Pinkslipbot banking Trojan exploiting infected machines as control servers

Pinkslipbot banking Trojan is a banking Trojan that uses a complicated multistage proxy for HTTPS-based control server communication.

Security researchers at McAfee Labs have spotted a new strain of the Pinkslipbot banking malware (also known as QakBot/QBot) that leverages UPnP to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine even if they are behind a network address translation router.

“To do so, Pinkslipbot uses universal plug and play (UPnP) to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine. As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding after the infamous W32/Conficker worm in 2008.” states the analysis shared by Mcafee.

Pinkslipbot, aka, Qbot first appeared in 2009 when was detected by Symantec, recent variants implement new features, including an advanced evasion technique.

Qbot, is a data stealer worm with backdoor capabilities, it is used to recruit infected machines in a credential-harvesting botnet.

Experts noticed that Pinkslipbot uses UPnP to provide the path to the targets, it infects machines that provide HTTPS servers from IP addresses listed in the malware. These machines serve as HTTPs proxies that route the path to an additional layer of HTTPs proxies, this technique allows masquerading the IP address of the real C&C server.

“We have discovered that the list of IP addresses consists solely of infected machines that serve as HTTPS-based proxies to the actual control servers. This setup (shown in the following diagram) is used to mask the real IP addresses of the Pinkslipbot control servers.” states the analysis.

The malware checks the target’s connection using a Comcast Internet speed tester, the test is possible only with US IP addresses. If the target passes the speed test, the malware then taps on UPnP ports to check the available services. The malicious code checks 27 ports to see if it can map them to the outside world.

It is still unclear the exact procedure of determining whether an infected machine is eligible to be a control server proxy.

“Malware researchers believe the choice depends on an infected machine’s satisfying a combination of three factors.

  • IP address located in North America
  • High-speed Internet connection
  • Capability to open ports on an Internet gateway device using UPnP”

Once detected available ports, the malware infects a machine behind the firewall and establish a permanent port mapping to route the traffic, and works as a C&C proxy.

Infected machines at the first level of proxy use the libcurl library to pass information to the second-layer which then route the traffic to the “real” C&C servers.

“Once the infected machine receives a control server request from a new Pinkslipbot infection, it routes all traffic to the real control servers via an additional proxy using the popular libcurl URL transfer library. ” continues the analysis.

To prevent Pinkslipbot infection users should “keep tabs on their local port-forwarding rules” and should turn UPnP off if they don’t need it.

Pierluigi Paganini 

[adrotate group=”7″]

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase