Summary of threats
Qakbot (also known as QakBot, Quakbot and Pinkslipbot) is a widespread, well-known information-stealing malware that was discovered in 2007 and has been around for over a decade. Historically considered a banking trojan and loader (though, because of its modularity, it does not only target financial organizations), it has evolved since its inception to become more adaptive, has been upgraded with new techniques and capabilities, and has recently become known as a common precursor to ransomware compromise. Many threat actors use Qakbot, so the association is not exclusive, but the threat group known as “Gold Lagoon” has been observed conducting operations since its inception, with activity observed in several countries on most continents.
The variant is usually spread via phishing campaigns, malicious links, attachments (MS Word and Excel) and embedded images. Previously, it was mainly used to steal user data and perform credential harvesting. Over time, Qakbot has evolved to include techniques such as command and control functionality and the ability to perform lateral movement in an environment and, if left untouched, it can lead to a ransomware compromise (ProLock and Egregor being examples). The variant’s adaptive behavior and technical expansion are what have allowed it to remain prevalent for over a decade, and they make it more difficult for security teams to account for. One example is the recent discovery of Qakbot distributors using the recent CVE-2022-30190 “Follina” exploits in their malicious attachments.
Threat Synopsis – Qakbot
The Qakbot malware variant has been attacking organizations for over a decade, constantly adapting and adding modular advancements throughout its lifespan, and becoming customizable to the needs of the attacker and the targeted victim. These changes have included (but are not limited to) the ability to perform lateral movement, data recognition and exfiltration, keylogging, credential theft and even ransomware execution if left unaddressed. The modularity and adaptations of the variant make Qakbot even more difficult for security teams to prepare for.
The variant is known to be delivered via malicious emails that use malicious links, attachments or embedded images. Malicious links download the malware when clicked (sometimes delivered unclickable, allowing sandbox bypass) and have been observed to use “fake replies” to appear as part of a legitimate discussion thread. Malicious attachments have been observed to include, for example, ZIP files that contain Excel documents with embedded malicious macros, as well as HTML documents that download ZIP files containing image files, Word documents and/or shortcut files that all lead to infection. Finally, embedded images are meant to impersonate notifications such as Craigslist ads or legitimate account emails; the potential victim must manually type the given URL into their browser, which in turn downloads a malicious Excel file that starts the infection.
After initial access, reconnaissance/discovery commands were observed, abusing native Windows tools such as ipconfig and net.exe. The variant then creates keys in a randomly named subkey under “HKCU\Software”, which are queried via a scheduled task. That task in turn triggers a PowerShell script that continues the attack chain, either running a local payload stored in the registry or reaching out to pull in the payload. Malicious processes were executed via regsvr32.exe, and randomly named registry keys were created under the registry path HKCU\Software\Microsoft during execution of the second-stage DLL.
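The behaviours in the paragraph above lend themselves to a simple correlation rule. The sketch below is an added example, not part of the original post: the event field names, host names, registry key name, DLL paths and the 30-minute window are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# One rule per behaviour named above: discovery tools, PowerShell reading
# HKCU\Software, and regsvr32.exe execution.
RULES = {
    "discovery": lambda e: basename(e["image"]).lower() in {"ipconfig.exe", "net.exe"},
    "ps_registry": lambda e: basename(e["image"]).lower() == "powershell.exe"
    and re.search(r"HKCU:?\\Software\\", e["cmd"], re.I) is not None,
    "regsvr32": lambda e: basename(e["image"]).lower() == "regsvr32.exe",
}

def tag(event):
    """Return the set of rule names one process-creation event matches."""
    return {name for name, rule in RULES.items() if rule(event)}

def correlate(events, window=timedelta(minutes=30)):
    """Map host -> start of the first span in which all rules fired within `window`."""
    alerts, latest = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        seen = latest.setdefault(e["host"], {})
        for name in tag(e):
            seen[name] = datetime.fromisoformat(e["ts"])
        if len(seen) == len(RULES) and max(seen.values()) - min(seen.values()) <= window:
            alerts.setdefault(e["host"], min(seen.values()).isoformat())
    return alerts

def ev(ts, host, image, cmd):
    return {"ts": f"2022-06-10T{ts}", "host": host, "image": image, "cmd": cmd}

SYS = "C:\\Windows\\System32\\"
# Constructed sample events (hosts, times, key name and DLL paths are made up).
EVENTS = [
    ev("09:00:05", "WS01", SYS + "ipconfig.exe", "ipconfig /all"),
    ev("09:00:09", "WS01", SYS + "net.exe", "net view"),
    ev("09:12:40", "WS01", SYS + "WindowsPowerShell\\v1.0\\powershell.exe",
       r'powershell.exe -Command "Get-ItemProperty HKCU:\Software\Qzkvbwe"'),
    ev("09:12:44", "WS01", SYS + "regsvr32.exe", r"regsvr32.exe C:\Users\Public\sample.dll"),
    ev("10:00:00", "WS02", SYS + "ipconfig.exe", "ipconfig"),  # lone admin check
    ev("08:00:00", "WS03", SYS + "net.exe", "net use"),        # same tools, hours apart
    ev("10:30:00", "WS03", SYS + "WindowsPowerShell\\v1.0\\powershell.exe",
       r'powershell.exe -Command "Get-ItemProperty HKCU:\Software\Contoso"'),
    ev("13:00:00", "WS03", SYS + "regsvr32.exe", r"regsvr32.exe /s C:\App\plugin.dll"),
]

if __name__ == "__main__":
    print(correlate(EVENTS))  # hosts where the whole chain fits inside the window
```

Each behaviour on its own is common administrative activity, which is why the rule alerts only when all three appear on one host inside the window; the window needs tuning against what is normal in the environment.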
Due to the scope and customization of Qakbot, there are sometimes no definitive tactics and techniques that we can point to that will always be relevant for every victim. We can say that the variant’s email delivery methods are consistent, as are some observed TTPs that have been identified, but understanding what is considered normal in an environment, as well as keeping abreast of newly observed techniques, goes a long way toward defending against it. For example, in June 2022, Qakbot was observed exploiting the recent “Follina” zero-day vulnerability (abuse of ms-msdt). Using “fake reply” emails, the messages include malicious HTML attachments that download a ZIP archive that includes image files containing a hidden DLL file, a shortcut that runs it, and/or a Microsoft Word .docx file that abuses the Follina exploit.
*** This is a syndicated blog from the Security Bloggers Network of Cyborg Security written by Josh Campbell. Read the original post at: https://www.cyborgsecurity.com/threats/emerging-threats/qakbot/