Gathering Intelligence on the Qakbot banking Trojan
The Qakbot banking Trojan is one of the top-tier malware families on the current threat landscape. It is distributed in mass spam campaigns, steals confidential information, and has also provided access to ransomware operators. Preventing and detecting this threat has become a priority for many organisations as a successful infection can lead to a costly cyber incident. In this blog, I aim to share more information on this malware, provided by open sources, and highlight the intelligence gathering process it takes to combat this threat.
Qakbot (also known as Quakbot or Qbot) has been around since 2008. It has targeted the customers of various financial institutions worldwide. While Qbot's targeting has mostly remained the same - with the aim of stealing bank details and enabling wire fraud - its propagation methods have changed across various campaigns. Despite its age, Qakbot still remains a significant threat with established connections in the organised cybercrime underworld.
One such connection is the ProLock ransomware gang. The ransomware has been dropped by Qakbot via macro-enabled Microsoft Office documents or password-protected ZIP archives distributed in targeted phishing campaigns. The malware has also been dropped itself during the mass spam campaigns orchestrated by the Emotet operators. If Qakbot is used to gain access to the systems, ransomware is often followed on target environments soon after. [1, 2]
In a recent security advisory, Water ISAC issued an alert regarding an Egregor ransomware attack on 29 October targeting a large water and wastewater utility in the US. Notably, the ransomware’s most likely initial infection vector was a macro-enabled document attachment containing the Qakbot Trojan. After Qakbot had successfully established a foothold, the Egregor operators reportedly leveraged RDP to traverse network resources. Over 100 workstations and multiple servers, including a backup server, were targeted. The risk of additional water utilities being targeted by ransomware is high. 
Qakbot's key features include:
- Stealing information from infected machines, including passwords, emails, credit card details and more.
- Installing other malware on infected machines, including ransomware
- Qakbot can also steal FTP credentials and spread across a network using SMB.
- Allowing the Bot controller to connect to the victim’s computer (even when the victim is logged in) to make banking transactions from the victim’s IP address.
- Hijacking users’ legitimate email threads from their Outlook client and using those threads to try and infect other users’ PCs.
Qakbot TTPs mapped to the Mitre ATT&CK Framework:
|Initial Access||Phishing||Spear-Phishing Attachment|
|Execution||User Execution||Malicious Link, Malicious File|
|Execution||Command and Scripting Interpreter||PowerShell, CMD Shell, Visual Basic|
|Execution||Signed Binary Proxy Execution||Msiexec, Rundll32|
|Persistence||Boot or Logon Autostart Execution||Registry Run Keys / Startup Folder|
|Persistence||Scheduled Task/Job||Scheduled Task|
|Defence Evasion||Obfuscated Files or Information||None|
|Defence Evasion||Process Injection||Dynamic-link Library Injection|
|Defence Evasion||Virtualization/Sandbox Evasion||System Checks|
|Defence Evasion||Masquerading||Legitimate Task or Service Names|
|Credential Access||Brute Force||Password Guessing|
|Credential Access||Input Capture||Web Injects|
|Discovery||Virtualization/Sandbox Evasion||User Activity Based Checks|
|Discovery||Network Share Discovery||None|
|Lateral Movement||Remote Services||SMB/Windows Admin Shares|
|Collection||Data from Local System||Credentials in Files|
|Command and Control||Application Layer Protocol||Web Protocols|
On 13 November, a security researcher known as @dark0pcodes shared the location of an active Qakbot web injection. Germán Fernández confirmed the Qakbot variant was using web injects with a U-Panel GUI v2.9 (uAdmin). This specific GUI is often used by phishing kits to harvest two-factor authentication (2FA) codes. Paired with this function, a threat actor can remotely connect to the Qakbot-infected device, enter the stolen credentials plus the 2FA token, and begin initiating transactions. These TTPs enable the operators to bypass most anti-fraud protections. Further, this example also leveraged a typosquatting domain to masquerade as Fortinet. 
Example of the uAdmin panel used by Qakbot:
Qakbot decoy document:
Qakbot process tree:
Basic tracking sources for Qakbot:
|YARA by CAPE||https://github.com/ctxis/CAPE/blob/master/data/yara/CAPE/QakBot.yar|