Gathering Intelligence on the Qakbot banking Trojan

Background: 

The Qakbot banking Trojan is one of the top-tier malware families on the current threat landscape. It is distributed in mass spam campaigns, steals confidential information, and has also provided access to ransomware operators. Preventing and detecting this threat has become a priority for many organisations, as a successful infection can lead to a costly cyber incident. In this blog I aim to share more information on this malware, drawn from open sources, and to highlight the intelligence-gathering process it takes to combat this threat.

Qakbot (also known as Quakbot or Qbot) has been around since 2008. It has targeted the customers of various financial institutions worldwide. While Qbot's targeting has mostly remained the same - with the aim of stealing bank details and enabling wire fraud - its propagation methods have changed across various campaigns. Despite its age, Qakbot still remains a significant threat with established connections in the organised cybercrime underworld.

One such connection is the ProLock ransomware gang. The ransomware has been dropped by Qakbot via macro-enabled Microsoft Office documents or password-protected ZIP archives distributed in targeted phishing campaigns. Qakbot itself has also been dropped during the mass spam campaigns orchestrated by the Emotet operators. Where Qakbot is used to gain access to a network, ransomware often follows on the target environment soon after. [1, 2]

In a recent security advisory, Water ISAC issued an alert regarding an Egregor ransomware attack on 29 October targeting a large water and wastewater utility in the US. Notably, the ransomware’s most likely initial infection vector was a macro-enabled document attachment containing the Qakbot Trojan. After Qakbot had successfully established a foothold, the Egregor operators reportedly leveraged RDP to traverse network resources. Over 100 workstations and multiple servers, including a backup server, were targeted. The risk of additional water utilities being targeted by ransomware is high. [3]

Further technical details on the Qakbot banking Trojan were released by CrowdStrike in a three-part series. [4, 5, 6]

Qakbot's key features include:

  • Stealing information from infected machines, including passwords, emails, credit card details and more.
  • Installing other malware on infected machines, including ransomware.
  • Stealing FTP credentials and spreading across a network using SMB.
  • Allowing the bot controller to connect to the victim's computer (even when the victim is logged in) to make banking transactions from the victim's IP address.
  • Hijacking users' legitimate email threads from their Outlook client and using those threads to try and infect other users' PCs.

Qakbot TTPs mapped to the Mitre ATT&CK Framework:

Tactic              | Technique                          | Sub-Technique
Initial Access      | Phishing                           | Spear-Phishing Attachment
Execution           | User Execution                     | Malicious Link, Malicious File
Execution           | Command and Scripting Interpreter  | PowerShell, CMD Shell, Visual Basic
Execution           | Signed Binary Proxy Execution      | Msiexec, Rundll32
Persistence         | Boot or Logon Autostart Execution  | Registry Run Keys / Startup Folder
Persistence         | Scheduled Task/Job                 | Scheduled Task
Defence Evasion     | Obfuscated Files or Information    | None
Defence Evasion     | Process Injection                  | Dynamic-link Library Injection
Defence Evasion     | Virtualization/Sandbox Evasion     | System Checks
Defence Evasion     | Masquerading                       | Legitimate Task or Service Names
Credential Access   | Brute Force                        | Password Guessing
Credential Access   | Input Capture                      | Web Injects
Discovery           | Virtualization/Sandbox Evasion     | User Activity Based Checks
Discovery           | Network Share Discovery            | None
Lateral Movement    | Remote Services                    | SMB/Windows Admin Shares
Collection          | Data from Local System             | Credentials in Files
Collection          | Email Collection                   | None
Command and Control | Application Layer Protocol         | Web Protocols
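As an added illustration (not code from the original post), the following Python turns the Execution and Persistence rows of this table into simple triage logic over process-creation events, the way a detection engineer would operationalise a TTP list. The record fields, the process-name sets and the sample events are assumptions constructed for the example, not real telemetry.

```python
import re
from dataclasses import dataclass

# Process names and command-line markers follow the TTP table above
# (Scripting Interpreter, Signed Binary Proxy Execution, Run Keys, Scheduled Task).
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
PROXY_BINS = {"rundll32.exe", "msiexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\b")

@dataclass
class ProcEvent:  # simplified, Sysmon-like process-creation record (assumed)
    parent: str
    image: str
    cmdline: str

def classify(ev):
    """Return the Qakbot TTPs from the table above that a single event matches."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    hits = []
    # Office document spawning a script host or a signed proxy binary.
    if parent in OFFICE and (image in SCRIPT_HOSTS or image in PROXY_BINS):
        hits.append("Execution: User Execution / Malicious File")
    if image in SCRIPT_HOSTS:
        hits.append("Execution: Command and Scripting Interpreter")
    if image in PROXY_BINS:
        hits.append("Execution: Signed Binary Proxy Execution (%s)" % image)
    # Persistence: scheduled task creation or a Run-key write.
    if image == "schtasks.exe" and "/create" in cmd:
        hits.append("Persistence: Scheduled Task/Job")
    if image == "reg.exe" and " add " in cmd and RUN_KEY.search(cmd):
        hits.append("Persistence: Registry Run Keys / Startup Folder")
    return hits

def triage(events):
    """Group matches by tactic so an analyst sees which stages are present."""
    by_tactic = {}
    for ev in events:
        for hit in classify(ev):
            by_tactic.setdefault(hit.split(":")[0], []).append((ev.image, hit))
    return by_tactic

# Constructed sample events (not real telemetry) modelling a maldoc-to-rundll32 chain.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "WINWORD.EXE", '"WINWORD.EXE" /n invoice.doc'),
    ProcEvent("WINWORD.EXE", "rundll32.exe", r"rundll32.exe C:\Users\Public\sample.dll,EntryPoint"),
    ProcEvent("rundll32.exe", "schtasks.exe", 'schtasks /create /tn Updater /tr "rundll32.exe ..."'),
    ProcEvent("rundll32.exe", "reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\sample.dll"),
    ProcEvent("svchost.exe", "schtasks.exe", "schtasks /query /fo list"),  # benign control
]
```

Running `triage(SAMPLE_EVENTS)` groups the two Execution hits on the Office-spawned rundll32 and the two Persistence hits, while the benign schtasks query produces nothing.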

Web Injects:

On 13 November, a security researcher known as @dark0pcodes shared the location of an active Qakbot web injection. Germán Fernández confirmed the Qakbot variant was using web injects with a U-Panel GUI v2.9 (uAdmin). This specific GUI is often used by phishing kits to harvest two-factor authentication (2FA) codes. Paired with this function, a threat actor can remotely connect to the Qakbot-infected device, enter the stolen credentials plus the 2FA token, and begin initiating transactions. These TTPs enable the operators to bypass most anti-fraud protections. Further, this example also leveraged a typosquatting domain to masquerade as Fortinet. [7]

Example of the uAdmin panel used by Qakbot:

Qakbot decoy document:

Qakbot process tree:

Basic tracking sources for Qakbot:

Source             | URL
VirusTotal         | https://www.virustotal.com/gui/search/qakbot/comments
AnyRun             | https://any.run/malware-trends/qbot
Hybrid Analysis    | https://hybrid-analysis.com/search?query=tag%3Aqbot
MalwareBazaar      | https://bazaar.abuse.ch/browse/yara/win_qakbot/
YARA by CAPE       | https://github.com/ctxis/CAPE/blob/master/data/yara/CAPE/QakBot.yar
@dark0pcodes tools | https://github.com/dark0pcodes/qbot_helper
Live Tweets        | https://twitter.com/search?q=%23Qakbot%20OR%20%23Qbot&src=typed_query&f=live
Threat Reports     | https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
BlueLiv            | https://community.blueliv.com/#!/discover?search=Qakbot

References:

  • https://twitter.com/1ZRR4H/status/1327365067298512900
  • https://twitter.com/VK_Intel/status/1323534149081272320
  • https://www.buguroo.com/en/labs/emotet-has-begun-distributing-the-qakbot-bank-malware
  • https://blog.malwarebytes.com/cybercrime/2020/11/qbot-delivered-via-malspam-campaign-exploiting-us-election-uncertainties/
  • https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques
  • https://www.group-ib.com/blog/prolock
  • https://twitter.com/abuse_ch/status/1301073144367771650?s=20
  • https://twitter.com/abuse_ch/status/1314087412050595841
  • https://fr3d.hk/blog/u-admin-show-tell
  • https://app.any.run/tasks/41746a3c-73be-420b-8eba-3c5282037455/
