Analysis of new wave of Qakbot Campaign

QakBot (a.k.a QBot) is one of the leading banking trojans, it still continues to grow and develop, with more capabilities and new techniques. Its main purpose is to steal banking data (banking credentials, online banking session information, victim’s personal details, etc.). However, its developers have also developed functionalities that allow QBot to spread itself, evade detection and debugging, and install additional malware on compromised machines, such as Cobalt Strike, REvil, ProLock, Egregor and Black Basta ransomware.

Follina / Dogwalk Vulnerability Used to Deliver QakBot

Around November 2022, LMNTRIX spotted a pattern that showed a triple-threat attack on Microsoft Windows users. Threat actors are using phishing attacks to install Qakbot/Qbot malware “without” showing a Mark of the Web (MoTW) security warning to stop the attack. Several types of malware are being sent out using the recently discovered Windows flaw called Follina (Dogwalk) with CVE-2022-30190, which users still haven’t fully fixed.

Normally, when files are downloaded from untrusted sources such as suspicious, or malicious websites on the the Internet, for email attachments/downloaded files, Windows will add a special attribute called “Mark of the Web” to the file. This attribute is an alternative data stream that tells you where the file came from, who sent you there, and where you can download it. When a user tries to open a file with the MoTW attribute, Windows will show a security warning and ask the user to confirm that they want to scan the file / open the file directly.

In the same week, LMNTRIX CDC observed that a major cybercrime group with the identifier TA570 had used CVE-2022-30190 to send out Qbot, a widely used info-stealer also called Qakbot. Qakbot can spread on networks that have been hacked and several cybercrime groups have used it for getting initial access.

The Follina vulnerability has a large impact because it affects ALL Microsoft Office 2013 version and upwards – on ALL currently supported Microsoft Windows operating systems, including the most recent: Win 10, Windows Server 2019 and Windows Server 2022 also! Microsoft Office offers a very lucrative attack surface as, its the most popular productivity suite on the planet, with over a billion installation on computer devices.

Target Platform – Windows Users

Activity of the Qbot in the Wild

• Collecting information about the compromised host.
• Stealing credentials (from browser data and cookies).
• Targeting web banking links.
• Password brute-forcing.
• Registry manipulation and creating scheduled tasks (for persistence).
• Laterally moving through the network.

Infection Chain

The new QakBot infections are done by the initial vectors such as .PDF documents. As usual this can be done by using phishing campaigns or, malspam emails. Once the victim opens the email attachment containing the .PDF document, then the .PDF file will communicate with the external link to download the ZIP file. The embedded .ZIP file will have the final payload file. Each time they will dynamically change their IOCs to avoid being detected by antivirus software.

QakBot Initial Infection (Loading Sequence)

During the summer months of June and July 2022, LMNTRIX NDR observed variations of the following pattern of network activity on several active client networks;

• HTTP Connection – The user’s device connects to an email service like Outlook.com or Google Mail.

• Stage 1 (Loader) – The device sends an initial HTTP GET request with an Office user-agent string and a ‘/123.RES’ target URI to C2 Server. The request is answered with a HTML file containing the exploit for the Follina vulnerability (CVE-2022-30190). This HTML file downloads a .zip file via HTML smuggling.

• Stage 2 – Now the device sends another HTTP GET request with cURL to a target URI that ends in “.dat” to an unusual external endpoint. The request is responded to with a Qakbot DLL sample (DLL sideloading method). This download.dat / downloads.dat is actually a zip file… When trying to extract the zip file, it requests for a password.

• Password: Upon closer static analysis the contents of the zip file are encoded with Base 64, when decrypting, we can use the password: “abc321” (without quotes)

• QakBot Malware uses a modified regsvr32 binary to execute its DLL payload.

• C2 Access – Lastly the infected device goes ahead and connects to QakBot Command and Control servers over ports such as 443, 995, 2222, and 32101 to perform desired actions on objectives.

What is HTML Smuggling?

Most of the incidents observed by LMNTRIX involved Qakbot in June/July 2022. The machines were infected likely through HTML smuggling. HTML Smuggling is when malicious code (javascript shellcode, or just javascript) is put into HTML attachments to drop a secondary payload. Based on open source intelligence reports and patterns of network traffic observed, we believe the Qakbot infections seen across LMNTRIX client base in June 2022 started with one of the following three methods:

Option A – When the user opens an HTML attachment, a ZIP file is downloaded to their device. The ZIP file has a Qakbot DLL file and, an LNK shortcut file. When the LNK shortcut file is opened, the DLL file gets loaded for further malice.

Option B – When the user opens an HTML attachment, a ZIP file is downloaded to their device. ZIP file contains a docx file that, when opened, sends an HTTP GET request to C2 Server with an Office User Agent string and a ‘/123.RES’ target URI from the user’s device. If the HTTP GET request works, an HTML file with a Follina exploit is sent back as the response. The Follina exploit makes the user’s device send an HTTP GET request to an outside server with a.dat target URI. Subsequently a Qakbot DLL file is downloaded to answer the request.

Option C – When the user opens an HTML attachment, a ZIP file is downloaded to their device. ZIP file has an LNK file that, when opened, makes the user’s device send an initial HTTP GET request with a cURL string and a.dat target URI. If successful, the HTTP GET request downloads a Qakbot DLL.

Sample Information

Technical Analysis of PDF document

A PDF file is a multi-platform document created by Adobe Acrobat or another PDF application. The PDF format is commonly used for saving documents and publications in a standard format that can be viewed across multiple platforms. In many cases, PDF files are created from existing documents instead of being created from scratch. PDF file format has an important feature that allows the author/creator to add a hyperlink any URLs or any attachments to perform actions or, to ensure that your reader has immediate access to related information. This makes it conducive for malware authors to achieve their action on objectives.

Qbot – Fake Adobe Template

The above image shows the fake Adobe template which contains the XXXX.pdf file. In-order to open the .PDF, they have provided a password. After opening the pdf file by using SFX extraction, .ZIP file will drop the payload file and take further action. An SFX file is a compressed archive that has been combined with an executable module, allowing Windows users to extract the archives without a decompression program. It is typically saved with .EXE file extension, but may sometimes use the ‘.SFX’ extension also. When double-clicked in Windows, SFX files automatically decompress themselves and extract data that’s present inside the archive.

Embedded URL

Here we can see the associated external URL & the password to open the .ZIP file.,

PDF designers and the PDF reader software architects never intended for files to be able to modify the operating system running the PDF reader. Malware authors have found ways to exploit PDF readers’ software vulnerabilities and have creatively used the PDF language, enabling them to produce PDF documents that execute arbitrary code.

PDF Contents

Embedded IOCs

Most of the security vendors detect this URL as a Phishing/malicious site. Also, the status code is “still alive”.

Communicating & File Referring

Still the QakBot sample communicates with the multiple domains to drop payloads on the victim’s machine.

Once the system is infected, it will do the following: 

1. Collect information about the compromised host. s
2. Set up tasks to run at a certain time (privilege escalation & persistence).
3. Gathering credentials. Dumping credentials (.exe access).
4. Password stealing (from browser history and cookies).
5. Targeting web banking links (web injects).
6. Password brute-force attacks.
7. Changes to the registry (persistence).
8. Process injection is used to hide the malicious actions
   – The malware gets deployed in stages, and it has built-in AV evasion techniques.

Indicators of Compromise (QakBot)

MITRE ATT&CK Tactics & Techniques for QakBot