{"id":1891,"date":"2024-09-25T08:52:30","date_gmt":"2024-09-25T08:52:30","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1891"},"modified":"2025-07-29T03:03:01","modified_gmt":"2025-07-29T03:03:01","slug":"analysis-of-new-wave-of-qakbot-2023","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-new-wave-of-qakbot-2023\/","title":{"rendered":"Analysis of new wave of QakBot (2023)"},"content":{"rendered":"\n<p>Qakbot (aka Qbot or Pinkslipbot) is a banking trojan that steals sensitive data from targeted victims and attempts to self-propagate to other systems on the network. It is also a second-stage modular malware with backdoor capabilities. Qakbot provides remote code execution (RCE) capabilities, allowing attackers to perform manual attacks to achieve secondary objectives such as scanning the compromised network or deploying ransomware.<\/p>\n\n\n\n<p>Qakbot&#8217;s modules also allow automated targeting of financial data, locally stored emails, system passwords or password hashes, website passwords, and cookies from web browser caches. 
The threat actor can also log keystrokes to steal any typed credentials.<\/p>\n\n\n\n<p><strong>QBot Infection Chain of 2022<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"975\" height=\"389\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-29.webp\" alt=\"\" class=\"wp-image-1892\"\/><figcaption class=\"wp-element-caption\">Infection Chain \/ 2022<\/figcaption><\/figure>\n\n\n\n<p><strong>Distribution Techniques<\/strong><\/p>\n\n\n\n<p>In this blog, we discuss two different recent distribution techniques of the QakBot\/QBot malware.<\/p>\n\n\n\n<p><strong>Technique 1: Distributed via OneNote file<\/strong><\/p>\n\n\n\n<p>OneNote is a digital note-taking app that provides a single place for keeping notes, research, plans, and any other information you need to remember and manage. A .one file is a notebook created by Microsoft OneNote. It contains one or more pages of notes, organized into sections. ONE files may contain text, digitized handwriting, and objects pasted from other applications, such as images, drawings, and audio or video clips.<\/p>\n\n\n\n<p><strong>OneNote Infection Chain<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"975\" height=\"398\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-27.webp\" alt=\"\" class=\"wp-image-1893\" style=\"width:840px;height:auto\"\/><\/figure>\n\n\n\n<p>As usual, the campaign begins with a spam email. This time the threat actor gets past defenses by using Microsoft&#8217;s OneNote. Once the user opens the .one file, the embedded .CMD file&#8217;s commands are run, and the .ps1 script then does something unusual: it connects to the system program and drops the executable payload at the targeted path. 
It does this by overwriting the content of the OneNote executable, which is how the malicious action is performed. When the payload file is run, the QBot infection begins communicating with its C2 server to exchange the stolen information and data.<\/p>\n\n\n\n<p><strong>Sample Information<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"975\" height=\"186\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-27.webp\" alt=\"\" class=\"wp-image-1894\"\/><\/figure>\n\n\n\n<p><strong>Technical Analysis<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"461\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-27.webp\" alt=\"\" class=\"wp-image-1895\"\/><\/figure>\n\n\n\n<p>Here is the decoy OneNote page with a dialogue message box, shown when the victim opens the attachment file. The message box instructs the victim to double-click to open the page in order to view its content. One interesting feature is the MS copyright 2023 notice, which leads victims to believe that the file is legitimate.<\/p>\n\n\n\n<p>Once the file is executed, Qbot automatically launches a PowerShell command. Most malware campaigns use PowerShell .ps1 commands to initiate the initial process, i.e. communicating with external URLs to download the first-stage payload or dropper files.<\/p>\n\n\n\n<p><strong>Why is PowerShell used?<\/strong><\/p>\n\n\n\n<p>PowerShell is commonly used for automating the management of systems. It is also used to build, test, and deploy solutions, often in CI\/CD environments. Using the same scripting language, malicious threat actors leverage scripts run through hosts such as WScript and CScript to escape script-host constraints on Windows and other operating systems. Here, PowerShell is used to carry out the critical pieces of the attack. 
The PowerShell script used in this instance disables Windows Defender&#8217;s antivirus prevention capabilities, such as real-time detection, script and file scanning, and host-based intrusion prevention.<\/p>\n\n\n\n<p><strong>PowerShell &gt; Base64 Decoded<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"462\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-26.webp\" alt=\"\" class=\"wp-image-1896\"\/><\/figure>\n\n\n\n<p><strong>Hard Coded .ps1 command<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"273\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-26.webp\" alt=\"\" class=\"wp-image-1897\"\/><\/figure>\n\n\n\n<p>We can see the PowerShell command that retrieves the randomized .dat file from the malicious IOC and stores it in a hidden folder under %ProgramData% on the C drive under the name gb.jpg. After that, it executes the payload file using rundll32.exe.<\/p>\n\n\n\n<p><strong>Technique 2: Distributed via .hta file<\/strong><\/p>\n\n\n\n<p>The .hta file extension is the format used by HTML Applications. An HTA embodies a program that can be run from an HTML document and contains hypertext code with VBScript or JScript, depending on how the program is set up. An .hta file executes without being confined to the security context of the browser; it is treated as a fully trusted application. HTA files are in text format, so text editing programs can be used to edit the raw source files.<\/p>\n\n\n\n<p>The default file association for the .hta extension is the Microsoft HTML Application Host (mshta.exe). 
HTA files store executable code that can be run from an HTML document.<\/p>\n\n\n\n<p><strong>HTML Infection Chain<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"486\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-26.webp\" alt=\"\" class=\"wp-image-1898\"\/><\/figure>\n\n\n\n<p>As usual, this campaign also starts with spam emails as the initial vector. This time the threat actor uses an .hta file as the evasion technique to bypass security controls. Once the user opens the .hta file, the commands from the .CMD file are run, and the .js script then does something unusual: it connects to the system program and drops the executable payload at the targeted path. Upon launching the payload file, the QBot infection starts communicating with its C2 server to exchange the stolen data and information.<\/p>\n\n\n\n<p><strong>Sample Information<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"220\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/8-22.webp\" alt=\"\" class=\"wp-image-1899\"\/><\/figure>\n\n\n\n<p><strong>File Contents<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"92\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/9-19.webp\" alt=\"\" class=\"wp-image-1900\"\/><\/figure>\n\n\n\n<p>Here is the full content of the .hta file. It contains the junk string 5&amp; repeated throughout as padding; if we remove it, we get the actual function. 
Once the user launches the .hta application, mshta.exe executes C:\\Users\\User_name\\Desktop\\Open.hta, which communicates with the phishing IOCs to perform the intended malicious action.<\/p>\n\n\n\n<p><strong>Indicator of Compromise<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"200\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/10-18.webp\" alt=\"\" class=\"wp-image-1901\"\/><\/figure>\n\n\n\n<p>Here we can see the .dat file that is retrieved once the user opens the file. In general, a DAT file is a data file that contains information specific to the program used to create it. The .DAT extension is a generic format that can contain any kind of content \u2013 video, audio, PDF, and virtually any other type of file.<\/p>\n\n\n\n<p><strong>MITRE ATT&amp;CK Tactics &amp; Techniques<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<figure class=\"wp-block-table\"><table><tbody><tr><td>ID<\/td><td>Tactic<\/td><td>Technique<\/td><\/tr><tr><td>TA0001<\/td><td>Initial Access<\/td><td>T1566.001 \u2013 Spearphishing Attachment<\/td><\/tr><tr><td>TA0002<\/td><td>Execution<\/td><td>T1027 \u2013 Obfuscated Files or Information<br>T1204.001 \u2013 Links via OneNote\/.hta file<br>T1204.002 \u2013 Attachment file via OneNote\/.hta file<\/td><\/tr><tr><td>TA0003<\/td><td>Persistence<\/td><td>T1053.005 \u2013 Scheduled Task<br>T1547.001 \u2013 Registry Run Keys \/ Startup Folder<\/td><\/tr><tr><td>TA0004<\/td><td>Privilege Escalation<\/td><td>T1053.005 \u2013 Scheduled Task<\/td><\/tr><tr><td>TA0005<\/td><td>Defense Evasion<\/td><td>T1027.002 \u2013 Software Packing<br>T1055 \u2013 Process Injection<br>T1218.005 \u2013 OneNote spawns MSHTA to execute the embedded .hta file.<br>
T1497.001 \u2013 System Checks<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>TA0006<\/td><td>Credential Access<\/td><td>T1003 \u2013 OS Credential Dumping<br>T1110.001 \u2013 Password Guessing<br>T1555.003 \u2013 Credentials from Web Browsers<\/td><\/tr><tr><td>TA0007<\/td><td>Discovery<\/td><td>T1016 \u2013 System Network Configuration Discovery<\/td><\/tr><tr><td>TA0011<\/td><td>C&amp;C Server<\/td><td>T1071.001 \u2013 Web Protocols<br>T1090 \u2013 Proxy<br>T1090.002 \u2013 External Proxy<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div><\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Qakbot (aka Qbot or Pinkslipbot) is a banking trojan that steals sensitive data from targeted victims and attempts to self-propagate to other systems on the network. It is also a second-stage modular malware with backdoor capabilities. Qakbot provides remote code execution (RCE) capabilities, allowing attackers to perform manual attacks to achieve secondary objectives 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1891","post","type-post","status-publish","format-standard","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1891","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1891"}],"version-history":[{"count":2,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1891\/revisions"}],"predecessor-version":[{"id":4169,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1891\/revisions\/4169"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}