Qakbot malware (also known as: QakBot, Quakbot, Pinkslipbot) is a prevalent and well known information-stealing malware that was discovered in 2007, existing for over a decade. Historically viewed as a Banking Trojan and loader (however not solely targeting financial organizations due to its modularity), has evolved since its conception to be more adaptive and upgraded with new techniques and capabilities – being recently known as a common precursor to Ransomware compromise. Although not exclusively associated since many threat actors utilize Qakbot, the threat group known as “Gold Lagoon” has been observed conducting operations since its creation and activities seen in several countries across most of the continents.
The variant is typically delivered via Phishing campaigns, weaponizing malicious links, attachments (MS Word and Excel) and embedded images. Previously, it was primarily used to steal user data and perform credential harvesting, over time Qakbot has evolved to include techniques such as Command and Control features, the ability to conduct lateral movement within an environment, and if left untouched, lead to ransomware compromise (ProLock and Egregor being examples). The variant’s adaptive behavior and its technique expansion is what has allowed it to stay prevalent for over a decade, and thus more difficult for security teams to account for – an example being the recent discovery of Qakbot distributions using the recent CVE-2022-30190 “Follina” exploit in their malicious attachments.
Threat Synopsis – Qakbot
The Qakbot malware variant has been prevalent attacking organizations for over a decade, constantly adapting and adding modular advancements throughout its lifespan – becoming customizable depending on the attacker’s needs and the victim targeted. These changes have included (but not limited to): the capacity to perform lateral movement, recon and exfiltration of data, keylogging, stealing credentials and even execution of ransomware if left untouched. The variant’s modularity and adaptations make Qakbot even more challenging for security teams to prepare for.
The variant is known to be delivered via malicious e-mails, utilizing malicious links, attachments, or embedded images. The malicious links download the malware when clicked (sometimes delivered not clickable, allowing a bypass from sandboxes) and has been observed to utilize “fake replies” to appear as part of an email thread that was legitimate. Malicious attachments have been observed for example to include ZIP files that contain excel documents with malicious macros embedded, as well as HTML documents that download ZIP files that contain image files, word documents and/or shortcut files that all lead to infection. Finally, embedded images that are meant to impersonate notifications such as craigslist ads or legitimate account e-mails – to which tell the potential victim to manually type the URL given into their browser, and in turn downloads a malicious Excel file that begins the infection.
After initial access, reconnaissance/discovery commands have been observed to be utilized, abusing Windows-native tools such as ipconfig and net.exe. Afterwards, the variant creates keys into a randomly named subkey under “HKCU\Software\” and are queried via scheduled task, which in turn triggers a PowerShell script that continues the attack chain – which either executes a local payload in registry or reaches out to pull in the payload. Malicious processes have been seen to be executed via regsvr32.exe, as well as randomly named registry keys being created within the registry path: HKCU\Software\Microsoft upon second-stage DLL execution.
Due to the outreach and customization of Qakbot, at times there aren’t definitive tactics and techniques that we can point out that are always going to be relevant to each victim. We can say that the variant’s e-mail delivery methods are consistent, as well as some observed TTPs that have been identified, however understanding what is considered normal in an environment, as well as keeping up to date with newly observed techniques go a long way to safeguard. For example, In June of 2022, Qakbot was observed to exploit the recent “Follina” zero-day vulnerability (abuse of ms-msdt). Utilizing “fake reply” emails, the messages include malicious HTML attachments that download a ZIP archive that include image files containing a hidden DLL file/shortcut that runs it and(or) a Microsoft Word .docx file that abuses the Follina exploit.