Surge of QakBot Activity Using Malspam, Malicious XLSB Files

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is observing an uptick in U.S. State, Local, Tribal, and Territorial (SLTT) QakBot activity aligned with open-source reporting. This includes the research project abuse.ch, which found that 74% of the malware payloads received in April 2022 were for QakBot.

What Is QakBot?

QakBot is a banking trojan that the cybersecurity community has tracked since 2007. Over time, it evolved into the modular malware that's currently being deployed. It has numerous capabilities and can perform enumeration (through net, whoami, nslookup, netstat, ipconfig, etc.), move laterally on a network through Server Message Block protocol (SMB), use keylogging capabilities to steal user credentials, monitor network traffic, and drop additional malware. More specifically, it monitors traffic to online banking websites and leverages a Man-in-the-Middle (MitM) technique to intercept authentication tokens on a user’s active banking session.

But that's not all. QakBot can also load additional modules, including credential and cookie harvesters, a Virtual Network Computing (VNC) module, Cobalt Strike, and an email collection module. It can also lead to other malware infections, such as ransomware. Once QakBot operators are finished with an infected host or network, the malware leverages Cobalt Strike modules to sell or grant access to other cyber threat actor (CTA) groups. For example, there is recent reporting that QakBot is tied to current ransomware campaigns, including Black Basta.

Cyber Threat Actors (CTAs) disseminating QakBot do so widely via malspam emails that often leverage thread hijacking. In the summer of 2022, the cybersecurity community observed QakBot exploiting CVE-2022-30190 (also known as Follina), a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT).

Inside One QakBot Infection

The initial infection vector for all QakBot activity reported to the MS-ISAC was malspam; the attachments were either malicious XLSB file attachments or a password-protected ZIP file containing a malicious IMG, MSI, or XLSB file. Once executed, the malware reached out to malicious domains to download DLLs and create a new directory in the C: drive. The DLLs executed via regsvr32.exe. In some of the cases, the malware injected these DLLs into explorer.exe or onedrivesetup.exe. To establish persistence, QakBot created scheduled tasks via schtasks.exe.

In one incident worked by the MS-ISAC's Cyber Incident Response Team (CIRT), the QakBot payload was delivered to the victim via an email with an attached ZIP file.

Once the ZIP file was opened, an IMG file was presented to the victim. An IMG file is similar to an ISO file; both function as a “container” to store additional files. Within modern versions of Windows, an ISO or IMG file can be natively mounted by double-clicking the aforementioned file. Due to this ease of access, CTAs commonly switch to using these types of deliverables in their campaigns.

Figure 1. Delivered IMG file.

After natively mounting the IMG file by double clicking on it, the victim was presented with three files. Note that file icon of the file ‘54165666_666958’ is masqueraded as a folder. In actuality however, this was a shortcut (i.e., a LNK file).

• DLL
• Microsoft Word Document
• Windows shortcut or link (LNK) file

Figure 2. Contents of IMG file.

Reviewing the LNK file found that its purpose was to execute rundll32.exe and execute the DLL found within the same directory named "019338921.dll."

By reviewing the properties of the LNK file, we can identify its command arguments.

Figure 4. Command line parameters of LNK file.

 

Figure 5. Command line parameters of LNK file expanded.

Once clicked, the LNK file would have run the above parameters with the DllInstall function, which can be used to install or execute a specified DLL.

Review of the Microsoft Word document "doc693.docx" found that this file matched that of an Open Office XML (OOXML) document. This type of file is implemented as a ZIP archive containing various files that make up a single document.

It's possible to unzip an OOXML file to display its contents. As shown below, we can see that the file header of "doc693.docx" matched that of an OOXML format and was categorized as a ZIP file.

Figure 8. File header matching OOXML and zip.

Reviewing the contents of this file shows numerous files that make up the structure of the document.

Figure 9. Contents of delivered Microsoft Document file.

Analysis of "document.xml.rels" found within "/word/_rels" revealed references to a hardcoded IP address. Once opened and its content enabled, the document reached out to the aforementioned IP address to access another file named "123.res." (At the time of analysis, this IP address and content were no longer available for review.)

Figure 10. Discovered hardcoded IP address.

Additional review of the aforementioned OOXML document found no suspicious macros, suggesting that the purpose of the document was to communicate with the hardcoded IP address to access "123.res."

Figure 11. No identified macros.

Based on the observed files, it is likely the CTAs implemented three malicious files to increase their chances of successfully compromising a victim’s machine. This included execution of the provided DLL, a disguised shortcut/LNK file, and a Microsoft Word document equipped to communicate with a suspicious IP address.

Depending on the initial access or execution technique used, such as opening the Microsoft Word file or executing the LNK file, the campaign typically downloads an additional payload to the system. In this example, a DLL named "gseae.dll" was downloaded and placed within C:\Users\%CurrentUser%\AppData\Roaming\Microsoft\. Here, a folder named "Hurosfyqv" was created. It contained the DLL as well as a registry RUN key for persistence.

Figure 12. Path and Run key value of observed DLL.

Shortly after the DLL dropped on the victim system, we observed the execution of various Living off the Land (LotL) reconnaissance-based commands and binaries. These included but were not limited to the following:

• Whoami.exe
• Net.exe
• Nslookup.exe
• Ipconfig.exe

In some observed cases, QakBot was seen to have injected into various processes, such as explorer.exe, and to have used Scheduled Tasks as well as Registry Run keys for persistence. It should be noted that QakBot has been known to create randomly generated filenames, directories, and various scheduled task names in an effort to make creating name-based signatures more difficult.

 

Figure 13. Randomly named scheduled task.

Additionally, a Windows Defender exception was made for the suspicious DLL and directory by modifying the following registry key:

• HKLM\SOFTWARE\Microsoft\Windows\Defender\Exclusions\Path

Indicators of Compromise

The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from QakBot. Additionally, QakBot frequently shifts its C2 infrastructure, so all of the IP addresses listed below may not represent active infrastructure but can be used for threat hunting, respectively. Additionally, this list is not exhaustive of all IP addresses observed in open-source reporting. Security researchers, such as those operating Feodo Tracker, actively track QakBot and other malware C2 infrastructure.

C2 IPs

37[.]252[.]0[.]102
74[.]15[.]2[.]252
76[.]169[.]147[.]192
41[.]228[.]22[.]180
103[.]87[.]95[.]133
103[.]88[.]226[.]30
105[.]226[.]83[.]196
109[.]228[.]220[.]196
143[.]0[.]34[.]185
176[.]205[.]119[.]81
181[.]118[.]183[.]98
187[.]207[.]48[.]194
191[.]17[.]223[.]93
201[.]211[.]64[.]196
31[.]48[.]166[.]122
39[.]44[.]144[.]159
45[.]46[.]53[.]140
45[.]9[.]20[.]200
47[.]180[.]172[.]159
47[.]23[.]89[.]62
47[.]23[.]89[.]62:993
72[.]252[.]201[.]34
75[.]113[.]214[.]234
76[.]69[.]155[.]202
83[.]110[.]75[.]97
86[.]97[.]11[.]43
86[.]98[.]208[.]214
86[.]98[.]33[.]141
96[.]29[.]208[.]97
100[.]1[.]108[.]246
103[.]107[.]113[.]120
103[.]139[.]243[.]207
103[.]246[.]242[.]202
109[.]12[.]111[.]14
117[.]248[.]109[.]38
121[.]74[.]167[.]191
140[.]82[.]49[.]12
140[.]82[.]63[.]183
144[.]202[.]2[.]175
172[.]114[.]160[.]81
173[.]21[.]10[.]71
175[.]145[.]235[.]37
187[.]102[.]135[.]142
191[.]99[.]191[.]28
196[.]233[.]79[.]3
203[.]122[.]46[.]130
209[.]197[.]176[.]40
217[.]128[.]122[.]65
42[.]235[.]146[.]7
46[.]107[.]48[.]202
47[.]156[.]191[.]217
5[.]32[.]41[.]45
66[.]98[.]42[.]102
68[.]204[.]7[.]158
71[.]13[.]93[.]154
71[.]74[.]12[.]34
72[.]76[.]94[.]99
75[.]99[.]168[.]194
76[.]25[.]142[.]196
90[.]120[.]65[.]153
93[.]48[.]80[.]198
94[.]59[.]138[.]62
102[.]182[.]232[.]3
108[.]60[.]213[.]141
125[.]168[.]47[.]127
140[.]82[.]63[.]183
144[.]202[.]2[.]175
144[.]202[.]3[.]39
148[.]64[.]96[.]100
149[.]28[.]238[.]199
173[.]174[.]216[.]62
174[.]69[.]215[.]101
176[.]67[.]56[.]94
179[.]158[.]105[.]44
181[.]208[.]248[.]227
182[.]191[.]92[.]203
187[.]251[.]132[.]144
190[.]252[.]242[.]69
190[.]73[.]3[.]148
202[.]134[.]152[.]2
208[.]107[.]221[.]224
24[.]178[.]196[.]158
31[.]35[.]28[.]29
32[.]221[.]224[.]140
37[.]186[.]54[.]254
37[.]34[.]253[.]233
38[.]70[.]253[.]226
40[.]134[.]246[.]185
41[.]230[.]62[.]211
41[.]38[.]167[.]179
45[.]63[.]1[.]12
45[.]76[.]167[.]26
67[.]209[.]195[.]198
70[.]46[.]220[.]114
73[.]151[.]236[.]31
76[.]70[.]9[.]169
78[.]87[.]206[.]213
80[.]11[.]74[.]81
81[.]215[.]196[.]174
82[.]152[.]39[.]39
84[.]241[.]8[.]23:32103
85[.]246[.]82[.]244
91[.]177[.]173[.]10
92[.]132[.]172[.]197
72[.]12[.]115[.]90
101[.]99[.]95[.]146
185[.]82[.]127[.]231
185[.]172[.]129[.]84
185[.]235[.]247[.]119
187[.]250[.]114[.]15