QakBot, also known as QBot or Pinkslipbot, is a modular second-stage malware with backdoor capabilities that was initially designed to steal credentials. The tool is not associated with a single specific threat group but continues to be leveraged by multiple adversaries, primarily those involved in cybercrime operations. In recent years, QakBot has been observed collaborating with various ransomware groups, acting as the initial delivery vector for attacks using MegaCortex, PwndLocker, Egregor, ProLock, Maze, REvil, Conti, and Black Basta.
The malware has been under constant development since its initial discovery in 2007. QakBot’s current primary purpose is to act as a downloader and stager for other pieces of malware. Infections starting with QakBot have been observed to lead to the deployment of tools and malware like Cobalt Strike, Brute Ratel, Mimikatz, and BloodHound.
AttackIQ has released three new attack graphs that emulate this tool to help customers validate their security controls and their ability to defend against the adversaries that use it. Validating your security program performance against these behaviors is vital in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against multiple threat actors that all begin their campaigns with QakBot.
- Assess their security posture against the many evolutions of one of the most prolific malware families used in cybercrime.
- Continuously validate detection and prevention pipelines against attacks with different endgame objectives.
QakBot – 2022-09 – ISO Image Deployment Leads to Brute Ratel, Cobalt Strike, and SharpHound
The first attack graph is based on a report published by TrendMicro detailing an attack that starts with an ISO file in an attempt to defeat mark of the web (MOTW) protections, a security feature that restricts the opening of files and attachments that came from the internet.
During this campaign, the adversary delivered Brute Ratel, a Cobalt Strike-like penetration testing framework. Additionally, the perpetrator deployed Cobalt Strike for lateral movement and SharpHound to discover Active Directory organizational units, group policies, domains, user groups, computers, and users. In the last stage of the infection, the attackers exfiltrated stolen data.
This emulation begins with the mounting of an ISO image and the subsequent execution of its payload, which culminates with the download and saving of the DLL associated with QakBot. This DLL is executed through RegSvr32 and injected into a process. Subsequently, the emulation attempts to obtain persistence through the registry and emulates communications between the malware and the adversary’s infrastructure.
Subvert Trust Controls: Mark-of-the-Web Bypass (T1553.005): This scenario bypasses MOTW by downloading and mounting an ISO image on the system to execute the payload contained inside.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two independent scenarios to test both network and endpoint controls and their ability to prevent the delivery of known malicious samples.
System Binary Proxy Execution: Regsvr32 (T1218.010): RegSvr32 is a native Windows utility that threat actors can use to register Component Object Model (COM) DLLs. This functionality allows an actor to deploy a malicious DLL and have a native Windows tool execute the code as the parent process. This scenario executes RegSvr32 with an AttackIQ binary.
Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.
Registry Run Keys / Startup Folder (T1547.001): Windows leverages multiple registry keys that identify applications or commands to be run at startup. An entry is created to execute a binary at startup using a
Application Layer Protocol: Web Protocols (T1071.001): This scenario emulates the HTTP requests made by QakBot payloads by making HTTP POST requests to an AttackIQ server.
This is followed by the execution of the techniques associated with the discovery phase of the attack. The actor is attempting to gain additional knowledge about their victim’s environment before moving onto the next stage of malware.
Remote System Discovery (T1018): This scenario executes the net view command to gather additional hosts connected to the infected asset.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like
Internet Connection Discovery (T1016.001): This scenario uses nslookup to look up an external domain using Google’s DNS (22.214.171.124). The actors utilize this command to determine whether they will be able to gain outbound access to the internet using 3rd-party DNS servers.
Network Share Discovery (T1135): The native net tools are used to list all of the local mapped network shares with
System Network Connections Discovery (T1049): The native Windows command line tool netstat is used to collect active connections and identify listening services running on the host.
Permission Groups Discovery: Local Groups (T1069.001): The actor is interested in identifying memberships of privileged local groups like Remote Desktop Users and Local Administrators by executing net localgroup lookups.
System Owner/User Discovery (T1033): Executes the native query user and whoami commands to receive details of the running user account.
Brute Ratel is delivered to the infected host and initiates discovery of the victim’s domain configuration.
System Binary Proxy Execution: Rundll32 (T1218.011): RunDll32 is a native system utility that can be used to execute DLL files and call a specific export inside the file. This scenario executes RunDll32 with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.
Account Discovery: Domain Account (T1087.002): The system command net group is used to list Domain and Enterprise Admins accounts.
Domain Trust Discovery (T1482): The native binary nltest is used to list all of the domain trust relationships for the domain associated with the workstation.
Account Discovery: Local Account (T1087.001): A list of local accounts configured on this host is collected by executing the net user command. Knowing what other accounts are present on the host will allow the actor to potentially re-use previously known credentials or identify disabled legitimate accounts they can re-enable to blend in with everyday activity.
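Taken individually, the discovery commands listed above are ordinary administrative tools; what marks an intrusion is several of them running from one host within minutes, as the third graph below also describes. The following is an added example, not AttackIQ’s code: it maps constructed process-creation events to the technique each command corresponds to and raises one alert per host when at least four distinct discovery techniques appear inside a five-minute window. The event field names, the window and the threshold are assumptions to tune against your own telemetry.

```python
"""Flag a burst of host/domain discovery commands from a single host.

Added example, not AttackIQ's code. Maps the discovery commands named in
the post to their technique IDs and alerts when several distinct ones run
on one host inside a short window. Event fields (time, host, command_line),
the window and the threshold are assumptions; the events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the post and the technique each one maps to.
DISCOVERY_COMMANDS = {
    "net view": "T1018",
    "nslookup": "T1016.001",
    "netstat": "T1049",
    "net localgroup": "T1069.001",
    "query user": "T1033",
    "whoami": "T1033",
    "net group": "T1087.002",
    "nltest": "T1482",
    "net user": "T1087.001",
}


def classify(command_line):
    """Return the technique ID for a listed discovery command, or None."""
    tokens = command_line.lower().split()
    if not tokens:
        return None
    # Reduce '"C:\Windows\System32\net1.exe"' to the bare program name 'net'.
    prog = tokens[0].rsplit("\\", 1)[-1].strip('"')
    if prog.endswith(".exe"):
        prog = prog[:-4]
    if prog == "net1":
        prog = "net"
    for key, technique in DISCOVERY_COMMANDS.items():
        parts = key.split()
        if [prog] + tokens[1:len(parts)] == parts:
            return technique
    return None


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Return one alert per host whose discovery commands span >= min_distinct techniques in one window."""
    by_host = defaultdict(list)
    for ev in events:
        technique = classify(ev["command_line"])
        if technique:
            by_host[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), technique, ev["command_line"])
            )
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            techniques = {it[1] for it in in_window}
            if len(techniques) >= min_distinct:
                alerts.append({
                    "host": host,
                    "start": start.isoformat(),
                    "techniques": sorted(techniques),
                    "commands": [it[2] for it in in_window],
                })
                break  # one alert per host is enough to open a ticket
    return alerts


# Constructed process-creation events: one host runs a discovery burst, another
# runs two harmless commands more than an hour apart.
SAMPLE_EVENTS = [
    {"time": "2021-10-05T09:12:01", "host": "WS-042", "command_line": "whoami /all"},
    {"time": "2021-10-05T09:12:04", "host": "WS-042", "command_line": "net view /all"},
    {"time": "2021-10-05T09:12:08", "host": "WS-042", "command_line": "notepad.exe report.txt"},
    {"time": "2021-10-05T09:12:09", "host": "WS-042", "command_line": "nslookup example.com"},
    {"time": "2021-10-05T09:12:15", "host": "WS-042", "command_line": "netstat -nao"},
    {"time": "2021-10-05T09:12:20", "host": "WS-042", "command_line": "net localgroup administrators"},
    {"time": "2021-10-05T09:12:33", "host": "WS-042", "command_line": "nltest /domain_trusts /all_trusts"},
    {"time": "2021-10-05T09:40:00", "host": "WS-017", "command_line": "whoami"},
    {"time": "2021-10-05T11:02:00", "host": "WS-017", "command_line": r"net view \\fileserver"},
]

if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], alert["techniques"])
```

Running it reports WS-042 with six distinct techniques and nothing for WS-017. Counting distinct techniques rather than raw command count keeps a single repeated `whoami` from tripping the rule, and the per-host break avoids flooding the queue when a burst is long.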
BloodHound is used to identify additional domain controllers and hidden domain trusts. Finally, Cobalt Strike is deployed and executed through RunDLL32 with the final objective of exfiltrating stolen data.
Exfiltration Over C2 Channel (T1041): Files are sent to an AttackIQ-controlled server using HTTP POST requests.
QakBot – 2022-06 – Infection Chain with Cobalt Strike and Coroxy Lead to Black Basta Ransomware
The second attack graph is based on another TrendMicro report detailing the emerging Black Basta ransomware group using QakBot for initial access and lateral movement, while taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations. During this activity, the attacker distributed QakBot using spearphishing emails containing Excel 4.0 files with macros.
This emulation begins with the downloading and saving of the malicious document used to deliver QakBot. The malware is executed using RegSvr32 and injects into an existing process. Scheduled tasks are created for persistence and HTTP is used for command-and-control emulation.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the
The next phase of the attack is similar to the previous attack graph where QakBot is used to execute native discovery commands to gather intelligence about the victim’s environment.
Cobalt Strike and Coroxy will be saved to the system to collect additional information and facilitate exfiltration of collected data. Cobalt Strike uses a named pipe impersonation to elevate privileges.
Access Token Manipulation (T1134): A service is created that listens for incoming connections over a named pipe. A PowerShell script is then executed to communicate with and transfer control to the service token.
System Information Discovery (T1082): This scenario will obtain the OS Serial Number using a WMI command.
Finally, the deployment of Black Basta ransomware is performed, which aims to encrypt system files using a similar method to the one used by Conti ransomware.
Data Encrypted for Impact (T1486): AttackIQ has replicated the functionality used by the Conti ransomware to encrypt files on the targeted hosts. This includes the common file extensions and encryption methods utilized by the actor.
QakBot – 2021-10 – Infection Chain with Living-off-the-Land (LotL) Techniques
The third and final attack graph is based on a wave of activity detected in October 2021 when QakBot was observed quickly spreading while stealing browser information and email data. Following the opening of an XLS document, the initial QakBot DLL loader was downloaded and saved to disk. Once executed, the QakBot process creates a scheduled task to elevate itself to the system. QakBot injected into many processes but one favorite in this intrusion was Microsoft Remote Assistance (msra.exe). Within minutes of landing on the compromised system, a series of discovery commands were executed using Microsoft utilities.
The emulation again begins with the downloading and saving of the malicious Office document used in phishing emails which leads to the execution of the QakBot DLL through RunDLL32. A directory will be added to the Microsoft Defender exclusion list and the LSASS process memory will be dumped which can later be used to extract credentials and tokens.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario adds the directory "C:\ProgramData\Microsoft\Oweboiqnb\" specified in the script’s parameters to the Microsoft Defender Exclusion List by executing a PowerShell script.
OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass.exe process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.
Mimikatz is then used to dump the credentials from that minidump file.
The attack graph then begins the common QakBot discovery phase before attempting to collect browser data including bookmarks and saved passwords. E-mail archives are then harvested and staged for data exfiltration.
Browser Bookmark Discovery (T1217): This scenario will execute a PowerShell script that will iterate through each user profile on the system and attempt to flush the data from the WebCache log files back to the WebCacheV01 database using the esentutl utility. Once the data has been flushed, a copy of the database will be made to a temporary directory.
Email Collection (T1114.001): This scenario will look for .ost files (email files used by Outlook) recursively under the user profile directories.
Data Staged: Local Data Staging (T1074.001): Files are collected and stored in a temporary directory so they can be exfiltrated later.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. System Binary Proxy Execution: Rundll32 / Regsvr32 (T1218.011 / T1218.010)
QakBot is most commonly delivered and executed as a DLL file. The primary native methods for executing these files are to call the RunDll32 or RegSvr32 utilities and pass along the path and the export function to be executed.
While these two native tools are commonly used by legitimate applications, there are behaviors related to their execution that can stand out in your process logs. Files that are executed from temporary directories, that lack the standard .dll file extension, or that call odd-looking export names stand out from regular user behavior.
Process Name == (rundll32.exe OR regsvr32.exe)
Command Line CONTAINS (‘TEMP’ OR ‘.png’ OR ‘Roaming’)
2. Scheduled Task/Job: Scheduled Task (T1053.005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.
With an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task:
Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))
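Both hunting rules above are written as SIEM pseudo-queries. The following added example, not AttackIQ’s code, turns them into Python checks and runs them over constructed events shaped like EDR or Sysmon process-creation records; the field names and the sample command lines are assumptions. It also extracts the scheduled task’s /tr action for triage, because the second rule’s “cmd” term is satisfied by the launching cmd.exe’s own name, so in practice it fires on any schtasks /create issued from a shell and the analyst needs to see what the task actually runs.

```python
"""Run the two process-log hunting rules from the post over sample events.

Added example, not AttackIQ's code. The event shape (process_name,
command_line) is an assumption modelled on EDR / Sysmon process-creation
records; the sample events are constructed.
"""
import re

# Rule 1: DLL loaders running payloads from user-writable or oddly named paths.
LOADER_PROCESSES = {"rundll32.exe", "regsvr32.exe"}
LOADER_MARKERS = ("temp", ".png", "roaming")  # matched case-insensitively

# Rule 2: a shell creating a scheduled task that runs cmd or powershell.
SHELLS = {"cmd.exe", "powershell.exe"}


def flag_dll_loader(event):
    """True when rundll32/regsvr32 runs with TEMP, .png or Roaming in its command line."""
    if event["process_name"].lower() not in LOADER_PROCESSES:
        return False
    cmd = event["command_line"].lower()
    return any(marker in cmd for marker in LOADER_MARKERS)


def flag_schtasks_create(event):
    """True when cmd/powershell issues schtasks /create whose line mentions cmd or powershell."""
    if event["process_name"].lower() not in SHELLS:
        return False
    cmd = event["command_line"].lower()
    return "schtasks" in cmd and "/create" in cmd and ("cmd" in cmd or "powershell" in cmd)


def task_action(command_line):
    """Return the /tr (task run) value of a schtasks line for analyst triage, or None."""
    m = re.search(r'/tr\s+("[^"]*"|\S+)', command_line, re.IGNORECASE)
    return m.group(1).strip('"') if m else None


def run_rules(events):
    """Return {rule_name: [event ids]} listing every event that matches each rule."""
    hits = {"dll_loader_suspicious_path": [], "schtasks_create_from_shell": []}
    for ev in events:
        if flag_dll_loader(ev):
            hits["dll_loader_suspicious_path"].append(ev["id"])
        if flag_schtasks_create(ev):
            hits["schtasks_create_from_shell"].append(ev["id"])
    return hits


# Constructed events: two true positives (1 and 3) among benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "process_name": "regsvr32.exe",
     "command_line": r"regsvr32.exe C:\Users\jdoe\AppData\Local\Temp\stager.png"},
    {"id": 2, "process_name": "rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 3, "process_name": "cmd.exe",
     "command_line": r'cmd.exe /c schtasks /create /tn "Updater" /tr "powershell -w hidden -f C:\ProgramData\update.ps1" /sc minute /mo 5'},
    {"id": 4, "process_name": "powershell.exe",
     "command_line": "powershell.exe Get-ScheduledTask"},
    {"id": 5, "process_name": "cmd.exe",
     "command_line": "cmd.exe /c schtasks /query /tn Updater"},
]

if __name__ == "__main__":
    for rule, ids in run_rules(SAMPLE_EVENTS).items():
        print(rule, ids)
    print("task action:", task_action(SAMPLE_EVENTS[2]["command_line"]))
```

Expect a few benign matches from rule 1 in a real estate (installers that unpack to %TEMP% and register COM DLLs are the usual source), so route it to a hunting dashboard rather than a paging alert until you have trimmed the markers against your own baseline.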
- M1047 – Audit
- M1028 – Operating System Configuration
- M1026 – Privileged Account Management
- M1018 – User Account Management
3. Process Injection (T1055)
Malware will commonly inject malicious code into other running processes to attempt to blend in with legitimate applications.
Searching for common processes that are performing uncommon actions can help identify when a process has been compromised.
In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against multiple threat actors using the same initial playbook. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.