Collecting Information on the Qakbot Banking Trojan

Background: 

The Qakbot banking Trojan is one of the top-tier malware families on the current threat landscape. It is distributed in mass spam campaigns, steals confidential information, and has also provided access to ransomware operators. Preventing and detecting this threat has become a priority for many organisations as a successful infection can lead to a costly cyber incident. In this blog, I aim to share more information on this malware, provided by open sources, and highlight the intelligence gathering process it takes to combat this threat.

Qakbot (also known as Quakbot or Qbot) has been around since 2008. It has targeted the customers of various financial institutions worldwide. While Qbot’s targeting has mostly remained the same – with the aim of stealing bank details and enabling wire fraud – its propagation methods have changed across various campaigns. Despite its age, Qakbot still remains a significant threat with established connections in the organised cybercrime underworld.

One such connection is the ProLock ransomware gang. The ransomware has been dropped by Qakbot via macro-enabled Microsoft Office documents or password-protected ZIP archives distributed in targeted phishing campaigns. The malware has also been dropped itself during the mass spam campaigns orchestrated by the Emotet operators. If Qakbot is used to gain access to the systems, ransomware is often followed on target environments soon after. [12]

In a recent security advisory, Water ISAC issued an alert regarding an Egregor ransomware attack on 29 October targeting a large water and wastewater utility in the US. Notably, the ransomware’s most likely initial infection vector was a macro-enabled document attachment containing the Qakbot Trojan. After Qakbot had successfully established a foothold, the Egregor operators reportedly leveraged RDP to traverse network resources. Over 100 workstations and multiple servers, including a backup server, were targeted. The risk of additional water utilities being targeted by ransomware is high. [3]

Further technical details on the Qakbot banking Trojan were released by CrowdStrike in three part series. [456]

Qakbot’s key features include:

  • Stealing information from infected machines, including passwords, emails, credit card details and more.
  • Installing other malware on infected machines, including ransomware
  • Qakbot can also steal FTP credentials and spread across a network using SMB.
  • Allowing the Bot controller to connect to the victim’s computer (even when the victim is logged in) to make banking transactions from the victim’s IP address.
  • Hijacking users’ legitimate email threads from their Outlook client and using those threads to try and infect other users’ PCs.

Qakbot TTPs mapped to the Mitre ATT&CK Framework:

TacticTechniqueSub-Technique
Initial AccessPhishingSpear-Phishing Attachment
ExecutionUser ExecutionMalicious Link, Malicious File
ExecutionCommand and Scripting InterpreterPowerShell, CMD Shell, Visual Basic
ExecutionSigned Binary Proxy ExecutionMsiexec, Rundll32
PersistenceBoot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder
PersistenceScheduled Task/JobScheduled Task
Defence EvasionObfuscated Files or InformationNone
Defence EvasionProcess InjectionDynamic-link Library Injection
Defence EvasionVirtualization/Sandbox EvasionSystem Checks
Defence EvasionMasqueradingLegitimate Task or Service Names
Credential AccessBrute ForcePassword Guessing
Credential AccessInput CaptureWeb Injects
DiscoveryVirtualization/Sandbox EvasionUser Activity Based Checks
DiscoveryNetwork Share DiscoveryNone
Lateral MovementRemote ServicesSMB/Windows Admin Shares
CollectionData from Local SystemCredentials in Files
CollectionEmail collectionNone
Command and ControlApplication Layer ProtocolWeb Protocols

Web Injects:

On 13 November, a security researcher known as @dark0pcodes shared the location of an active Qakbot web injection. Germán Fernández confirmed the Qakbot variant was using web injects with a U-Panel GUI v2.9 (uAdmin). This specific GUI is often used by phishing kits to harvest two-factor authentication (2FA) codes. Paired with this function, a threat actor can remotely connect to the Qakbot-infected device, enter the stolen credentials plus the 2FA token, and begin initiating transactions. These TTPs enable the operators to bypass most anti-fraud protections. Further, this example also leveraged a typosquatting domain to masquerade as Fortinet. [7]

Example of the uAdmin panel used by Qakbot:

Qakbot decoy document:

Qakbot process tree:

Basic tracking sources for Qakbot:

SourceURL
VirusTotalhttps://www.virustotal.com/gui/search/qakbot/comments
AnyRunhttps://any.run/malware-trends/qbot
Hybrid Analysishttps://hybrid-analysis.com/search?query=tag%3Aqbot
MalwareBazarhttps://bazaar.abuse.ch/browse/yara/win_qakbot/
YARA by CAPEhttps://github.com/ctxis/CAPE/blob/master/data/yara/CAPE/QakBot.yar
@dark0pcodes toolshttps://github.com/dark0pcodes/qbot_helper
Live Tweetshttps://twitter.com/search?q=%23Qakbot%20OR%20%23Qbot&src=typed_query&f=live
Threat Reportshttps://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
BlueLivhttps://community.blueliv.com/#!/discover?search=Qakbot

References:

  • https://twitter.com/1ZRR4H/status/1327365067298512900
  • https://twitter.com/VK_Intel/status/1323534149081272320
  • https://www.buguroo.com/en/labs/emotet-has-begun-distributing-the-qakbot-bank-malware
  • https://blog.malwarebytes.com/cybercrime/2020/11/qbot-delivered-via-malspam-campaign-exploiting-us-election-uncertainties/
  • https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques
  • https://www.group-ib.com/blog/prolock
  • https://twitter.com/abuse_ch/status/1301073144367771650?s=20
  • https://twitter.com/abuse_ch/status/1314087412050595841
  • https://fr3d.hk/blog/u-admin-show-tell
  • https://app.any.run/tasks/41746a3c-73be-420b-8eba-3c5282037455/