Qakbot Campaign Delivered Black Basta Ransomware

The Qakbot botnet (Qbot) was disrupted in a multinational operation in August 2023. Secureworks Counter Threat Unit (CTU) researchers monitored the activity, while law enforcement seized over $8.6 million in illicit proceeds and identified more than 700,000 infected computers. Qakbot served as a delivery vehicle for other threats, including Black Basta ransomware, in rapid, multi-step intrusions that chained phishing, Cobalt Strike, and data exfiltration tooling before ransomware deployment.

Key points

  • Law enforcement disrupted the Qakbot botnet and seized illicit profits worth over $8.6 million, affecting 700,000+ infected machines.
  • Qakbot was used to deliver other malware, including Black Basta, Conti, REvil, and Cobalt Strike.
  • Initial access primarily relied on phishing emails with a link to a password-protected ZIP archive to bypass mail-scanning controls.
  • RegSvr32 was used to execute Qakbot via a JavaScript file (WW.js) placed in a hidden directory; the payload was a DLL stored with a .tmp extension.
  • Qakbot performed automated discovery and then deployed Cobalt Strike DNS Beacons for lateral movement and C2 communications.
  • Rclone (MsRcl.exe) enabled large-scale data exfiltration over WebDAV, followed by rapid deployment of Black Basta in at least one incident.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The initial access vector was a phishing email containing a link to a password-protected malicious ZIP archive (‘The initial access vector for these intrusions was a phishing email. This email contained a link to a password-protected malicious ZIP archive (see Figure 1).’).
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – The JS file used the RegSvr32 utility to execute a Qakbot binary in the ‘port’ hidden directory (‘the JavaScript file (WW.js) used the native RegSvr32 utility to execute a Qakbot binary in the ‘port’ hidden directory.’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The malicious WW.js script was the stage that invoked RegSvr32 to run the Qakbot payload (‘the JavaScript file (WW.js) used the native RegSvr32 utility to execute a Qakbot binary’).
  • [T1021.001] Remote Services – Cobalt Strike was deployed to multiple hosts within the compromised environment (‘The threat actors then used Qakbot to deploy Cobalt Strike to multiple hosts within the compromised environment.’).
  • [T1071.004] Application Layer Protocol: DNS – Cobalt Strike DNS Beacons generated high volumes of DNS requests (‘DNS Beacons that created high volumes of DNS requests with the convention…’).
  • [T1090.003] Proxy: Tor – SystemBC RAT used Tor to obfuscate network traffic (‘configured to use Tor to obfuscate network traffic’).
  • [T1567.002] Exfiltration Over Web Service – Data exfiltration via WebDAV using Rclone (MsRcl.exe) (‘Rclone to transfer up to hundreds of gigabytes of data in a few hours’ and ‘WebDAV protocol to transfer up to 55 files concurrently’).
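Two of the behaviours listed above lend themselves to host and network detection: RegSvr32 being handed a payload that is not a normal .dll from a user-writable directory by a script host, and one registered domain receiving a flood of DNS queries with almost no repeated names, as Cobalt Strike DNS Beacons produce. The Python below is an added, defender-side example; it is not code from the Secureworks post or from any tool the post names. The process-creation records and DNS log lines are constructed for the example, and the script-host list, the extension allow-list, the query thresholds and the two-label registrable-domain rule are assumptions to tune for a real environment.

```python
"""Detection heuristics for two behaviours in the Qakbot -> Black Basta chain:
(1) regsvr32 proxy-executing a payload with a non-DLL extension, launched by a
    script host from a user profile directory;
(2) a single registered domain receiving many DNS queries with unique names.
All records below are constructed; thresholds and lists are assumptions."""
import re
import shlex
from collections import defaultdict

# --- Heuristic 1: regsvr32 running a payload with an unusual extension ---------
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed interpreter set
NORMAL_REGSVR_EXT = {".dll", ".ocx", ".ax"}                  # what regsvr32 normally loads

def basename(path):
    """Lower-case final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def file_args(command_line):
    """File operands of a regsvr32 command line: skip the program token and /switches."""
    tokens = shlex.split(command_line, posix=False)[1:]
    return [t.strip('"') for t in tokens if not t.startswith(("/", "-"))]

def regsvr32_reasons(parent_image, image, command_line):
    """Return the reasons a regsvr32 launch looks like proxy execution; [] if benign."""
    if basename(image) != "regsvr32.exe":
        return []
    reasons = []
    if basename(parent_image) in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {basename(parent_image)}")
    for path in file_args(command_line):
        name = basename(path)
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext not in NORMAL_REGSVR_EXT:
            reasons.append(f"registers non-DLL extension {ext or '(none)'}: {path}")
        if re.search(r"\\users\\", path, re.IGNORECASE):
            reasons.append(f"payload under a user profile directory: {path}")
    return reasons

def scan_process_events(events):
    """Return (index, reasons) for every event that triggers heuristic 1."""
    return [(i, r) for i, ev in enumerate(events) if (r := regsvr32_reasons(*ev))]

# Constructed process-creation records: (parent image, image, command line)
SAMPLE_PROCESS_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\regsvr32.exe",
     'regsvr32.exe /s "C:\\Program Files\\ExampleVendor\\component.dll"'),  # benign
    ("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32.exe C:\\Users\\alice\\port\\payload.tmp"),                     # chain above
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]

# --- Heuristic 2: one domain, many queries, almost every query name distinct -----
def registered_domain(qname):
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def dns_beacon_candidates(lines, min_queries=20, min_unique_ratio=0.8):
    """Flag domains with at least min_queries where nearly every query name is unique.
    Each constructed line has the form '<timestamp> <client-ip> <query-name>'."""
    per_domain = defaultdict(list)
    for line in lines:
        _, client, qname = line.split()
        per_domain[registered_domain(qname)].append((client, qname.lower()))
    flagged = {}
    for domain, recs in per_domain.items():
        total, unique = len(recs), len({q for _, q in recs})
        if total >= min_queries and unique / total >= min_unique_ratio:
            flagged[domain] = {"queries": total, "unique_names": unique,
                               "clients": sorted({c for c, _ in recs})}
    return flagged

# Constructed DNS log: 40 unique-label queries to one domain, 30 repeats of a web host.
SAMPLE_DNS_LOG = (
    [f"2023-08-01T10:{i:02d}:00Z 10.0.0.{5 + i % 2} {i:08x}.api.beacon-c2.example"
     for i in range(40)]
    + [f"2023-08-01T11:{i:02d}:00Z 10.0.0.7 www.example.org" for i in range(30)]
)

if __name__ == "__main__":
    for idx, reasons in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"process event {idx}: " + "; ".join(reasons))
    for domain, info in dns_beacon_candidates(SAMPLE_DNS_LOG).items():
        print(f"DNS beacon candidate {domain}: {info}")
```

The two heuristics are independent signals; in practice the process rule should also be correlated with the parent script having been written by an archive utility or browser, and the DNS rule should be run over a sliding time window rather than the whole log, so that a busy but legitimate CDN domain with many unique names does not trip it on its own.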

Indicators of Compromise

  • [Domain] Domain name – davelax-ng.com, samiford.com, and 2 more domains
  • [MD5 hash] MD5 hash – 4d4afa8b53727c555e42f968b1c9aac3, 507d8c2edb4500f479f31320aeae9940, and 2 more hashes
  • [SHA1 hash] SHA1 hash – 5af8bc9faf9fc0624180ca3d01579534, d893a91a87cde424c90e699420f5c223
  • [SHA256 hash] SHA256 hash – 26814c6f3dd138baa80fe2976204bd6d2772199d2a9e5f1394769efebe385c92, f9ff6bac08394cce4b892bc5875e3970bcdfaa83f3d7613b7f55968b410e85d7, and 1 more hash
  • [IP address] IP address – 146.70.86.61, 159.223.144.162, and 1 more IP
  • [Filename] Filename – cob_56.dll (Cobalt Strike Beacon)
  • [Domain] Domain name – jagiwicure.com, jibebukuki.com, and 2 more domains

Read more: https://www.secureworks.com/blog/qakbot-campaign-delivered-black-basta-ransomware