Qakbot Being Distributed as ISO Files Instead of Excel Macro – ASEC BLOG

Malware is increasingly distributed via ISO files, with multiple families adopting the method. Qakbot has shifted from Excel macros to ISO-based delivery, alongside AsyncRAT, IcedID, and BumbleBee.

#Qakbot #ISOFiles

Keypoints

  • The distribution method using ISO files is rising, affecting Qakbot as well as AsyncRAT, IcedID, and BumbleBee.
  • Phishing emails attach a malicious HTML file that, when opened, leads to a password-protected compressed file inside the HTML page.
  • The compressed file contains an ISO with an LNK file and a folder; the LNK file launches a malicious JS file.
  • The JS file executes a CMD file that combines the strings “regsvr” and “32” to load recruiter.db via regsvr32.exe, delivering Qakbot.
  • Qakbot checks for anti‑analysis indicators (e.g., the file path C:\INTERNAL\__empty) and environment variables before performing malicious actions.
  • Once active, Qakbot steals user, process, and OS information, then injects into legitimate processes and connects to multiple C2 servers to download modules and exfiltrate data.
  • AhnLab lists specific detections and IOCs, urging users to avoid opening email attachments and promoting threat intelligence for related indicators.

MITRE Techniques

  • [T1566.001] Phishing – The phishing mail distributes Qakbot with a malicious HTML attachment. Qualifying quote: “The phishing mail that distributes Qakbot is shown in Figure 1, and a malicious HTML file is attached to it.”
  • [T1027] Obfuscated/Compressed Files and Information – The HTML page creates a password-protected compressed file; the password is disclosed on the HTML page. Qualifying quote: “The compressed file is password-protected, and the password can be found on the HTML page.”
  • [T1059.007] JavaScript – The malicious JS file is used to trigger subsequent steps. Qualifying quote: “The malicious JS file serves the role of executing the cmd file in the same folder with the argument ‘regsvr’.”
  • [T1117] Regsvr32 – The cmd file loads recruiter.db through regsvr32.exe. Qualifying quote: “loads the recruiter.db file through regsvr32.exe.”
  • [T1059.003] Windows Command Shell – The CMD file combines ‘regsvr’ and ‘32’ and runs regsvr32.exe. Qualifying quote: “The cmd file combines the strings ‘regsvr’ and ‘32’ transmitted with the argument…”
  • [T1055] Process Injection – Qakbot injects into normal processes (e.g., explorer.exe, msra.exe, OneDriveSetup.exe). Qualifying quote: “the injected processes decode multiple C2s to attempt a connection, and a portion of these are shown below. When a connection to C2 is made, additional malicious behaviors can be performed, including downloading malicious modules and stealing financial information.”
  • [T1082] System Information Discovery – It steals username, running processes, OS information, etc., before further actions. Qualifying quote: “steals the username, information on currently running processes, OS information, etc.”
  • [T1105] Ingress Tool Transfer – After establishing C2, it downloads additional malicious modules. Qualifying quote: “downloading malicious modules” (context implied with C2 activity).
  • [T1071] Web Protocols – The malware communicates with multiple C2 addresses over various ports to maintain control and obtain modules. Qualifying quote: “The injected processes decode multiple C2s to attempt a connection.”
  • [T1204] User Execution – The LNK file is disguised as a folder icon; executing it launches the malicious JS. Qualifying quote: “The LNK file is disguised as a folder icon, and executing this will launch the malicious JS file inside the ‘conspicuously’ folder.”
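The execution chain above (script host or cmd.exe spawning regsvr32.exe to load a non-DLL file from a mounted ISO) is the kind of thing a process-creation rule can catch. The following is an added example, not code from the ASEC post: it runs simple detection logic over constructed Sysmon-style events and assumes C: is the system drive, so any other drive letter is treated as a possible ISO mount.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process creation events; only the path names
# echo the chain described in the post (recruiter.db, "conspicuously" folder).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'regsvr32.exe "D:\conspicuously\recruiter.db"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd.exe /c loader.cmd regsvr"},
]

# Parents that rarely have a legitimate reason to register COM servers.
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Extensions regsvr32 is normally asked to load.
EXPECTED_EXT = {".dll", ".ocx", ".ax"}
SYSTEM_DRIVE = "C:"  # assumption for this example

def module_argument(cmdline):
    """Return the module path passed to regsvr32 (last non-switch token), or None."""
    tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else None

def regsvr32_findings(event):
    """List the reasons one event resembles the LNK -> JS -> CMD -> regsvr32 chain."""
    reasons = []
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if image != "regsvr32.exe":
        return reasons
    if parent in SCRIPT_PARENTS:
        reasons.append(f"regsvr32 spawned by {parent}")
    module = module_argument(event["CommandLine"])
    if module:
        path = PureWindowsPath(module)
        if path.suffix.lower() not in EXPECTED_EXT:
            reasons.append(f"non-DLL extension {path.suffix!r}")
        if path.drive.upper() != SYSTEM_DRIVE:
            reasons.append(f"module on {path.drive} (possible mounted ISO)")
    return reasons

def flagged(events):
    """Indices of events that produced at least one finding."""
    return [i for i, e in enumerate(events) if regsvr32_findings(e)]
```

Only the first constructed event trips the rule; the vendor installer and the intermediate cmd.exe launch do not, because the rule keys on what regsvr32 itself was asked to load.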

Indicators of Compromise

  • [Hash] 5c97198ce6ada4da0e2f4fc0062bfd3b, 34e4f836930e6215d1ccf50b4af7f41a, and 3 more hashes
  • [IP] 154.181.203[.]230:995, 66.181.164[.]43:443, and 15 more IPs
  • [File] recruiter.db – used by Qakbot payload loading via regsvr32

Read more: https://asec.ahnlab.com/en/39537/