New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails

Fortinet’s FortiGuard Labs documented a phishing campaign delivering a new QakBot variant via an attached HTML file that auto-executes to drop a ZIP, load a loader, and ultimately run QakBot within a Windows process. The analysis details the infection chain from the HTML drop to process hollowing, anti-analysis tricks, C2 communications, and data exfiltration, underscoring the danger of HTML attachments in phishing attempts. #QakBot #QBot #QuackBot #Pinkslipbot

Keypoints

  • The phishing email with an attached HTML file (ScannedDocs_1586212494.html) delivers a new QakBot variant, as identified by Fortinet’s FortiMail/SPAM marking.
  • The HTML contains JavaScript that auto-executes when opened, decoding a base64 payload and saving a ZIP file (ScannedDocs_1586212494.zip) locally.
  • The ZIP drops a Windows shortcut (ScannedDocs_1586212494.lnk) that uses curl to download a DLL loader (Tres.dod) and executes it via regsvr32.
  • The QakBot Loader decrypts a Resource block, then deploys a fileless PE core module inside regsvr32 and uses a self-deployment function to call the core module’s entry point.
  • QakBot employs process hollowing to inject its core module into a target process (often OneDriveSetup.exe) by creating a suspended process, writing to memory, and resuming the thread to execute the core.
  • Anti-analysis techniques include encrypted constant strings, dynamic Windows API resolution, and checks for analysis tools (e.g., Frida, Wireshark, IDA, Fiddler) to disrupt researchers.
  • The core module gathers device information via Windows APIs and WMI, then communicates with C2 servers over HTTP(S) using RC4 and base64-encoded JSON payloads; the C2 list is decrypted from resources.
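A defender-side triage script for the HTML-smuggling step described in the keypoints above: it looks for the JavaScript calls such a page needs to turn a base64 string into a saved file, then decodes any sizeable base64 literal and checks for the ZIP local-file-header magic. This is an added example, not code from the report; the sample HTML and its embedded blob are constructed here and are not the real ScannedDocs_1586212494.html.

```python
import base64
import re

# Heuristics for HTML smuggling: JavaScript that decodes an embedded base64 blob
# and hands it to the browser as a file download.
SUSPICIOUS_JS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download")
ZIP_MAGIC = b"PK\x03\x04"
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{64,})['\"]")  # quoted base64 of notable size

def triage_html(html: str) -> dict:
    """Return smuggling indicators and whether a decoded blob is a ZIP archive."""
    hits = [api for api in SUSPICIOUS_JS if api in html]
    payload = None
    for blob in B64_BLOB.findall(html):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if data.startswith(ZIP_MAGIC):
            payload = data
            break
    return {
        "js_indicators": hits,
        "embeds_zip": payload is not None,
        "payload_size": len(payload) if payload else 0,
        # Two or more file-drop APIs plus an embedded ZIP is a strong smuggling signal.
        "suspicious": len(hits) >= 2 and payload is not None,
    }

# Constructed sample: a blob that starts with the ZIP magic, padded to a plausible size.
FAKE_ZIP = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 90
SAMPLE_HTML = f"""<html><body><script>
var b = "{base64.b64encode(FAKE_ZIP).decode()}";
var bytes = Uint8Array.from(atob(b), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "ScannedDocs.zip"; a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```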

MITRE Techniques

  • [T1566.001] Phishing – The phishing email used to lure the recipient into opening the attached HTML file. ‘Figure 1.1 shows the phishing email used by hackers to lure the recipient into opening the attached HTML file (ScannedDocs_1586212494.html). This phishing email has been marked as SPAM by Fortinet’s FortiMail.’
  • [T1059.007] JavaScript – The HTML file contains a piece of JavaScript code that is automatically executed once it is opened in a web browser by the recipient. ‘The HTML file contains a piece of javascript code that is automatically executed once it is opened in a web browser by the recipient.’
  • [T1105] Ingress Tool Transfer – The loader is downloaded from a remote URL (194[.]36[.]191[.]227/%random%.dat). ‘downloading a file from URL 194[.]36[.]191[.]227/%random%.dat into local file “%ProgramData%FlopTres.dod”.’
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – Regsvr32 is used to execute the downloaded DLL loader. ‘regsvr32 %ProgramData%FlopTres.dod’.
  • [T1055.012] Process Injection / Hollowing – Process hollowing to inject QakBot core into a target process (e.g., OneDriveSetup.exe). ‘QakBot will select a system process from a process list … OneDriveSetup.exe … CreateProcessW() to start a new process … WriteProcessMemory() … jump to the injected core module.’
  • [T1497] Virtualization/Sandbox Evasion – Checks for analysis tools and processes to disrupt analysis. ‘QakBot has a thread function that checks once per second to see if any analysis tool is running … predefined process name list.’
  • [T1027] Obfuscated/Compressed Files and Information – Encryption of constant strings and RC4 usage. ‘Constant strings are encrypted’ and ‘decrypted by a particular function before using.’
  • [T1047] Windows Management Instrumentation – WMI queries to obtain information. ‘WMI Object Query’ with SELECT * FROM Win32_OperatingSystem, AntiVirusProduct, etc.
  • [T1082] System Information Discovery – Collection of OS, computer, processor, and RAM details via APIs and WMI. ‘OS information’ and ‘CPU processor information.’
  • [T1041] Exfiltration Over C2 Channel – Data collected is prepared and sent to C2 via HTTP(S). ‘The core module collects information … and sends it to its C2 server.’
  • [T1071.001] Web Protocols – C2 communications over HTTP(S). ‘HTTP Post method with URL “/t4” and the base64 encoded registry data as the body … transported over SSL protocol.’
  • [T1132.001] Data Encoding – Data is RC4-encrypted and then base64-encoded before being sent. ‘The data is RC4 encrypted and then encoded as a string using a base64 algorithm.’
  • [T1012] Query Registry / [T1047] WMI – Data collection steps include querying the registry and WMI for system information.
  • [T1059.003] Windows Command Shell – Usage of Windows commands for discovery (ipconfig, netstat, etc.).
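An analyst-side codec for the C2 message layering the report describes (JSON, RC4-encrypted, then base64-encoded as the HTTP POST body), useful for decoding captured beacons once the key has been recovered. This is an added example, not the report's or the malware's code; the RC4 key and beacon fields below are constructed placeholders, and the RC4 implementation is the textbook KSA/PRGA.

```python
import base64
import json

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encode_c2(message: dict, key: bytes) -> str:
    """Serialize JSON, RC4-encrypt, then base64-encode: the layering the report describes."""
    raw = json.dumps(message, separators=(",", ":")).encode()
    return base64.b64encode(rc4(key, raw)).decode()

def decode_c2(body: str, key: bytes) -> dict:
    """Reverse the layering on a captured POST body; raises ValueError on a wrong key."""
    plaintext = rc4(key, base64.b64decode(body))
    return json.loads(plaintext.decode("utf-8"))

# Constructed sample only: key and fields are placeholders, not values from the report.
ASSUMED_KEY = b"placeholder-rc4-key"
SAMPLE_BEACON = {"os": "Windows 10", "cpu": "placeholder-cpu", "ram_mb": 8192}

if __name__ == "__main__":
    body = encode_c2(SAMPLE_BEACON, ASSUMED_KEY)
    print("POST /t4 body:", body)
    print("decoded:", decode_c2(body, ASSUMED_KEY))
```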

Indicators of Compromise

  • [URL] 194.36.191.227/%random%.dat – The loader download URL used in the attack chain.
  • [Hash] FE1043A63E6F0A6FAA762771FF0C82F253E979E6E3F4ADD1C26A7BD0C4B2E14C – SHA-256 of the attached HTML file.
  • [Hash] 9C3D3CD9B0FCB39117692600A7296B68DDDF2995C6D302BC9D9C8B786780BA19 – SHA-256 of the QakBot loader module.
  • [Hash] F5B6619E92D7C4698733D9514DF62AFACA99883DFAC8B9EE32A07D087F2800BF – SHA-256 of ScannedDocs_1586212494.lnk.
  • [File name] ScannedDocs_1586212494.html – Initial attached HTML file used to trigger infection.
  • [File name] ScannedDocs_1586212494.lnk – Windows shortcut extracted from the dropped ZIP; it uses curl to download the DLL loader and executes it via regsvr32.
  • [IP] 194.36.191.227 – Source IP observed in the downloader URL.

Read more: https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails