Qakbot spreads by inserting malicious replies into ongoing email conversations, using compromised accounts to push a zip containing a malicious Office document. The malware is modular, downloads payloads, injects into system processes like Edge and Explorer, and communicates with a TLS-enabled C2 server. #Qakbot #Qbot #WebInject #ARPscan
Keypoints
- Qakbot propagates via reply-all emails that include “a link to download a zip file containing a malicious office document.”
- The campaign delivers multiple payloads, including a web injector for credential theft and an ARP-scanning component to profile the network.
- It is modular: a core engine with plugins, capable of downloading and injecting additional payloads into Edge/Explorer.
- The malware obfuscates and encrypts data, caches it in the Windows Registry with per-machine keys, and uses TLS-protected C2 communications.
- WMI is used to fingerprint the host, copy files, and invoke other Windows executables, with some commands obfuscated via XOR.
- Regsvr32 is used to load DLL payloads dropped into a randomly named five-character folder in the root of the C: drive, which is the bot's loader technique.
- Beacons to the C2 occur roughly every five minutes, and some payloads can deliver Cobalt Strike beacons for later movement or monetization.
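The regsvr32 loader behaviour above (a DLL loaded from a five-letter folder directly under the C: drive root) is narrow enough to hunt for in process-creation telemetry. The following is an added example written for this summary, not code from the report or from Sophos; the event records are constructed to mimic Sysmon/EDR process-creation fields, and the paths and folder names in them are invented.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (not taken from the report).
# "image" is the executing binary, "cmdline" its full command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\qwert\hjklm.dll"'},        # suspicious
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe -s C:\abcde\payload.dll"},        # suspicious
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},  # benign system path
    {"image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r"app.exe C:\abcde\data.dll"},                   # not regsvr32, ignored here
]

# Matches "<drive>:\<exactly five letters>\<file>.dll", optionally quoted.
# The five-letter root folder is the trait described in the report.
FIVE_LETTER_ROOT_DLL = re.compile(
    r'(?i)(?<![\w\\])([a-z]:\\[a-z]{5}\\[^\\\s"]+\.dll)(?=["\s]|$)'
)


def is_regsvr32(image: str) -> bool:
    """True when the executing binary's file name is regsvr32.exe (any path)."""
    return image.rsplit("\\", 1)[-1].lower() == "regsvr32.exe"


def dll_from_five_letter_root(cmdline: str):
    """Return the DLL path if the command line references a five-letter root folder."""
    m = FIVE_LETTER_ROOT_DLL.search(cmdline)
    return m.group(1) if m else None


def suspicious_regsvr32_loads(events: List[Dict[str, str]]) -> List[str]:
    """Return DLL paths that regsvr32 was asked to load from a five-letter C:\\ root folder."""
    hits = []
    for ev in events:
        if not is_regsvr32(ev.get("image", "")):
            continue
        dll = dll_from_five_letter_root(ev.get("cmdline", ""))
        if dll is not None:
            hits.append(dll)
    return hits


if __name__ == "__main__":
    for path in suspicious_regsvr32_loads(SAMPLE_EVENTS):
        print("regsvr32 loading DLL from five-letter root folder:", path)
```

The check is deliberately conservative: it keys on both the regsvr32 image name and the folder shape rather than on any hash, so it survives repacking of the payload but can still produce benign hits for software that happens to use a short root folder; treat matches as triage leads to correlate with the Office parent process and the outbound TLS beaconing described elsewhere on this page.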
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The attack uses “a link to download a zip file containing a malicious office document” embedded in email replies.
- [T1204.002] User Execution: Malicious File – “Opening the spreadsheet (and clicking the Enable Content button in Excel) triggered it to execute a payload embedded in the .xlsb file.”
- [T1218.011] Signed Binary Proxy Execution: Regsvr32 – The loader uses regsvr32 to load DLL payloads dropped to a five-character folder. “dropped into a randomly named (five letters long) folder the bot created in the root of the C: drive.”
- [T1055] Process Injection – The malware injects payloads into Edge/Explorer processes. “injected into Explorer, and Msedge.exe, it began to retrieve a variety of malicious payloads and inject them into additional instances of the two system programs.”
- [T1071.001] Web Protocols – C2 communications occur over HTTPS with TLS, e.g., “The C2 communications between the bot and its controllers is done through HTTPS POST and GET requests, with the data transmitted in an encrypted format, wrapped inside TLS.”
- [T1016] System Network Configuration Discovery – The malware retrieves the infected host’s public-facing IP address. “retrieving the public-facing IP address.”
- [T1046] Network Service Scanning – ARP scanning of the internal network to map the environment. “an ARP scan of the entire IP address range of the testbed’s NAT network address space, presumably to look for a way to move laterally.”
- [T1112] Modify Registry – Data is cached in the Windows Registry in encrypted form with per-machine keys. “caches data in the Windows Registry in an encrypted format.”
- [T1056.003] Input Capture: Web Portal Capture – The webinjects define how credentials are intercepted on various login pages. “webinjects rules — large data files that define the way the bot will intercept the credentials when the user enters their username and password into Web-based login forms.”
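Because the C2 traffic is HTTPS wrapped in TLS (T1071.001) and the bot checks in at roughly five-minute intervals, the content is opaque to a proxy but the timing is not. The example below is added for this summary and is not code from the report; it parses constructed proxy log lines (documentation addresses 203.0.113.10 and 198.51.100.7 stand in for real destinations) and flags source/destination pairs whose inter-request gaps are regular and centred near the stated five-minute period.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed proxy log (not from the report). Assumed line format:
# "<ISO timestamp> <src ip> <method> <dst ip>". The 203.0.113.10 flow repeats
# every ~300 s with small jitter; the 198.51.100.7 flow is bursty browsing.
SAMPLE_LOG = """\
2021-03-01T10:00:00 10.0.0.5 POST 203.0.113.10
2021-03-01T10:00:00 10.0.0.5 GET 198.51.100.7
2021-03-01T10:00:05 10.0.0.5 GET 198.51.100.7
2021-03-01T10:00:09 10.0.0.5 GET 198.51.100.7
2021-03-01T10:02:10 10.0.0.5 GET 198.51.100.7
2021-03-01T10:02:11 10.0.0.5 GET 198.51.100.7
2021-03-01T10:04:58 10.0.0.5 POST 203.0.113.10
2021-03-01T10:10:00 10.0.0.5 GET 198.51.100.7
2021-03-01T10:10:04 10.0.0.5 GET 203.0.113.10
2021-03-01T10:10:05 10.0.0.5 GET 198.51.100.7
2021-03-01T10:15:02 10.0.0.5 POST 203.0.113.10
2021-03-01T10:20:05 10.0.0.5 POST 203.0.113.10
2021-03-01T10:24:59 10.0.0.5 POST 203.0.113.10
2021-03-01T10:30:01 10.0.0.5 GET 203.0.113.10
2021-03-01T10:33:20 10.0.0.5 GET 198.51.100.7
2021-03-01T10:33:21 10.0.0.5 GET 198.51.100.7
2021-03-01T10:33:22 10.0.0.5 GET 198.51.100.7
2021-03-01T10:34:57 10.0.0.5 POST 203.0.113.10
2021-03-01T10:40:03 10.0.0.5 POST 203.0.113.10
2021-03-01T10:45:00 10.0.0.5 POST 203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
_EPOCH = datetime(1970, 1, 1)

FlowKey = Tuple[str, str]


def parse_log(text: str) -> Dict[FlowKey, List[float]]:
    """Group request timestamps (seconds) by (src, dst); malformed lines are skipped."""
    flows: Dict[FlowKey, List[float]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        flows[(m.group(2), m.group(4))].append((dt - _EPOCH).total_seconds())
    return flows


def beacon_stats(timestamps: List[float], min_samples: int = 6) -> Optional[dict]:
    """Median gap and coefficient of variation of the gaps; None if too few samples."""
    ts = sorted(timestamps)
    if len(ts) < min_samples:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return {"samples": len(ts), "median_interval": statistics.median(gaps), "cv": cv}


def find_beacons(flows: Dict[FlowKey, List[float]], max_cv: float = 0.2,
                 period_range: Tuple[float, float] = (240.0, 360.0)) -> Dict[FlowKey, dict]:
    """Flows with low-jitter gaps whose median lies in period_range (default: about 5 min)."""
    hits = {}
    for key, ts in flows.items():
        st = beacon_stats(ts)
        if st and st["cv"] <= max_cv and period_range[0] <= st["median_interval"] <= period_range[1]:
            hits[key] = st
    return hits


if __name__ == "__main__":
    for (src, dst), st in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: median {st['median_interval']:.0f}s, cv {st['cv']:.3f}")
```

Widening `period_range` (or dropping it) turns this into a generic beacon detector for any fixed-interval C2; the five-minute window is only what this report observed, and legitimate software with scheduled check-ins will also score as regular, so destination reputation and the process that opened the connection should be joined in before alerting.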
Indicators of Compromise
- [IP] External IP – 174.16.38.95 – observed as the infected host’s public IP address during C2 communications.
- [File] eum.zip – contains the malicious Excel .xlsb payload used to deliver initial infection.