Cyble Research Labs uncovered a new Qakbot playbook that uses DLL sideloading and a multi-stage delivery chain, including HTML-embedded ZIPs and an ISO with a disguised LNK file to trigger execution. The campaign evolves with legitimate apps loading malicious DLLs and injecting payloads, highlighting ongoing Qakbot activity and increasing evasiveness.
#Qakbot #DLLSideLoading #WindowsCodecs
Key points
- Qakbot infection begins with a mass-spam phishing campaign, serving as the initial access vector.
- The spam attaches an HTML file that contains base64-encoded images and a password-protected ZIP, which drops a further payload.
- Opening the HTML triggers the extraction of a ZIP named "Report Jul 14 47787.zip" containing an ISO image with four files.
- The ISO includes a .lnk file masquerading as a PDF and other legitimate-looking components, setting up the next stage of infection.
- The .lnk file executes calc.exe, which loads WindowsCodecs.dll (masquerading as a support file) as part of DLL sideloading.
- Final Qakbot payload is executed via regsvr32.exe and injects into explorer.exe for the malicious actions.
- IOCs include MD5, SHA1, and SHA256 hashes for the HTML, ZIP, ISO, WindowsCodecs.dll, and 7533.dll files, revealing a multi-artifact footprint.
MITRE Techniques
- [T1566] Phishing - "The initial infection of Qakbot starts with a malicious spam campaign that contains various themes to lure the users into opening the attachments."
- [T1204] User Execution - "After opening the HTML file, it will automatically drop the password-protected zip file in the Downloads location."
- [T1574.002] Hijack Execution Flow: DLL Side-Loading - "DLL sideloading is a technique used by TAs to execute malicious code using legitimate applications. In this technique, TAs place legitimate applications and malicious .dll files together in a common directory."
- [T1055] Process Injection - "The final payload injects its malicious code into explorer.exe and performs all the malicious activities."
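The chain summarised in the key points and in the MITRE list above (a legitimate calc.exe loading WindowsCodecs.dll from the directory it was dropped in, then regsvr32.exe loading the final DLL) leaves a characteristic image-load trail. The following is an added detection example, not code from Cyble or from the original post: it runs two simple rules over constructed Sysmon-style image-load events (Event ID 7). The `key=value` line format, the `E:` mount drive letter, the `KNOWN_SYSTEM_DLLS` list and the trusted-path prefixes are all assumptions for the example; in production the DLL list would come from a baseline of where each system DLL normally resides.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style image-load events (Event ID 7); not real telemetry.
# E: is an assumed drive letter for a mounted ISO; file names follow the report.
SAMPLE_EVENTS = [
    # Normal: calc.exe in System32 loads the real WindowsCodecs.dll from System32.
    "EventID=7 Image=C:\\Windows\\System32\\calc.exe ImageLoaded=C:\\Windows\\System32\\WindowsCodecs.dll",
    # Sideload: a copied calc.exe on the ISO loads a WindowsCodecs.dll sitting next to it.
    "EventID=7 Image=E:\\calc.exe ImageLoaded=E:\\WindowsCodecs.dll",
    # Final stage: regsvr32.exe loads a DLL from removable media instead of a trusted path.
    "EventID=7 Image=C:\\Windows\\System32\\regsvr32.exe ImageLoaded=E:\\7533.dll",
    # Benign noise: explorer.exe loading a system DLL from System32.
    "EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll",
]

# Directories where the listed system DLLs are expected to live (assumption for the example).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# DLL names that should only ever be loaded from SYSTEM_DIRS (assumption; build from a baseline).
KNOWN_SYSTEM_DLLS = {"windowscodecs.dll"}
# Path prefixes regsvr32.exe is normally allowed to register DLLs from (assumption).
TRUSTED_PREFIXES = ("c:\\windows", "c:\\program files")


def parse_event(line):
    """Parse a 'Key=Value Key=Value' line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def analyze(events):
    """Return (rule, loader_name, loaded_path) tuples for suspicious image loads."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        loader = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        dll_dir = str(dll.parent).lower()
        # Rule 1: a well-known system DLL loaded from anywhere but the system directories.
        if dll.name.lower() in KNOWN_SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
            findings.append(("dll_sideload", loader.name, str(dll)))
        # Rule 2: regsvr32.exe loading a DLL from outside the trusted install locations.
        if loader.name.lower() == "regsvr32.exe" and not dll_dir.startswith(TRUSTED_PREFIXES):
            findings.append(("regsvr32_untrusted_dll", loader.name, str(dll)))
    return findings


if __name__ == "__main__":
    for rule, loader, path in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {loader} loaded {path}")
```

Rule 1 catches the sideload regardless of which legitimate host binary is abused, because it keys on where the DLL was loaded from rather than on calc.exe specifically; rule 2 flags the regsvr32 stage without needing the DLL's hash, which matters because the hash changes between campaigns while the loading pattern does not.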
Indicators of Compromise
- [MD5] - MD5 hashes for Qakbot artifacts - d79ac5762e68b8f19146c78c85b72d5e, a4a09d3d5905910ad2a207522dcec67c
- [SHA1] - SHA-1 hashes for Qakbot artifacts - 899c8c030a88ebcc0b3e8482fbfe31e59d095641, 8e7984a0af138aac5427b785e4385cdc6b9b8963
- [SHA256] - SHA-256 hashes for Qakbot artifacts - cb83a65a625a69bbae22d7dd87686dc2be8bd8a1f8bb40e318e20bc2a6c32a8e, 197ee022aa311568cd98fee15baf2ee1a2f10ab32a6123b481a04ead41e80eee
Read more: https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/