Qakbot (QBot) is spread through multiple OneNote- and script-based channels: OneNote attachments, WSF, JS/JSE and HTA (HTML Application) files, each delivering a DLL payload that is executed via Rundll32 and often injected into another process. The campaigns rely on social engineering and obfuscated, scripted delivery chains to download and run Qakbot, which offers modular capabilities such as keylogging, credential theft and botnet functionality. #Qakbot #OneNote #PowerShell
Key Points
- Qakbot uses diverse distribution methods, notably malspam with OneNote attachments, ZIP-wsf, JS/JSE, and HTA/HTML Application payloads.
- In the OneNote delivery chain, an embedded BAT file is dropped and executed; it launches a PowerShell script that downloads the Qakbot DLL and runs it with Rundll32.
- The OneNote-based approach often hides malicious activity behind convincing cloud-message prompts to coax users into opening attachments.
- WSF-based delivery disguises the payload as a certificate file: a malicious JScript block is inserted between certificate blocks, and the DLL it downloads is executed via Rundll32.
- JSE and HTA variants extend the delivery chain by dropping encoded scripts that trigger BAT/PowerShell and DLL execution.
- Qakbot is modular and capable of keylogging, credential theft, network reconnaissance, botnet functionality, and ransomware deployment, with frequent code updates to evade detection.
MITRE Techniques
- [T1566] Spearphishing Attachment – “The delivery of Qakbot via OneNote attachments.” Quote: ‘The email’s subject line reads “RE: DRCP Hire- Success Story..” The attachment is named “Contracts – Copy.one”.’
- [T1204] User Execution – “The user opens the OneNote attachment, triggering the Qakbot infection process.” Quote: ‘The message is designed to deceive the user into double-clicking on it to view the attachment, which ultimately triggers the Qakbot infection process.’
- [T1059] Command and Scripting Interpreter – “embedded BAT file is dropped and executed, leading to the launch of a PowerShell script.” Quote: ‘a page appears… which ultimately triggers the Qakbot infection process’ and ‘This batch script launches an obfuscated PowerShell content’
- [T1218] Signed Binary Proxy Execution – “the DLL is executed using rundll32.exe.” Quote: ‘the downloaded file is not an actual GIF file but a DLL Qakbot executable file, which is subsequently run using “Rundll32.exe” with the “Wind” parameter.’
- [T1140] Deobfuscate/Decode Files or Information – “obfuscated PowerShell content” and “Encoded/Decoded JScript File.” Quote: ‘the obfuscated batch script and command file containing an URL to download a malware payload’ and ‘Figure 14 – Encoded/Decoded JScript File’
- [T1055] Process Injection – “the malware injects malicious code into ‘wermger.exe’.” Quote: ‘The process tree diagram of Qakbot reveals that, following the execution of the DLL file, the malware injects malicious code into “wermger.exe”.’
- [T1105] Ingress Tool Transfer – “The PowerShell script downloads a file in GIF format from the URL … using the Invoke-Webrequest command.” Quote: ‘Upon execution of the “i.cmd” file, it utilizes a PowerShell script to download a file in GIF format from the URL hxxps[:]//casualscollection[.]com/l2iy4Dn/09[.]gif by using the Invoke-Webrequest command.’
- [T1057] Process Discovery – “The process tree diagram…” Quote: ‘Below, you can see the process tree of Qakbot’s execution through the .wsf file.’
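The techniques above share one observable shape on the endpoint: rundll32.exe started beneath a document or script host (OneNote, wscript/cscript for WSF/JSE, mshta for HTA), usually through cmd.exe and PowerShell, and loading a module whose extension is not .dll (the .gif/.jpg payloads named in the IoCs). The following Python detector is an added example, not code from the original report; it walks constructed Sysmon-style process-creation events (the pids, paths and the "attachment.wsf" and "EntryPointPlaceholder" names are invented, while a8qZzTS.jpg, lwbYFO.dll, Open.bat and the "Wind" export come from the report) and flags rundll32 instances matching either condition.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Image names that, when found above rundll32.exe in the process tree, match the
# OneNote / WSF / JSE / HTA delivery chains described in the report.
SCRIPT_HOSTS = {"onenote.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Extensions rundll32 legitimately loads; anything else (.gif, .jpg, ...) is the
# "DLL disguised as an image" pattern from the report.
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}

# Constructed sample events (Sysmon Event ID 1 style); not taken from the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # OneNote chain: ONENOTE.EXE -> cmd.exe (Open.bat) -> powershell.exe -> rundll32.exe
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"ONENOTE.EXE" "C:\Users\u\Downloads\Contracts - Copy.one"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Open.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -c <obfuscated, omitted>"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\a8qZzTS.jpg,Wind"},
    # Benign rundll32 use launched from the shell
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # WSF chain: wscript.exe -> rundll32.exe (file name and export are placeholders)
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\attachment.wsf"'},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\lwbYFO.dll,EntryPointPlaceholder"},
]


@dataclass
class Finding:
    pid: int
    chain: List[str]                 # image basenames from rundll32 up to the root
    reasons: List[str] = field(default_factory=list)


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def _rundll32_module(cmdline: str) -> Optional[str]:
    """Return the module path passed to rundll32 (the text before the first comma)."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+(.+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    module = m.group(1).split(",", 1)[0].strip().strip('"')
    return module or None


def _ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Walk ppid links upward, stopping at a missing parent or a pid cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious_rundll32(events: List[dict]) -> List[Finding]:
    """Flag rundll32 processes that descend from a script/document host or load a non-DLL."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) != "rundll32.exe":
            continue
        chain = _ancestry(e["pid"], by_pid)
        reasons = []
        hosts = [p for p in chain[1:] if p in SCRIPT_HOSTS]
        if hosts:
            reasons.append(f"rundll32 descends from script/document host {hosts[0]}")
        module = _rundll32_module(e["cmdline"])
        if module and ntpath.splitext(module)[1].lower() not in DLL_EXTENSIONS:
            reasons.append(f"rundll32 loading module with non-DLL extension: {module}")
        if reasons:
            findings.append(Finding(e["pid"], chain, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rundll32(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {' <- '.join(f.chain)}")
        for r in f.reasons:
            print("   ", r)
```

The ancestry walk is what distinguishes this from a flat command-line match: the benign shell32.dll launch from explorer.exe is ignored, the OneNote chain is flagged on both conditions, and the WSF chain is flagged on parentage alone even though its module has a proper .dll extension. In production the same logic runs over real Sysmon or EDR process-creation telemetry, and the allowlist of extensions should be tuned to what rundll32 legitimately loads in your environment.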
Indicators of Compromise
- [SHA256] Spam Email – e0481af37fbb369ced2bff17468218b4676995b609fac1f96f604d93c55cfb5a
- [SHA256] OneNote Attachment – 82ea16ea858ac6b9580f604695ebeaf1f004ae882a7d0e48688c28d466662f10
- [SHA256] Open .Bat – 518518b0929911353cd7ab95d873e1fb290d8a494122cfb88e7f8bcf015576c8
- [SHA256] i.cmd – 5ade2a474118032ab353c7e835a0ca90669e690c997c8b374f94f408a9510b4e
- [SHA256] a8qZzTS.jpg (DLL file) – 7dd17b8cb0639732fe6929a5d7e1431fedae58acd401a7810afc0be8f9c42ad0
- [URL] hxxps[:]//casualscollection[.]com/l2iy4Dn/09[.]gif – URL used to download Qakbot DLL
- [SHA256] Spam Email – d80f18f5fc088c87905ee19c3f7b1dfd22920584913cc7b5925d64ad375e838f
- [SHA256] wsf Zip Attachment – 9981bf6ad64c2f48de970948b4dc6ca5e3e5f9ca8b86c2db921e032cd4a4c6cb
- [SHA256] wsf file – d13f70c241681df78ffa91ef105bfee069e78e7daa125cb7c47a50d34b234f12
- [SHA256] lwbYFO.dll (DLL file) – 4949b9d77f80cdb79f498b2def775dea9371dd08e2d66b4f513da35337af38c9
- [URL] hxxp://gkjdepok[.]org/crtfc/lwbYFO.dll – URL used to download Qakbot DLL
- [URL] hxxp[:]//104.236.1[.]43/YXF/150223[.]gif – URL used to download Qakbot DLL
- [SHA256] OneNote Attachment – eca50ee3c2ed694bf8b42a4e0eb14555c70c0d6186cc2dc863af8265c25ba4f1
- [SHA256] Open .jse – b0339e18da6fbea0c60e388e631de79a83e2bc20880d6b9624d4784465a330b7
- [SHA256] default.bat – b435653b9e1860cf38d78911eb7341c4b9c8e09af765b28a490ed269413eb2b1
- [SHA256] 150223.gif (GIF payload) – (included in process with GIF payload placeholder) – d80f18f5fc088c87905ee19c3f7b1dfd22920584913cc7b5925d64ad375e838f