Keypoints
- Qakbot campaigns deliver their initial access vector via malspam carrying PDF, HTML (HTML smuggling), OneNote, ZIP, and XLL files that unpack obfuscated JS/WSF/MSI to run downloaders.
- Downloaders typically execute obfuscated JavaScript or WSF that runs base64- or hex-encoded PowerShell or an XMLHTTP request to fetch the Qakbot payload.
- Persistence is achieved with scheduled tasks (runs every 10 minutes) and registry run keys; XLL samples drop 1.dat/2.dat which are combined into 3.dat containing the PE payload.
- Defense-evasion techniques include obfuscation, file deletion (self-cleaning PowerShell), indirect command execution via conhost.exe, DLL side-loading/search-order hijacking, hidden files, and process injection.
- Payload unpacking uses VirtualAlloc; resources contain COMPONENT_07 (encrypted campaign ID) and COMPONENT_08 (encrypted C2 config), decrypted with RC4 keys validated via SHA-1.
- C2 configurations are encoded in hex and converted byte-by-byte to decimal IPs and port values (example: 58 7E 5E 04 -> 88.126.94.4; C3 50 -> 50000).
- Network analysis shows global C2 activity with spikes in March–April 2023 and sizable transaction volumes between international C2 nodes.
MITRE Techniques
- [T1566] Phishing – Initial delivery via malspam emails carrying malicious PDF/HTML/OneNote/ZIP attachments ("MalSpam -> PDF/HTML/OneNote/ZIP").
- [T1204] User Execution – Victims are tricked into running the downloaded files (JS/WSF/XLL/MSI); the article notes files named like "Invoice" to "deceive users into executing the file".
- [T1059] Command and Scripting Interpreter – Obfuscated JS and PowerShell execute the download and payload stages ("executing a Powershell command").
- [T1047] Windows Management Instrumentation – Listed among the execution techniques in the campaign analysis ("Windows Management Instrumentation").
- [T1053.005] Scheduled Task – Persistence via scheduled tasks that run the Qakbot payload periodically ("scheduled tasks to execute the Qakbot payload every 10 minutes").
- [T1547.001] Registry Run Keys / Startup Folder – Qakbot creates registry keys holding encoded PowerShell commands for execution ("creates a registry key and adds the base64 encoded Powershell command into the registry key using the reg.exe command line tool").
- [T1027] Obfuscated Files or Information – Multiple stages are obfuscated (JS, WSF, hex/base64 encoding) to hide behavior ("obfuscated JS file", "hex-encoded XMLHTTP request").
- [T1070.004] File Deletion – The MSI contained a self-deletion PowerShell script to erase traces after execution ("a self-deletion PowerShell script was incorporated").
- [T1112] Modify Registry – The malware writes encoded commands and persistence data into registry entries ("adds the base64 encoded Powershell command into the registry key").
- [T1202] Indirect Command Execution – Qakbot uses conhost.exe as a proxy to execute commands indirectly ("conhost.exe as a proxy binary to bypass defensive measures").
- [T1574.002] DLL Side-Loading – Attack chains load hidden DLLs to execute malicious code (EXE -> hidden DLL -> curl download) ("DLL side loading technique").
- [T1574.001] DLL Search Order Hijacking – The analysis lists DLL search order hijacking among the techniques used to load malicious libraries ("DLL Search Order Hijacking").
- [T1564.001] Hidden Files and Directories – Payload fragments (1.dat/2.dat) are dropped into AppData and combined into 3.dat to hide the PE ("drops two files, '1.dat' and '2.dat', into the Users\User\AppData\Roaming directory").
- [T1055] Process Injection – Process injection is listed among the defense-evasion techniques observed in samples ("Process Injection").
- [T1218] System Binary Proxy Execution – Use of system binaries (conhost.exe) to proxy execution is recorded ("System Binary Proxy Execution", "conhost.exe as a proxy binary").
- [T1003] OS Credential Dumping – Qakbot's goals include credential harvesting, with OS credential dumping techniques used to obtain sensitive credentials ("stealing financial data and login credentials from web browsers").
- [T1555.003] Credentials from Web Browsers – Qakbot specifically targets browser-stored credentials for theft ("stealing ... login credentials from web browsers").
- [T1016] System Network Configuration Discovery – Network discovery is part of the reconnaissance used for target identification ("System Network Configuration Discovery").
- [T1071] Application Layer Protocol – C2 communications use application-layer protocols as part of the command-and-control configuration ("Application Layer Protocol").
- [T1095] Non-Application Layer Protocol – Non-application-layer C2 protocols are also enumerated for command-and-control communications ("Non-Application Layer Protocol").
Indicators of Compromise
- [File Hashes] MD5 examples from campaign samples – c986136d713f71449ad8ba970379d306 (malicious PDF downloader), 68781578b0b58e21177c7b71f9b85567 (malicious XLL), and many other MD5s listed.
- [Domains / URLs] Download and staging URLs – 85.239.52[.]29/ONT.php (PDF downloader), http[:]//jbdata.com.ng/uq/uq.php?88748 (HTML smuggling URL), plus numerous other hosting URLs.
- [IP Addresses] Staging and payload hosts – 77.91.100[.]135/aSxBaqnfj98.dat and 45.155.37[.]101/a2nZbs476.dat observed as WSF download hosts; additional C2 IPs appear in the listings.
- [C2 IP:Port] Example parsed from the decrypted config – 88.126.94.4:50000 (hex 58 7E 5E 04 -> 88.126.94.4; C3 50 -> 50000), used to illustrate C2 decoding.
- [File names / extensions] Abused file types and dropped fragments – 1.dat / 2.dat / 3.dat (XLL drop-and-merge fragments); example XLL, WSF, JS, HTA, MSI, ZIP and OneNote files used in the chains.
- [File paths] Drop location used by samples – Users\User\AppData\Roaming (where the .dat fragments are written before merging and execution).
Qakbot attack chains observed March–May 2023 follow a multi-stage downloader model: malspam delivers malicious PDFs, HTML (HTML smuggling), OneNote files, ZIPs or XLL add-ins that unpack obfuscated JS/WSF/MSI/HTA. Those scripts create registry entries or scheduled tasks and execute base64- or hex-encoded PowerShell or XMLHTTP requests to fetch the next stage; for example, the JS/WSF writes a registry key holding a base64 PowerShell command via reg.exe, or performs an XMLHTTP request to download the payload. XLL samples drop two fragments (1.dat, 2.dat) into %AppData%, which are concatenated into 3.dat containing the PE, and scheduled tasks are created to run the payload every 10 minutes to maintain persistence.
On the binary side, Qakbot unpacking allocates memory with VirtualAlloc and locates two resource components in the Bitmap section: COMPONENT_07 (encrypted campaign ID) and COMPONENT_08 (encrypted C2 configuration). The sample XOR-obfuscates many strings and uses a static hardcoded key in .DATA (the SHA-1 of the key) as the RC4 key; analysts perform RC4 decryption validated by SHA-1, then a second RC4 pass on Component_08 to reveal the hex-encoded C2 entries. The C2 format uses a leading separator byte (01), a SHA-1 validation field, a 20-byte new RC4 key, then encrypted config bytes in which IPs and ports are encoded as hex bytes and converted to decimal (e.g., 58 7E 5E 04 -> 88.126.94.4, C3 50 -> 50000).
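As an added example (not code from the report summarised here, nor from the Qakbot sample), the following Python config-extraction routine models the two-layer RC4/SHA-1 scheme described above and in the key points, and decodes the C2 records into IP:port pairs. The exact framing (a 20-byte SHA-1 check preceding the data it covers, the embedded 20-byte key, one 0x01-separated 7-byte record per C2) and the static key are assumptions, and the sample blob is constructed in the block itself.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_checked(key: bytes, blob: bytes) -> bytes:
    """RC4-decrypt, then require the leading 20 bytes to be SHA-1 of the rest (assumed layout)."""
    plain = rc4(key, blob)
    if hashlib.sha1(plain[20:]).digest() != plain[:20]:
        raise ValueError("SHA-1 validation failed: wrong key or corrupt resource")
    return plain[20:]

def parse_c2_entries(data: bytes) -> list:
    """Walk 7-byte records: 0x01 separator, 4 IP bytes, 2-byte big-endian port."""
    entries = []
    for off in range(0, len(data) - 6, 7):
        rec = data[off:off + 7]
        if rec[0] != 0x01:
            break  # assumed: any other leading byte marks the end of the list
        ip = ".".join(str(b) for b in rec[1:5])       # 58 7E 5E 04 -> 88.126.94.4
        port = int.from_bytes(rec[5:7], "big")        # C3 50 -> 50000
        entries.append((ip, port))
    return entries

def extract_c2(component_08: bytes, static_key: bytes) -> list:
    """Layer 1 uses SHA-1(static key) as the RC4 key; layer 2 uses the embedded 20-byte key."""
    layer1 = rc4_checked(hashlib.sha1(static_key).digest(), component_08)
    inner_key, encrypted = layer1[:20], layer1[20:]
    return parse_c2_entries(rc4_checked(inner_key, encrypted))

def build_sample(static_key: bytes, inner_key: bytes, entries: bytes) -> bytes:
    """Constructed test vector (not a real resource) in the assumed two-layer framing."""
    inner = hashlib.sha1(entries).digest() + entries
    layer1 = inner_key + rc4(inner_key, inner)
    return rc4(hashlib.sha1(static_key).digest(), hashlib.sha1(layer1).digest() + layer1)

# Constructed: the page's example record 58 7E 5E 04 / C3 50, followed by a second record.
SAMPLE = build_sample(b"constructed-static-key", b"K" * 20,
                      bytes.fromhex("01 587E5E04 C350  01 0A000001 01BB"))
```

Calling `extract_c2(SAMPLE, b"constructed-static-key")` returns the decoded list; a wrong static key fails the first SHA-1 check instead of producing garbage IPs.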
Defense-evasion and execution techniques include obfuscated/encoded scripts, self-deleting MSI components, indirect command execution via system binaries (conhost.exe), DLL side-loading/search-order hijacking (the EXE loads a hidden DLL which uses curl to pull the final Qakbot payload), hidden files in AppData, and process injection capabilities. Network telemetry shows distributed C2 infrastructure with high transaction spikes in March–April 2023 and global C2 placement; detecting these cases requires monitoring for the chained behaviors (malspam -> staged downloader -> registry/task persistence -> RC4/SHA-1-validated resource decryption -> hex-decoded C2 resolution) rather than relying on single-file signatures.