Increase in Observations of Qakbot Malware 

eSentire observed a surge in Qakbot information-stealing malware incidents across multiple industries in early April 2023, with phishing emails delivering zip archives that contained a Windows script file (.wsf), a PDF, or an HTML file that uses HTML smuggling. In some incidents Cobalt Strike was retrieved immediately after initial access, enabling basic reconnaissance and raising the risk of ransomware delivery; detections and IoCs were shared to raise awareness and support remediation. Hashtags: #Qakbot #CobaltStrike

Keypoints

  • Surge in Qakbot incidents observed in the first week of April 2023 across various industries.
  • Qakbot is delivered via phishing with zip archives containing a Windows Script File (.wsf), a PDF, or an HTML file that uses HTML smuggling.
  • Early activity was blocked at initial file execution and at the PowerShell stage by eSentire MDR for Endpoint.
  • In later incidents, Qakbot retrieved Cobalt Strike immediately, with potential for reconnaissance and ransomware delivery.
  • Microsoft 365 security measures and a shift away from OneNote deliveries are noted as threat actors test new delivery methods.
  • IoCs include multiple IP addresses and file hashes associated with Qakbot and Cobalt Strike.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Phishing emails delivering zip archives that carry the payload as a Windows Script File (.wsf), a PDF, or an HTML file using HTML smuggling. “…phishing emails containing a Zip archive containing a Windows script file (.wsf), a PDF document, or an HTML file using the HTML smuggling method.”
  • [T1059.001] PowerShell – Used during the initial execution to reach domains associated with a Qakbot infection. “…PowerShell scripting stage, which involved a PowerShell script attempting to reach domains associated with a Qakbot infection.”
  • [T1105] Ingress Tool Transfer – Retrieval of additional tooling (Cobalt Strike) from a remote source, enabling further actions. “…a version of Qakbot that retrieved Cobalt Strike immediately.”

Indicators of Compromise

  • [IP Address] indicators – 23.81.246.2 (Cobalt Strike), 94.131.117.111 (Qakbot), and 5 more IPs
  • [File Hash] indicators – 6291579CD41491CC045D7E0ED05B9A3A72C5CCA6F74F8BDEBC1C85459C423B60, 8C8CF24571C836636A25040CE36EEA9036B0CC4F09DA14780ED2618A488FDFE8, and 2 more hashes
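The following is an added example, not content from the eSentire advisory or this summary: a small rule set, run over constructed endpoint telemetry, that flags the chain described in the MITRE Techniques and IoC sections (a .wsf from an extracted zip running under wscript.exe, PowerShell spawned by the script host, and a connection to one of the two IoC IPs quoted above). The event schema, rule names and sample paths are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Only the two IoC IPs quoted on this page; the "5 more" are not reproduced here.
IOC_IPS = {"23.81.246.2": "Cobalt Strike", "94.131.117.111": "Qakbot"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders where an archive opened from a mail client is typically extracted (assumption).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")

@dataclass
class Event:
    kind: str                  # "process" or "network" (constructed schema)
    image: str                 # full path of the process image
    parent: str = ""           # full path of the parent image
    cmdline: str = ""
    dest_ip: Optional[str] = None

def evaluate(events):
    """Return (rule_id, detail) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        img = e.image.rsplit("\\", 1)[-1].lower()
        parent = e.parent.rsplit("\\", 1)[-1].lower()
        cl = e.cmdline.lower()
        if e.kind == "process":
            # Rule 1: a .wsf launched by a script host from a user-writable folder
            if img in SCRIPT_HOSTS and ".wsf" in cl and any(p in cl for p in USER_WRITABLE):
                hits.append(("WSF_FROM_USER_DIR", e.cmdline))
            # Rule 2: PowerShell stage spawned by the script host
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                hits.append(("SCRIPT_HOST_SPAWNS_POWERSHELL", f"{parent} -> {img}"))
        elif e.kind == "network" and e.dest_ip in IOC_IPS:
            # Rule 3: outbound connection to an IP listed in the advisory
            hits.append(("IOC_IP_CONTACT", f"{e.dest_ip} ({IOC_IPS[e.dest_ip]})"))
    return hits

# Constructed sample telemetry (not real logs); 203.0.113.10 is a benign TEST-NET address.
SAMPLE = [
    Event("process", r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\System32\wscript.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_invoice.zip\invoice.wsf"'),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wscript.exe", cmdline="powershell.exe [constructed placeholder]"),
    Event("network", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", dest_ip="23.81.246.2"),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe", dest_ip="203.0.113.10"),
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE):
        print(rule, detail)
```

Rules 1 and 2 correspond to the two stages the page says were blocked (initial file execution and the PowerShell stage); rule 3 is the post-infection IoC match and should be expanded with the full IP list from the linked advisory.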

Read more: https://www.esentire.com/security-advisories/increase-in-observations-of-qakbot-malware