Qakbot infection with Cobalt Strike and VNC activity

A Windows host was infected with Qakbot (Qbot) on 2022-03-14, with Cobalt Strike and VNC remote-access activity appearing about 17 hours later. The incident highlights the obama166 distribution tag, the DLLs downloaded during infection, and notable changes in Qakbot’s persistence and data handling. #Qakbot #CobaltStrike #VNC #obama166

Keypoints

  • Infection timeline: Qakbot infection on 2022-03-14 with Cobalt Strike and VNC activity observed ~17 hours after compromise.
  • Distribution tag: DLLs used for Qakbot infections include the obama166 distribution tag.
  • Infection chain: email lure leading to a zip download, an Excel macro, and subsequent DLL payloads downloaded for Qakbot.
  • C2 and beaconing: Cobalt Strike and VNC beacon traffic appear, with VNC module traffic and a period of data exchange, though no Cobalt Strike/VNC binaries remained on the host.
  • Persistence changes: the Run-key and scheduled-task persistence seen in older Qakbot samples is not consistently observed here; unlike previous campaigns, the infection did not survive a reboot or logout.
  • IOCs and artifacts: multiple URLs, IPs, domains, file hashes, and named files/dlls associated with the infection are documented (including ZIP and DLL artifacts and VNC/C2 activity).

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing Link – “Downloading a zip archive from link in an email.”
  • [T1059.005] Visual Basic – “Traffic generated by Excel macro for Qakbot DLL files.”
  • [T1117] Regsvr32 – “Run method: regsvr32.exe [filename].”
  • [T1547.001] Boot or Logon Autostart – Registry Run Keys/Startup Folder – “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and related registry update.
  • [T1021.005] Remote Services – VNC – “VNC module traffic: 45.153.241[.]142 port 443 – encoded/encrypted traffic and beacon channels.”
  • [T1071.001] Web Protocols – “Qakbot C2 traffic: 201.170.181[.]247 port 443 – HTTPS traffic” and “port 443 – www.openssl[.]org – HTTPS traffic (connectivity check).”
  • [T1053.005] Scheduled Task – “Earlier this year, Qakbot samples created a scheduled task that pointed to an additional registry update with base64 code used to re-create the Qakbot binary after a reboot.”

Indicators of Compromise

  • [URL] context – hxxp://eaglio[.]org/apm/3/s2Fmok83x.zip, hxxp://101.99.95[.]190/6537991.dat, hxxp://146.70.81[.]64/6537991.dat, hxxp://190.14.37[.]12/6537991.dat
  • [Domain] context – runfs[.]icu (Cobalt Strike); www.openssl[.]org (connectivity check)
  • [IP] context – 201.170.181[.]247 port 443; 23.111.114[.]52 port 65400; 76.169.147[.]192 port 32103; 103.87.95[.]131 port 2222; 86.98.27[.]253 port 443; various IPs
  • [FileHash] context – ba80720c42704e8e1a73e60906f6f289ba763365c8f6b16ccf47aac8a687b83e; 5a6157eefc8d0b1089a5bfdee351379b27baff4c40b432fd22e0cbe1f6102fab; 47fe3cbab19b43579e3312d90f7a8c7021c84e228e7c8ef97d39a1a7a261ea01; 8751f8aedc65a10826071515b4b7896a8800152b8e3bcbbe9e8a64970deb9b49; 7312353bab71ecefec6888bb804afd71f67178ded4ce41960924d3d6f7400320; 7264fc1e81ff854b769f8e19ced247fb95210a58ddd5edce4a6275ddc38e5298
  • [FileName] context – ClaimDetails-1699343128-Mar-14.zip; ClaimDetails-1699343128-Mar-14.xlsb; BiloaDopaters1.ocx; BiloaDopaters2.ocx; BiloaDopaters3.ocx; Hezukybbcdipimaxckk.dll
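The indicators above are defanged (hxxp, [.]) so they cannot be clicked by accident, which also means they will not match raw proxy logs as written. The following script is an added example, not part of the ISC diary: it refangs the URL, domain and IP indicators listed on this page, then sweeps a constructed set of proxy log lines (the log format and the 203.0.113.x destination addresses are assumptions for the example) and reports which lines matched and why. www.openssl[.]org is deliberately left out of the indicator set because the diary describes it as a benign connectivity check.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the diary summary.
DEFANGED_URLS = [
    "hxxp://eaglio[.]org/apm/3/s2Fmok83x.zip",
    "hxxp://101.99.95[.]190/6537991.dat",
    "hxxp://146.70.81[.]64/6537991.dat",
    "hxxp://190.14.37[.]12/6537991.dat",
]
DEFANGED_DOMAINS = ["runfs[.]icu"]  # www.openssl[.]org omitted: benign connectivity check
DEFANGED_IPS = [
    "201.170.181[.]247", "23.111.114[.]52", "76.169.147[.]192",
    "103.87.95[.]131", "86.98.27[.]253", "45.153.241[.]142",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    ioc = ioc.strip()
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":").lower()


def host_of(url: str) -> str:
    """Extract the host from a full URL or from a CONNECT-style 'host:port' target."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def build_indicator_sets():
    urls = {refang(u) for u in DEFANGED_URLS}
    hosts = {host_of(u) for u in urls} | {refang(d) for d in DEFANGED_DOMAINS}
    ips = {refang(i) for i in DEFANGED_IPS}
    return urls, hosts, ips


# Assumed proxy log format (constructed for this example):
# <timestamp> <client_ip> <destination_ip> <method> <url-or-connect-target> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)

# Constructed sample log lines; non-indicator destination IPs use the 203.0.113.0/24 documentation range.
SAMPLE_LOG = [
    "2022-03-14T13:02:11Z 10.0.0.25 203.0.113.10 GET http://eaglio.org/apm/3/s2Fmok83x.zip 200",
    "2022-03-14T13:05:40Z 10.0.0.25 101.99.95.190 GET http://101.99.95.190/6537991.dat 200",
    "2022-03-14T13:06:02Z 10.0.0.25 203.0.113.20 CONNECT www.openssl.org:443 200",
    "2022-03-15T06:10:33Z 10.0.0.25 45.153.241.142 CONNECT 45.153.241.142:443 200",
    "2022-03-15T06:12:01Z 10.0.0.31 203.0.113.30 GET http://example.com/index.html 200",
]


def scan_proxy_log(lines):
    """Return one hit per log line that matches an indicator, with the reasons it matched."""
    urls, hosts, ips = build_indicator_sets()
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url").lower()
        host = host_of(url)
        dst = m.group("dst")
        reasons = []
        if url in urls:
            reasons.append("url")
        if host in hosts or host in ips:
            reasons.append("host")
        if dst in ips or dst in hosts:
            reasons.append("dst_ip")
        if reasons:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "url": m.group("url"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']} matched on {', '.join(hit['reasons'])}")
```

Matching on the destination IP as well as the URL host catches the VNC/C2 connections, which appear only as CONNECT targets or bare IP addresses rather than as full URLs; the bare-host branch of host_of is what makes those lines comparable to the refanged indicators.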

Read more: https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/