EclecticIQ details a QakBot phishing campaign that bypasses Windows Mark of the Web (MoTW) using an unpatched vulnerability, enabling malware installation. The campaign leverages LOLBINS like Regsvr32 and WScript, delivers payloads via encrypted ZIP/ISO, and culminates in a QakBot Loader with a malformed signature to evade security features. #QakBot #MoTW #ZeroDayVulnerability #Regsvr32
Keypoints
- QakBot phishing campaigns leverage an unpatched vulnerability to bypass MoTW and potentially increase infection rates.
- Phishing emails contain a malicious URL that leads to an encrypted ZIP archive, which contains an ISO image, which in turn contains a JavaScript loader (WW.js) that executes QakBot.
- The QakBot Loader uses a malformed digital signature to bypass MoTW and Windows warnings.
- Living Off the Land Binaries (LOLBINs) such as Regsvr32.exe and WScript.exe are abused to run QakBot components.
- QakBot injects into wermgr.exe (process injection) and uses obfuscation and XOR/API hashing to evade detection.
- C2 communications use JSON with RC4-encrypted, Base64-encoded payloads; QakBot checks connectivity and can serve as an initial access point for ransomware.
- Observed IoCs include specific file names and their SHA-256 hashes associated with the loader chain.
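The C2 message format described above (a JSON object, RC4-encrypted, then Base64-encoded) is the kind of layering an analyst has to peel back when examining captured traffic in the lab. The following is an added example, not code from the EclecticIQ report or from QakBot itself: a small analyst-side decoder that reverses the three layers and flags the usual symptom of a wrong key (decrypted bytes that are not JSON). The RC4 key, the JSON field names and the sample beacon are constructed assumptions, since the page does not state how QakBot derives its key or what its fields are named.

```python
import base64
import json

# Placeholder key: the page does not state how QakBot derives its RC4 key,
# so this value is a constructed assumption for the demonstration only.
ASSUMED_RC4_KEY = b"lab-placeholder-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_message(payload: dict, key: bytes) -> str:
    """Build a message in the layered form the page describes: JSON -> RC4 -> Base64.
    Used here only to construct a sample for the decoder below."""
    plaintext = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap_message(blob: str, key: bytes) -> dict:
    """Analyst-side decoder: Base64 -> RC4 -> JSON.
    Raises ValueError if any layer does not parse; for the JSON layer that is
    the usual sign that the key being tried is wrong."""
    try:
        raw = base64.b64decode(blob, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("not valid Base64") from exc
    plaintext = rc4(key, raw)
    try:
        return json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("decrypted bytes are not JSON (wrong key?)") from exc


# Constructed sample beacon; the field names are invented for this demo and are
# not QakBot's real field names.
SAMPLE_BEACON = {"bot_id": "LAB-0001", "cmd": 0, "os": "Windows 10"}
SAMPLE_BLOB = wrap_message(SAMPLE_BEACON, ASSUMED_RC4_KEY)


def decode_sample() -> dict:
    """Decode the constructed sample with the assumed key."""
    return unwrap_message(SAMPLE_BLOB, ASSUMED_RC4_KEY)


def wrong_key_is_rejected() -> bool:
    """Show that a wrong key surfaces as a parse failure rather than silent garbage."""
    try:
        unwrap_message(SAMPLE_BLOB, b"not-the-key")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("encoded blob:", SAMPLE_BLOB)
    print("decoded     :", decode_sample())
    print("wrong key rejected:", wrong_key_is_rejected())
```

In practice the key is the hard part: it has to be recovered from the sample (for example from the loader's configuration or by instrumenting the decryption routine), after which `unwrap_message` can be run over every Base64 body seen in the capture to separate beacons and tasking from unrelated traffic.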
MITRE Techniques
- [T1204.001] User Execution – Malicious Link – Used via phishing emails with a malicious URL inside. Quote: ‘The threat actor distributes QakBot using phishing emails with a malicious URL inside.’
- [T1218.010] System Binary Proxy Execution – Regsvr32 – Regsvr32 used to load the QakBot DLL. Quote: ‘When a user clicks on the WW.js, it will use Regsvr32.exe (2) to load the QakBot DLL.’
- [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript loader WW.js used to execute QakBot DLL. Quote: ‘final QakBot Loader (WW.js) … as a JavaScript format which can be executed by a simple user click.’
- [T1566.002] Phishing: Spearphishing Link – Phishing emails with malicious URL deliver QakBot. Quote: ‘The threat actor distributes QakBot using phishing emails with a malicious URL inside.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications over web protocols. Quote: ‘C2 protocol uses JSON object encapsulation with a RC4 Encrypted message which is encoded with Base64.’
- [T1055.012] Process Injection: Process Hollowing – Injects into the legitimate Windows Error Reporting process (wermgr.exe). Quote: ‘QakBot injects itself inside the legitimate Windows Error Reporting process (wermgr.exe) to evade behavior based anti-malware solutions.’
- [T1027] Obfuscated Files or Information – XOR encryption to hide strings. Quote: ‘The XOR encryption algorithm to hide its strings for minimizing AV detection.’
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Dynamic API Resolution to evade detection. Quote: ‘Windows API Hashing (Dynamic API Resolution) to evade signature-based anti-malware scanners.’
- [T1082] System Information Discovery – Gathering victim computer information via C2. Quote: ‘gathering victim computer information upon the attacker’s request through a C2 server.’
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via Scheduled Task. Quote: ‘Scheduled Task/Job: Scheduled Task.’
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – System checks to detect virtualization/sandbox. Quote: ‘Virtualization/Sandbox Evasion: System Checks.’
- [T1047] Windows Management Instrumentation – Use of WMI. Quote: ‘Windows Management Instrumentation’
Indicators of Compromise
- [File Name] – QakBot loader artifacts observed in the campaign – resemblance.tmp, UY76.img, WW.js, Injected-QakBot-dll
- [SHA-256 Hash] – QakBot file hashes – 8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274, 26f5bc698dfec8e771b781dc19941e2d657eb87fe8669e1f75d9e5a1bb4db1db, c5df8f8328103380943d8ead5345ca9fe8a9d495634db53cf9ea3266e353a3b1, 6fb41b33304b65e6e35f04e8cc70f7a24cd36e29bbb97266de68afcf113f9a5f