Qakbot has resurfaced after the “Duck Hunt” disruption and is being delivered via phishing emails carrying malicious PDFs that fetch an MSI installer, which in turn contains a patched Internet Download Manager (IDM) DLL with the malware embedded. The campaign unpacks a memory-resident second stage using VirtualAlloc/VirtualProtect, runs it through rundll32.exe as a DLL copied to AcrobatAC.dll, hollows a suspended wermgr.exe to host the final payload, stores RC4-encrypted data in the registry and attempts C2 connections. #Qakbot #Microsoft

Keypoints

  • Qakbot reappeared after the “Duck Hunt” disruption and is currently being distributed in small-scale phishing campaigns targeting the hospitality sector.
  • Delivery chain: phishing email → malicious PDF → MSI downloader which contains a patched Internet Download Manager (IDM) DLL embedding Qakbot.
  • The embedded DLL is protected with a custom packer and is unpacked in memory using VirtualAlloc() and VirtualProtect(); the second stage never touches disk, and the in-memory copy lacks the MZ header that some EDR scans key on.
  • The MSI drops a temp installer that invokes rundll32.exe to execute a copied DLL named AcrobatAC.dll using the export EditOwnerInfo, while showing decoy Acrobat/error windows.
  • The malware launches wermgr.exe in a suspended state and performs process hollowing to load the final Qakbot payload into that process.
  • Post-compromise behavior includes creating a registry key containing RC4-encrypted victim/system data, timestamp and C2 details, and attempting C2 connections (which were offline during analysis).
  • Two MD5 hashes for the observed Qakbot samples are provided as IoCs; K7 Labs reports detection coverage for them.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Phishing emails delivered malicious PDFs that initiate the chain. (‘malicious PDFs which were spread through phishing mails.’)
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The MSI invokes rundll32.exe to execute the malicious DLL in a hidden window. (‘drops an installer temp file which passes the command line to invoke rundll32.exe and hides the window to run in background.’)
  • [T1055] Process Injection – As mapped by the source; the behaviour described is in-process unpacking: the DLL writes the decoded payload into memory obtained with VirtualAlloc(), makes it executable with VirtualProtect() and runs it from there, so no scannable file is ever written to disk. The cross-process step is the T1055.012 hollowing below. (‘It uses VirtualAlloc() to allocate memory to unpacked code and VirtualProtect() to change the protection on a memory region.’)
  • [T1055.012] Process Hollowing – The threat actor injects malicious code into a suspended wermgr.exe process to run the final payload. (‘Process Hollowing technique to inject malicious code into the suspended process of Windows Error Manager.’)
  • [T1112] Modify Registry – Qakbot creates registry keys containing encrypted victim/system information, installation timestamp and C2 info. (‘creates a registry key with RC4 encrypted data of victim system information, timestamp of installation and C2 information’)
  • [T1071] Application Layer Protocol (Command and Control) – The malware attempts to contact C2 servers in the background from the hollowed process. (‘Qakbot tries to make a C2 connection in the background when the victim believes wermgr.exe is running.’)

Indicators of Compromise

  • [File hashes] MD5 of the observed Qakbot samples – 723DAE8ED3F157E40635681F028328E6, 88BBF2A743BAAF81F7A312BE61F90D76
  • [File names] Executed and dropped binaries – AcrobatAC.dll, wermgr.exe

The technical chain begins with phishing emails that deliver malicious PDFs; those PDFs download an MSI which contains a patched Internet Download Manager (IDM) DLL embedding Qakbot. The embedded DLL is protected with a custom packer. During analysis it was unpacked by monitoring VirtualAlloc() and VirtualProtect() calls and dumping the in-memory second-stage loader; because the dumped region had no MZ header, the PE was reconstructed by adding one before it could be parsed. Running the stage from memory in this form means no PE header is ever written to disk, which sidesteps EDR checks that key on on-disk MZ headers.
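The header repair mentioned above is a routine step whenever a loader stores its next stage without a DOS stub. The script below is an added example, not K7 Labs' tooling: it scans a raw memory dump for a plausible NT header (the `PE\0\0` signature plus sane COFF and optional-header fields), carves `SizeOfImage` bytes from the enclosing page and writes back the two fields a PE parser needs, `MZ` and `e_lfanew`. It assumes the payload was mapped at a page-aligned address and that only the DOS header was wiped; the sample dump it builds is a headers-only x64 image constructed for the demo, not a real binary.

```python
"""Recover a PE image whose DOS/MZ header was wiped, from a raw memory dump.

Added example, not K7 Labs' tooling. Assumptions: the payload was mapped at a
page-aligned address and only its DOS header is missing, so a sane NT header
('PE\\0\\0' plus COFF/optional header fields) is still present in memory.
"""
import struct

PE_SIG = b"PE\x00\x00"
E_LFANEW = 0x3C
PAGE = 0x1000
KNOWN_MACHINES = {0x014C, 0x8664, 0xAA64}   # IMAGE_FILE_MACHINE_I386 / AMD64 / ARM64
OPT_SIZES = {0xE0: 0x10B, 0xF0: 0x20B}      # SizeOfOptionalHeader -> PE32 / PE32+ magic


def looks_like_pe(buf: bytes, off: int) -> bool:
    """Reject random 'PE\\0\\0' hits by validating the COFF and optional headers."""
    if buf[off:off + 4] != PE_SIG or off + 24 + 0x3C > len(buf):
        return False
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, off + 4)
    if machine not in KNOWN_MACHINES or not 1 <= nsect <= 96:
        return False
    return OPT_SIZES.get(opt_size) == struct.unpack_from("<H", buf, off + 24)[0]


def find_pe_headers(dump: bytes) -> list[int]:
    """Offsets of plausible NT headers, found without relying on the MZ stub."""
    hits, pos = [], dump.find(PE_SIG)
    while pos != -1:
        if looks_like_pe(dump, pos):
            hits.append(pos)
        pos = dump.find(PE_SIG, pos + 1)
    return hits


def rebuild_image(dump: bytes, pe_off: int) -> bytes:
    """Carve SizeOfImage bytes from the page containing the NT header and
    restore the two fields a PE parser needs: 'MZ' and e_lfanew."""
    base = pe_off & ~(PAGE - 1)                       # assumption: page-aligned mapping
    size_of_image = struct.unpack_from("<I", dump, pe_off + 24 + 0x38)[0]
    size_of_image = size_of_image or (len(dump) - base)   # field zeroed: take the rest
    img = bytearray(dump[base:base + size_of_image])
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, pe_off - base)
    return bytes(img)


def recover(dump: bytes) -> list[bytes]:
    """Every carved image in the dump, ready for pefile/IDA/Ghidra."""
    return [rebuild_image(dump, off) for off in find_pe_headers(dump)]


def build_sample_dump() -> bytes:
    """Constructed input (not a real binary): zero padding, then a headers-only
    x64 image whose DOS header was zeroed, as a loader might leave it."""
    e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 0x38, PAGE)           # SizeOfImage
    sect = b".text".ljust(40, b"\x00")
    image = (bytes(e_lfanew) + PE_SIG + coff + bytes(opt) + sect).ljust(PAGE, b"\x00")
    return bytes(2 * PAGE) + image + bytes(0x100)


if __name__ == "__main__":
    for img in recover(build_sample_dump()):
        lfanew = struct.unpack_from("<I", img, E_LFANEW)[0]
        print(f"rebuilt {len(img):#x} bytes, e_lfanew={lfanew:#x}, sig={img[lfanew:lfanew + 4]!r}")
```

Point the script at a region dumped from the VirtualAlloc'd address (or at a full process dump) and feed each recovered image to pefile; if a loader has also zeroed `SizeOfImage` or relocated the header away from the page start, the carved size and base need to be taken from the section table instead.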

At runtime the MSI drops a temporary installer and launches rundll32.exe with hidden-window flags to execute a self-copied DLL named AcrobatAC.dll via the export EditOwnerInfo; the DLL displays decoy Acrobat/error windows while creating wermgr.exe (Windows Error Reporting Manager) in a suspended state. The DLL then performs process hollowing against the suspended wermgr.exe to map the final Qakbot payload into that process; the unpacked PE dumped from wermgr.exe matched the final payload.
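Process-creation telemetry cannot see the hollowing itself (that needs API-level hooks on NtUnmapViewOfSection/WriteProcessMemory or similar), but it does see both ends of the chain above: rundll32.exe loading a DLL by export from a user-writable path, and wermgr.exe whose parent is that rundll32 rather than its service host. The script below is an added example, not K7 Labs' detection content: it runs two per-event rules over Sysmon-style records and then correlates them by PID. The DLL path, PIDs, the temp-installer parent name and the other events are constructed sample data, and the allowlist of expected wermgr.exe parents is an assumption to tune against your own baseline.

```python
"""Flag the rundll32 -> wermgr.exe chain in process-creation logs.

Added example, not K7 Labs' detection content. Works on Sysmon Event ID 1 /
EDR-style records reduced to a few fields. The DLL path, PIDs and parent names
are constructed sample data; the allowlist of expected wermgr.exe parents is an
assumption to tune against your own baseline.
"""
import re
from typing import Optional

# rundll32 [path\]name.dll,Export   (also accepts a quoted DLL path)
RUNDLL_ARGS = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "werfault.exe", "wermgr.exe"}   # assumption

# Constructed sample events (not from the K7 report). Field names follow Sysmon.
EVENTS = [
    {"ProcessId": 5312, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\Installer\MSI7A3.tmp",      # placeholder for the temp installer
     "CommandLine": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\AcrobatAC.dll",EditOwnerInfo'},
    {"ProcessId": 5400, "ParentProcessId": 5312,
     "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe"},
    {"ProcessId": 6000, "ParentProcessId": 812,                # benign control-panel launch
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ProcessId": 6100, "ParentProcessId": 1020,               # benign WER upload
     "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wermgr.exe -upload"},
]


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rundll32_from_user_writable(ev: dict) -> Optional[dict]:
    """rundll32 loading a DLL by export from a user-writable directory."""
    if basename(ev["Image"]) != "rundll32.exe":
        return None
    m = RUNDLL_ARGS.match(ev["CommandLine"])
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    if any(tok in dll.lower() for tok in USER_WRITABLE):
        return {"rule": "rundll32_user_writable_dll", "pid": ev["ProcessId"],
                "dll": dll, "export": export}
    return None


def wermgr_unusual_parent(ev: dict) -> Optional[dict]:
    """wermgr.exe started by something other than its service host."""
    if basename(ev["Image"]) != "wermgr.exe":
        return None
    parent = basename(ev["ParentImage"])
    if parent in EXPECTED_WERMGR_PARENTS:
        return None
    return {"rule": "wermgr_unusual_parent", "pid": ev["ProcessId"], "parent": parent}


def detect(events: list) -> list:
    """Per-event rules first, then the cross-event correlation (hollowing target
    spawned by the flagged rundll32), which is the high-confidence signal."""
    alerts, flagged = [], {}
    for ev in events:
        for rule in (rundll32_from_user_writable, wermgr_unusual_parent):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
                if hit["rule"] == "rundll32_user_writable_dll":
                    flagged[ev["ProcessId"]] = hit
    for ev in events:
        parent = flagged.get(ev["ParentProcessId"])
        if parent and basename(ev["Image"]) == "wermgr.exe":
            alerts.append({"rule": "qakbot_like_hollowing_chain", "rundll32_pid": parent["pid"],
                           "wermgr_pid": ev["ProcessId"], "dll": parent["dll"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The per-event rules will fire on their own for other loaders that abuse rundll32 or spawn wermgr.exe; the correlated alert is the one worth paging on, and PID reuse means the correlation should additionally be bounded by time in a production rule.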

After successful injection the malware creates a registry key storing RC4-encrypted data containing victim system information, the installation timestamp and C2 configuration, then attempts outbound C2 connections from the hollowed process (the C2 servers were offline during the lab analysis). Provided IoCs are the two sample hashes listed above and the filenames observed in the kill chain.
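When such a registry value is pulled from an infected host, the first question is whether a candidate key decrypts it. The script below is an added example, not K7 Labs' code: a plain RC4 implementation plus a small triage helper that tries candidate keys and keeps the first whose output is mostly printable text. The report gives neither the key derivation nor the record layout, so the key, the delimiter-separated record and the C2 address in the sample are constructed assumptions; the RC4 routine itself is checked against the published "Key"/"Plaintext" test vector.

```python
"""Decrypt an RC4-encrypted registry blob of the kind the report describes.

Added example, not K7 Labs' code. The page says the value holds RC4-encrypted
system information, an installation timestamp and C2 details but does not give
the key; key derivation, the record layout and the sample data below are all
constructed assumptions.
"""
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(buf: bytes) -> float:
    """Share of bytes that are printable ASCII; a cheap 'did the key work' score."""
    if not buf:
        return 0.0
    return sum(32 <= b < 127 for b in buf) / len(buf)


def try_keys(blob: bytes, candidates: list, threshold: float = 0.9) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, plaintext) for the first candidate whose output is mostly text."""
    for key in candidates:
        plain = rc4(key, blob)
        if printable_ratio(plain) >= threshold:
            return key, plain
    return None


# Constructed sample: hypothetical key and record; the real Qakbot layout is not
# given on the page. 203.0.113.10 is a documentation address.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_RECORD = b"host=LAB-PC01;user=victim;installed=1711111111;c2=203.0.113.10:443"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_RECORD)      # what a registry value might hold


if __name__ == "__main__":
    found = try_keys(SAMPLE_BLOB, [b"wrong-key", SAMPLE_KEY])
    print(found)
```

In practice the candidate list comes from the sample itself (strings, the key-derivation routine located in the unpacked payload, host-specific values the loader reads) and the printable check should be replaced by a parser for the record format once it is known; the threshold approach only tells you that a key is worth a closer look.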

Read more: https://labs.k7computing.com/index.php/qakbot-returns/