Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- Qakbot gained initial access through a phishing campaign whose attachments were macro-enabled documents posing as legitimate files.
- The samples relied heavily on PowerShell for execution and for establishing persistence (HKCU Run key entries, a repurposed Windows service, scheduled tasks).
- Lateral movement was carried out over SMB admin shares using harvested credentials, preceded by enumeration of network shares and hosts.
Executive Summary
In this technical analysis, we dissect a recent incident involving the Qakbot banking Trojan. Our investigation traced the attack chain from initial access to the actor's end objectives. The techniques observed illustrate how phishing-led intrusions continue to evolve: the actor relied on user interaction (enabling macros) and on permissive host configuration (unrestricted PowerShell, writable autostart locations) to deploy and spread the malware. Through examination of the samples and their C2 traffic, we documented the methods used for execution, persistence, and lateral movement within the compromised network.
Initial Access
During our investigation, we found that initial access was gained through a phishing email campaign. The emails carried malicious attachments disguised as legitimate documents. When a user opened an attachment and enabled its macro, the macro launched a PowerShell command that downloaded the actual Qakbot payload from a remote server. The dropped document was staged under the user's temporary directory (for example %TEMP%\malicious.doc), from which the malicious code executed.
Execution & Persistence
Following successful execution, the malware relied extensively on PowerShell. We tracked a series of commands used to establish persistence through registry modifications: the dropper wrote entries under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that the payload runs at every logon of the compromised user. Because this key is writable without administrative rights, persistence was achieved at the privilege level of the phished user alone. Additionally, the malware repurposed a legitimate Windows service so that it launched the embedded payload, which further obscured its presence among normal system activity.
Command and Control
Our analysis of the command and control (C2) communications showed that Qakbot uses a decentralized architecture, routing traffic through a tier of hard-to-attribute proxies before reaching its C2 servers. The malware beaconed every few minutes, sending system information including harvested user credentials, system architecture, and the running process list. We identified the domain example-c2-domain.com as an indicator of compromise (IOC) in these communications; the rotating proxy layer in front of it highlights the adaptive infrastructure behind the actor's operations.
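The "beacons every few minutes" observation is itself a detection opportunity: machine-driven check-ins have far more regular spacing than human browsing. The following script, an added example and not code from the original report, groups constructed proxy-log lines by source and destination, computes the intervals between connections, and flags pairs whose interval spacing has a low coefficient of variation. The log format, hosts, IP addresses, and thresholds are assumptions; example-c2-domain.com is the placeholder IOC named in the report.

```python
"""Beacon-interval analysis over constructed proxy log lines.

Added example, not from the original report. Log format, hosts, IPs and the
thresholds are assumptions; example-c2-domain.com is the report's placeholder IOC.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_CONNECTIONS = 6   # need enough samples before judging regularity
MAX_CV = 0.15         # coefficient of variation of intervals; low = machine-like timing


def parse_line(line: str):
    """'2024-03-11T09:00:00 10.0.0.57 example-c2-domain.com 443' -> (ts, src, dst)."""
    ts, src, dst, _port = line.split()
    return datetime.fromisoformat(ts), src, dst


def beacon_candidates(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return {(src, dst): (count, mean_interval_s, cv)} for (src, dst) pairs whose
    connection spacing is regular enough to look like a beacon."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)
    hits = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # relative spread of the intervals
        if cv <= max_cv:
            hits[pair] = (len(ts_list), round(mean), round(cv, 3))
    return hits


def _constructed_log():
    """Constructed sample: one host checking in every ~5 min with small jitter,
    another host reaching an intranet site at irregular, human-like times."""
    base = datetime(2024, 3, 11, 9, 0, 0)
    lines = []
    jitter = [0, 7, -5, 3, -8, 6, 2, -4, 9, -1]           # seconds, deterministic
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t.isoformat()} 10.0.0.57 example-c2-domain.com 443")
    irregular = [0, 40, 610, 620, 1900, 1905, 2400, 5000, 5010, 9000]
    for s in irregular:
        t = base + timedelta(seconds=s)
        lines.append(f"{t.isoformat()} 10.0.0.23 intranet.example.com 443")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for (src, dst), (n, mean, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} connections, every ~{mean}s, CV={cv}")
```

Two caveats when running this against real proxy or firewall logs: loaders commonly add deliberate jitter to their sleep interval, so MAX_CV has to be tuned against a baseline of known-good traffic rather than fixed, and legitimate agents (update checkers, monitoring) also beacon regularly, so the output is a hunting lead to be joined with destination reputation and process telemetry, not an alert on its own.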
Lateral Movement & Discovery
Once inside the environment, Qakbot exhibited behaviors consistent with lateral movement over SMB. The actor first enumerated network shares and reachable hosts, then used stolen credentials to connect to the administrative shares of additional machines; no SMB protocol vulnerability was exploited, the access relied on valid accounts. Mimikatz was used to harvest those credentials from compromised hosts. On each newly reached endpoint the malware created scheduled tasks, so that lateral movement left behind persistence as well as access.
Impact & Objectives
The objectives of this campaign were consistent with financial motivation. The malware's capabilities allowed it to siphon sensitive data, including banking credentials, which could be sold or used directly for fraud. Our analysis also showed that the actor sought to install additional payloads on the compromised hosts, using the established foothold as a launch point for follow-on intrusions.
MITRE ATT&CK Mapping
- T1566.001 – Phishing: Spearphishing Attachment: Initial access through phishing emails carrying malicious document attachments.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Macro-launched PowerShell used to download and execute the payload.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Persistence via entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- T1543.003 – Create or Modify System Process: Windows Service: A legitimate Windows service repurposed to launch the payload.
- T1053.005 – Scheduled Task/Job: Scheduled Task: Malicious scheduled tasks created on endpoints reached during lateral movement.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 beaconing over HTTP/S through a tier of proxies.
- T1003.001 – OS Credential Dumping: LSASS Memory: Mimikatz used to harvest credentials.
- T1135 – Network Share Discovery: Enumeration of network shares prior to lateral movement.
- T1021.002 – Remote Services: SMB/Windows Admin Shares: Lateral movement to additional hosts over SMB admin shares with stolen credentials.
Detection Opportunities
- Monitor email gateways for spikes in messages carrying macro-enabled Office attachments, and alert on Office applications spawning PowerShell on endpoints.
- Use endpoint detection and response (EDR) telemetry to flag PowerShell command lines that are encoded or contain download cradles, and to flag writes to HKCU\...\CurrentVersion\Run by processes other than known installers.
- Monitor network and Windows Security logs for SMB connections to ADMIN$ or C$ from hosts that are not administrative workstations, and for scheduled-task creation on hosts shortly after such connections.
Analyst Notes
Given the adaptability of the Qakbot family and its capacity for evasion, continuous monitoring and ongoing refinement of detection logic are essential. Threat intelligence sharing should be used to stay current on the TTPs of new Qakbot iterations, and collaboration among SOC teams will be critical in mitigating the risk from such threats in the future.