In-Depth Analysis of a New Variant of the QakBot Banking Trojan: TTPs and Detection Strategies

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • This QakBot variant pairs an invoice-themed macro document, obfuscated PowerShell and a dropper staged in %TEMP% with HTTPS C2 that rotates randomized subdomains and wraps exfiltrated data in a custom encryption layer.
  • It persists through a logon-triggered scheduled task running as SYSTEM and an HKCU Run key, and moves laterally with PsExec, WMIC and administrative shares using credentials scraped from memory.
  • The task name, binary paths, registry value and beacon pattern are concrete IOCs; the behaviours behind them (Office spawning PowerShell, task and Run-key creation from user-writable paths, periodic HTTPS polling) give detections that survive a rebuild of the sample.

Executive Summary

During our investigation into a recent intrusion involving a variant of the QakBot banking Trojan, we observed a series of well-coordinated tactics employed by the threat actor. The malware combined layered persistence mechanisms, HTTPS command and control (C2) channels, and a clear intent to exfiltrate sensitive financial information. Our analysis traced the multi-stage attack chain from initial access through a phishing campaign to reconnaissance and lateral movement within an enterprise network.

Initial Access

The attack chain began with a phishing email carrying a malicious attachment disguised as a legitimate invoice. When the Word document was opened, its embedded macro ran obfuscated PowerShell that downloaded the QakBot payload from a remote server. That first stage was a dropper: it decompressed the main implant into a temporary directory, specifically %TEMP%\r4g8j3d4.exe, and launched it, establishing the initial foothold. The first stage therefore leaves two artefacts worth hunting for on every host: an Office process spawning powershell.exe, and a newly written executable under %TEMP% that is immediately executed.

Execution & Persistence

Once executed, the implant took two steps to survive reboots and logoffs. It used Windows Management Instrumentation (WMI) to launch schtasks.exe, creating a scheduled task with the command schtasks /create /tn "QakBot" /tr "C:\Users\Public\AppData\qakbot.exe" /sc onlogon /ru system. The onlogon trigger fires at any user's logon and /ru system runs the binary as SYSTEM; registering a task as SYSTEM requires local administrator rights, so the actor already held elevated privileges on the host at this point. Forensic analysis also uncovered a value named qakbot under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing to the same executable. A Run value in HKCU executes when that user logs on, not at system startup, so the two mechanisms overlap rather than complement each other; either one alone is enough to relaunch the implant.
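The two persistence artefacts above are easy to triage from endpoint telemetry once the command line and the registry write are parsed. The script below is an added example for this report, not the investigating team's tooling: it parses schtasks /create command lines, flags tasks that run at logon or as SYSTEM from a user-writable directory, and flags Run values pointing into such a directory. The event records are constructed (the first task and the first registry value mirror the commands quoted in the text; the others are benign controls), and the record shape, modelled loosely on Sysmon process-creation and registry-set events, is an assumption made for the example.

```python
"""Flag the scheduled-task and Run-key persistence described above.

Added example for this report (not the report's tooling). Event records are
constructed: a process-creation record carrying a schtasks.exe command line and
a registry-set record shaped loosely on Sysmon Event ID 13. Field names are
assumptions made for the example.
"""
import re

# Directories an unprivileged user can write to. A logon-triggered or
# SYSTEM-level task, or a Run value, pointing here is the report's pattern.
USER_WRITABLE = re.compile(
    r"(\\users\\|%temp%|\\appdata\\|\\programdata\\|\\temp\\|\\public\\)",
    re.IGNORECASE,
)
RUN_KEYS = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE
)
LOGON_TRIGGERS = {"onlogon", "onstart", "onidle"}
# schtasks options come as /name value; the value is either "quoted" or a bare
# token that is not itself the next /option.
OPT = re.compile(r'/(\w+)\s+(?:"([^"]*)"|(?!/)(\S+))')

EVENTS = [  # constructed; the first and third mirror the commands quoted above
    {"type": "process", "host": "WS01",
     "cmd": r'schtasks /create /tn "QakBot" /tr "C:\Users\Public\AppData\qakbot.exe" /sc onlogon /ru system'},
    {"type": "process", "host": "WS01",
     "cmd": r'schtasks /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /sc daily /st 12:00'},
    {"type": "registry", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qakbot",
     "value": r"C:\Users\Public\AppData\qakbot.exe"},
    {"type": "registry", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]


def parse_schtasks(cmdline):
    """Return {option: value} for a 'schtasks /create' command line, else None."""
    if not re.search(r"schtasks(\.exe)?\S*\s+/create\b", cmdline, re.IGNORECASE):
        return None
    opts = {}
    for m in OPT.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def task_reasons(opts):
    """Reasons a parsed task resembles the persistence seen in the report."""
    reasons = []
    if (opts.get("sc") or "").lower() in LOGON_TRIGGERS:
        reasons.append("logon/start trigger")
    if (opts.get("ru") or "").lower() in {"system", "nt authority\\system"}:
        reasons.append("runs as SYSTEM")
    if USER_WRITABLE.search(opts.get("tr") or ""):
        reasons.append("binary in user-writable path")
    return reasons


def triage(events):
    """Return (host, label, reasons) for events matching the persistence pattern."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            opts = parse_schtasks(ev["cmd"])
            if opts is None:
                continue
            reasons = task_reasons(opts)
            # A user-writable binary alone is common for legitimate updaters;
            # require a logon/start trigger or SYSTEM as well before alerting.
            if "binary in user-writable path" in reasons and len(reasons) >= 2:
                findings.append((ev["host"], "task:" + opts.get("tn", "?"), reasons))
        elif ev["type"] == "registry":
            if RUN_KEYS.search(ev["key"]) and USER_WRITABLE.search(ev["value"]):
                name = ev["key"].rsplit("\\", 1)[-1]
                findings.append((ev["host"], "runkey:" + name,
                                 ["Run value in user-writable path"]))
    return findings


if __name__ == "__main__":
    for host, label, reasons in triage(EVENTS):
        print(host, label, "; ".join(reasons))
```

The benign Adobe task and the OneDrive Run value fall through because they point into Program Files; the QakBot task trips all three reasons and the qakbot Run value trips the path check. Matching on the task name "QakBot" itself would also work here, but the path and trigger logic is what carries over to a sample that picks a less obliging name.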

Command and Control

The sample we examined communicated with its C2 infrastructure over HTTPS, so request contents are hidden from network inspection unless TLS is intercepted, and it rotated through randomized subdomains of a single parent domain rather than a fixed hostname. The implant beaconed every few minutes using a fixed request format, https://.example.com/api/v1/poll, varying only the subdomain label between requests. In these exchanges it sent back system information, including OS details and installed software, and received further commands, an adaptive tasking mechanism. The binary also applied a custom encryption layer to exfiltrated data inside the TLS session, so even with TLS interception the returned content could not be read directly, which complicated decoding during analysis.
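Because the subdomain changes on every request, grouping proxy logs by full hostname hides the beacon as many one-off connections; grouping by the registered domain restores the series, and the fixed few-minute cadence then stands out as low variance in inter-request gaps. The script below is an added example, not the report's tooling. Its log lines are constructed: one client polls a changing subdomain of example.com about every five minutes with small jitter, another client browses irregularly. The line format (ISO timestamp, client IP, URL) is an assumption; the /api/v1/poll path and the rotating-subdomain scheme come from the text.

```python
"""Beacon detection over web-proxy logs, looking for the periodic polling to
rotating subdomains described above.

Added example, not the report's tooling. The log lines are constructed: one
host polls a changing subdomain of example.com roughly every 5 minutes, another
host browses irregularly. Line format (timestamp, client IP, URL) is an
assumption; the path /api/v1/poll is taken from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def registered_domain(host):
    # Simplification: the last two labels. Production code should consult the
    # public suffix list so that names under e.g. co.uk group correctly.
    return ".".join(host.split(".")[-2:])


def parse_line(line):
    ts, src, url = line.split(" ", 2)
    host = url.split("://", 1)[1].split("/", 1)[0]
    return datetime.fromisoformat(ts), src, host


def find_beacons(lines, min_hits=6, max_cv=0.15):
    """Return clients whose requests to one registered domain recur at a
    near-constant interval (coefficient of variation of the gaps <= max_cv).

    Grouping by registered domain rather than full hostname is what makes the
    randomized-subdomain scheme visible as a single series."""
    series = defaultdict(list)
    for line in lines:
        ts, src, host = parse_line(line)
        series[(src, registered_domain(host))].append(ts)
    hits = []
    for (src, domain), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "domain": domain, "count": len(times),
                         "interval_s": round(median(gaps)), "cv": round(cv, 3)})
    return hits


def build_sample_log():
    """Constructed proxy log: 8 beacons with small fixed jitter plus browsing noise."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    t = base
    jitter = [0, 7, -5, 3, -9, 4, 6, -2]          # seconds off the 300 s period
    labels = ["a9f3", "k2m1", "x7q0", "b4n8", "c1d2", "e5f6", "g7h8", "i9j0"]
    for j, label in zip(jitter, labels):
        t += timedelta(seconds=300 + j)
        lines.append(f"{t.isoformat()} 10.0.0.15 https://{label}.example.com/api/v1/poll")
    for offset in (0, 12, 95, 400, 430, 2100, 2115, 3900):   # irregular browsing
        t2 = base + timedelta(seconds=offset)
        lines.append(f"{t2.isoformat()} 10.0.0.22 https://www.example.net/news/{offset}")
    return lines


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

On the constructed log the beaconing client is reported with a median interval of about 303 seconds and a coefficient of variation under 0.05, while the browsing client's gaps vary by more than their mean and are ignored. A real implant may add larger jitter, so tune max_cv against your own baseline and treat the constant request path as a second, independent signal.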

Lateral Movement & Discovery

For lateral movement the QakBot variant relied on PsExec and WMIC to reach other hosts. During our analysis we recorded its attempts to access administrative shares with stolen credentials, which it had obtained by scraping process memory. The implant also ran discovery commands such as net view and net session to enumerate reachable hosts and active user sessions, selecting targets for further compromise. Each of these steps leaves host evidence: PsExec installs the PSEXESVC service on the target, WMIC remote execution appears as a wmic.exe process with /node: on the source and a child of WmiPrvSE.exe on the target, and the net.exe invocations are visible in process-creation telemetry.
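The process-creation artefacts from the Initial Access section (an Office process spawning PowerShell with encoded or hidden-window arguments) and from this section (net view / net session, PsExec, WMIC remote execution) can be caught by a handful of rules over the same event stream. The script below is an added example, not the report's tooling; one block serves both passages. Its records are constructed and modelled on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the encoded PowerShell argument is an illustrative base64 fragment, not one recovered from the incident, and two benign records are included as controls.

```python
"""Process-creation triage for the macro -> PowerShell chain (Initial Access)
and the discovery / PsExec / WMIC activity (Lateral Movement) described above.

Added example, not the report's tooling. Records are constructed and modelled
on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the encoded
PowerShell argument is an illustrative string, not one from the incident.
"""
import re

OFFICE = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.IGNORECASE)
SHELLS = re.compile(r"\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$", re.IGNORECASE)
# Arguments typical of macro-launched PowerShell: encoded command, hidden
# window, no profile, download-and-execute cradles.
PS_SUSPICIOUS = re.compile(
    r"(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|"
    r"invoke-webrequest|\biwr\b|frombase64string)",
    re.IGNORECASE,
)

EVENTS = [  # constructed; ids 2 and 7 are benign controls
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmd": "net view /all"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmd": "net session"},
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\AppData\PsExec.exe",
     "cmd": r"PsExec.exe \\FS01 -s cmd.exe"},
    {"id": 6, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r'wmic /node:FS02 process call create "C:\Users\Public\AppData\qakbot.exe"'},
    {"id": 7, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmd": "splwow64.exe 12288"},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev):
    return bool(OFFICE.search(ev["parent"]) and SHELLS.search(ev["image"]))


def powershell_suspicious_args(ev):
    return (image_name(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and bool(PS_SUSPICIOUS.search(ev["cmd"])))


def net_discovery(ev):
    return (image_name(ev["image"]) in {"net.exe", "net1.exe"}
            and bool(re.search(r"\b(view|session)\b", ev["cmd"], re.IGNORECASE)))


def psexec(ev):
    return image_name(ev["image"]) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def wmic_remote_exec(ev):
    return (image_name(ev["image"]) == "wmic.exe"
            and bool(re.search(r"/node:\S+.*process\s+call\s+create", ev["cmd"], re.IGNORECASE)))


RULES = [office_spawns_shell, powershell_suspicious_args, net_discovery, psexec, wmic_remote_exec]


def evaluate(events):
    """Return [(event id, [rule names])] for events that trip at least one rule."""
    out = []
    for ev in events:
        matched = [rule.__name__ for rule in RULES if rule(ev)]
        if matched:
            out.append((ev["id"], matched))
    return out


if __name__ == "__main__":
    for eid, names in evaluate(EVENTS):
        print(eid, ", ".join(names))
```

Record 1 trips both the parent-child rule and the argument rule, which is the combination to page on; the administrative PowerShell script in record 2 and Excel's print helper in record 7 trip nothing. On a workstation, net view, net session and a PsExec or WMIC /node: launch are rarely legitimate, so those rules can alert on their own; on jump hosts they need a user or asset allowlist.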

Impact & Objectives

As the campaign progressed, the threat actor's objective narrowed to financial data theft. The implant was configured to exfiltrate browser-stored credentials, critical business documents and system configuration data. In specific incidents surfaced during our analysis, large volumes of sensitive data were transmitted back to the C2 infrastructure, consistent with preparation for wire fraud. The combination of reconnaissance, credential harvesting and data exfiltration underscores the multifaceted nature of QakBot intrusions.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: invoice-themed Word document delivered by email.
  • T1204.002 – User Execution: Malicious File: the victim opens the document and its macro runs.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: obfuscated PowerShell downloads and launches the dropper.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: schtasks task triggered at logon, running as SYSTEM.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: qakbot value under HKCU\...\CurrentVersion\Run.
  • T1047 – Windows Management Instrumentation: WMI used to create the task and WMIC used for remote execution.
  • T1071.001 – Application Layer Protocol: Web Protocols: HTTPS beaconing to /api/v1/poll over rotating subdomains.
  • T1082 – System Information Discovery: OS and installed-software details sent in beacons.
  • T1003 – OS Credential Dumping: credentials scraped from memory for reuse.
  • T1018 – Remote System Discovery: net view.
  • T1049 – System Network Connections Discovery: net session.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: administrative shares accessed with stolen credentials.
  • T1569.002 – System Services: Service Execution: remote execution via PsExec.
  • T1555.003 – Credentials from Password Stores: Credentials from Web Browsers: browser credential theft.
  • T1041 – Exfiltration Over C2 Channel: collected data returned over the HTTPS C2 with a custom encryption layer.

Detection Opportunities

  • Scheduled-task persistence: alert on Security Event ID 4698 (task created) or Sysmon Event ID 1 for schtasks.exe /create where the trigger is onlogon or onstart, the principal is SYSTEM and the action points into a user-writable directory such as C:\Users, %TEMP% or ProgramData. The task name "QakBot" is a trivial string match here but should not be the only rule.
  • Run-key persistence: Sysmon Event ID 13 on values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose data resolves outside Program Files and the Windows directory.
  • Initial access: WINWORD.EXE or EXCEL.EXE spawning powershell.exe, PowerShell script block logging (Event ID 4104) showing encoded or download-and-execute commands, and any change to the execution policy reported by EDR.
  • C2: proxy or TLS-inspection logs showing connections at a near-constant interval to a fixed path (/api/v1/poll) across many short-lived subdomains of one parent domain; aggregate by registered domain, not full hostname, or the rotation hides the beacon.
  • Lateral movement: System Event ID 7045 service installations named PSEXESVC, wmic.exe with /node: and process call create, net view / net session from workstations that do not normally run them, and bursts of network logons (Event ID 4624, logon type 3) and admin-share access (Event ID 5140) from one workstation to many hosts in a short window.

Analyst Notes

The evolving sophistication of the QakBot variant poses significant challenges to organizations. Understanding the TTPs involved is essential for crafting effective defenses. Continuous monitoring, improved incident response plans, and user education on avoiding phishing emails are critical steps moving forward.

Source: Original Report