Qakbot Continues to Menace Corporate Environments

By Joe Lamura, Vigilant SOC Manager

A Vigilant Know More Series

Roughly 90% of all cyber incidents start with an email from a threat actor to an unsuspecting user.

Recently, Vigilant Analysts had an opportunity to analyze a number of Qakbot email samples. Our team observed that threat actors are using most of the same tricks, but still finding ways to evade detection.

What is Qakbot?

Qakbot has been around since 2008 and has always been classified as a banking trojan. Banking trojans are generally malware aimed at stealing users' credentials, and they are used against organizations across industries, not just finance. Over the years, Qakbot has evolved, adding modules that provide much more functionality, including the ability to drop additional files on the device and allow remote control of it.

Recent Sample Analysis

The email samples all appeared different on the surface; however, further analysis showed many similarities at the first and second stages. For example, all of the sample emails used the same lures, such as an invoice due or a security alert regarding the recipient's account. These lures were designed with one goal in mind: to get the user to click a link to a remote web server and download a malicious file.

The malicious file in this first stage was often a password-protected zip file. The reason for password-protecting the file is to avoid automated file analysis: without the password, an automated security solution cannot open the archive to analyze the file within. For the end user, however, the password is provided in the email itself, presented as an "added security measure" for their protection.

Within the zipped archive is a heavily obfuscated JScript file which, once analyzed and deobfuscated, was most often found to contain an encoded PowerShell script. The PowerShell script reaches out to a remote web server to download the second payload, a DLL file. A review of the DLL shows that it gives threat actors the capability to steal passwords from browsers, remotely control the infected system, and perform other stealthy actions such as dropping files without the user's awareness. If Vigilant MEDR is employed in your environment, a similar rule can be set in the environment, and trusted devices can be whitelisted.
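A password-protected archive hides member contents, but not member names or the encryption flag in the zip headers, so a mail gateway or SOC triage script can still score the attachment without the password from the email body. The following is an added example written for this post, not Vigilant's own code; the extension list beyond `.js` and the `quarantine`/`review`/`allow` verdicts are assumptions, and the sample archives are constructed in-line.

```python
import io
import os
import zipfile

# Extensions a script dropper might carry; the post names JScript, the rest
# are common script/launcher types added here as an assumption.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".cmd", ".bat", ".lnk"}


def triage_zip(data: bytes) -> dict:
    """Classify a zip attachment from its central directory alone.

    Encryption hides member contents, not member names or the encryption
    flag itself, so the archive can be scored without its password.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    # bit 0 of the general-purpose flag word marks an encrypted member
    encrypted = [m.filename for m in members if m.flag_bits & 0x1]
    scripts = [m.filename for m in members
               if os.path.splitext(m.filename.lower())[1] in SCRIPT_EXTS]
    if encrypted and scripts:
        verdict = "quarantine"   # password-protected archive hiding a script
    elif scripts:
        verdict = "review"       # script inside a plain zip: analyze it
    else:
        verdict = "allow"
    return {"verdict": verdict, "encrypted": encrypted,
            "scripts": scripts, "members": len(members)}


def build_sample(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a constructed test archive. Python's zipfile cannot write
    encrypted zips, so the encryption flag is set by hand in both headers
    while the stored body stays in the clear; triage only reads headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        lfh = raw.index(b"PK\x03\x04")  # local file header
        cdh = raw.index(b"PK\x01\x02")  # central directory header
        raw[lfh + 6] |= 0x01            # flag word at LFH offset 6
        raw[cdh + 8] |= 0x01            # flag word at CDH offset 8
    return bytes(raw)


if __name__ == "__main__":
    lure = build_sample("Invoice_4471.js", b"var a='constructed';", True)
    print(triage_zip(lure))
```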

What Can Your Organization Do to Protect from Qakbot Infections?

Make sure to safeguard your endpoints with an evolving solution that can keep up with the ever-changing threat landscape. The Vigilant team is constantly performing threat research and analysis to create new detection capabilities aimed at malicious activity such as Qakbot. With our MEDR service, our team can detect and block Qakbot infections before they occur.

User awareness training is also always recommended as a security measure, to remind users of the lures used by threat actors so they don't click the malicious links in the first place. In addition, giving users an easy way to report suspicious emails can be a valuable source of information for security teams. With proper procedures in place, security teams can respond to reported emails to 1) determine whether the reported message is in fact malicious, and 2) kick-start response efforts to identify how many users received it and whether any have already been infected. Timely response to the initial attack can prevent a much larger incident by removing the threat actors before they can take action on their objectives.

To keep up to date on threats we’re seeing in the wild, sign up for our blog.
