QakBot Detection: DUCK HUNT
In Russia, Ducks hunt you.
A skilled and high operational tempo Russian / Eastern European adversary group known as Mallard Spider, TA570, or by the groups developed malware’s name QBot / QakBot has been observed leveraging Follina (CVE-2022–30190) in the wild. The attack flow is simple.
As of this writing, there is no patch available; however, workarounds exist that effectively mitigate the risk of this vulnerability (the workaround is provided below).
The MSRC-provided workaround is as simple as three easy steps:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
QakBot has other ways to get from Point A’s Phishing Email to Point B’s QakBot binary execution; however, April marked the beginning of Microsoft’s phased plan to disable Macros in Office Products by Default. VBS scripting execution via Office Documents was and is today perhaps the most common method of connecting a user click with malware execution, but the future outlook for adversaries looking to attack through Outlook with VBS embedded attachments isn’t so bright.
Thus, adversaries are and will continue to look for alternative methods to execute their code on our machines. These tests of Follina by QakBot and other groups will simply be one of many explored alternatives. In the future, I will write a blog post on additional alternative methods we defenders should be aware of.
Threat Hijacking -> Follina -> QakBot
On Monday, May 30, 2022, Microsoft issued CVE-2022–30190 along with the workaround. It was highly advised the workaround be implemented quickly as not only were adversaries already abusing the vulnerability that day, but adversaries were abusing it months before and with its public release the general expectation was to see more abuse in the wild.
And Mallard Spider did not disappoint. Within a week, evidence of MallardSpider abusing this vulnerability was discovered. SANS InfoSec form has an excellent breakdown of one such observed incident: TA570 Qakbot (Qbot) tries CVE-2022–30190 (Follina) exploit (ms-msdt).
This adversary is well known for Threat Hijacking. This is where they will compromise email accounts and “pick up conversations” by replying to existing email threads with emails with lures designed to get people to open links and attachments.
In this case, an attached HTML file containing a Zip achieve had a .lnk file (growing in popularity since the April Macro Disable by Default change), a dynamic link library which was the binary for Qakbot, and a Microsft Word File with the Follina exploit. While this may sound complicated, QakBots use of Thread Hijacking supports a high rate of execution.
Embraced by the Support of a Spiders Nest
Another relevant Operational Intelligence to consider of this group is that their efforts recently received a boost when, on March 23rd, Wizard Spider’s Emotet Botnet began, once again, delivering QakBot. This is the first time we have observed Emotet dropping QakBot since the return of the Emotet Botnet after LE’s takedown in January of 2021. Since then, Mallard Spider has also released a new version that expands the tactics used by QakBot to include dropping a Dynamic Link Library packed with QakBot through a legitimate MSI install file.
While QakBot may be considered by many to be a commodity malware, its uses and adversary objectives bring significant personal or enterprise risk. Compromises by this group have been seen to result in serious financial losses via Financial Fraud, or even ransomware such as Twisted Spiders Egregor and ProLock.
Lets Improve Follina Detection
Initially, the Threat Hunting and Detection community reviewed the intelligence of the April attacks using Follina before it was popular and simply looked for Microsoft Word, Excel, and Outlook launching the problematic binary msdt.exe. Such searches can be found currently in as logic for some security controls or on forums where Hunting and Detection are discussed such as r/crowdstrike.
Original Defender Search from r/crowdstrike:
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"WINWORD.EXE", @"EXCEL.EXE", @"OUTLOOK.EXE")
Original Crowdstrike Search from r/crowdstrike:
index=main sourcetype=ProcessRollup* event_simpleName=ProcessRollup2
| search ParentBaseFileName IN (winword.exe, excel.exe, powerpnt.exe, outlook.exe)
| search FileName=msdt.exe
| table _time, aid, ComputerName, UserName, UserSid_readable, ParentBaseFileName, FileName, CommandLine
| lookup local=true aid_master aid OUTPUT AgentVersion, Version, MachineDomain, OU, SiteName
While later PowerPoint was added, the risk existed within the entire Office Suite. Therefore, forward-looking prevention or detection of these attacks ought to include the entire list of impacted Office products.
Follina will Put a Spotlight on MSDT
As is often the case, the discovery of a ZeroDay has drawn additional attention to the affected protocol handler. Issues are being discovered or rediscovered, that could enable more effective abuse of MSDT such as DogWalk which not only lacks a patch but also a CVE-ID.
Mallard Spider has capable and agile developers. They were quick to put the vulnerability to use, but there will be others who will try this vulnerability on us in the future. The lack of an easy patch that can be automatically updated on a personal device or easily deployed via traditional patching solutions will likely keep this vulnerability in use for a while, which will make development efforts to implement/execute more rewarding for adversaries. Consider patching and hunting for this threat starting from early April if you haven’t yet.