QakBot Detection: DUCK HUNT

Photo by Ravi Palwe on Unsplash

Thread Hijacking -> Follina -> QakBot

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 along with a workaround. It was strongly advised that the workaround be applied quickly: not only were adversaries abusing the vulnerability that same day, they had been abusing it for months before, and with its public release the general expectation was to see more abuse in the wild.

Thread Hijacking

This adversary is well known for Thread Hijacking. This is where they will compromise email accounts and “pick up conversations” by replying to existing email threads with emails containing lures designed to get people to open links and attachments.

Duncan, SANS

Embraced by the Support of a Spider's Nest

Another relevant piece of operational intelligence about this group is that its efforts recently received a boost when, on March 23rd, Wizard Spider’s Emotet botnet once again began delivering QakBot. This is the first time we have observed Emotet dropping QakBot since the return of the Emotet botnet after the law enforcement takedown in January 2021. Since then, Mallard Spider has also released a new version that expands the tactics used by QakBot to include dropping a Dynamic Link Library packed with QakBot through a legitimate MSI installer file.

Adversary Objectives

While QakBot may be considered by many to be commodity malware, its uses and adversary objectives bring significant personal and enterprise risk. Compromises by this group have been seen to result in serious financial losses through financial fraud, or even ransomware such as Twisted Spider's Egregor and ProLock.

Let's Improve Follina Detection

Initially, the threat hunting and detection community reviewed the intelligence on the April attacks that used Follina before it became widely known, and simply looked for Microsoft Word, Excel, and Outlook launching the problematic binary msdt.exe. Such searches can currently be found as logic in some security controls, or on forums where hunting and detection are discussed, such as r/crowdstrike.

Microsoft Defender advanced hunting (KQL):

DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"WINWORD.EXE", @"EXCEL.EXE", @"OUTLOOK.EXE")

CrowdStrike Falcon event search:

index=main sourcetype=ProcessRollup* event_simpleName=ProcessRollup2
| search ParentBaseFileName IN (winword.exe, excel.exe, powerpnt.exe, outlook.exe)
| search FileName=msdt.exe
| table _time, aid, ComputerName, UserName, UserSid_readable, ParentBaseFileName, FileName, CommandLine
| lookup local=true aid_master aid OUTPUT AgentVersion, Version, MachineDomain, OU, SiteName

Office parent processes to cover, beyond the three or four the searches above include:

WINWORD.EXE
EXCEL.EXE
POWERPNT.EXE
MSPUB.EXE
VISIO.EXE
OUTLOOK.EXE
MSACCESS.EXE
MSPROJECT.EXE
ONENOTE.EXE
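To show the expanded logic with the full list of Office parents applied to sensor telemetry, here is an added Python example that is not from the original post: it runs the msdt.exe-under-Office check over constructed process-creation events, normalising full image paths to base names so that both the KQL and the Falcon style of field are handled. The event fields, host names and sample paths are assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Full set of Office host processes from the page (the original queries
# only covered WINWORD, EXCEL, OUTLOOK and, in one case, POWERPNT).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe",
    "outlook.exe", "msaccess.exe", "msproject.exe", "onenote.exe",
}
TARGET_CHILD = "msdt.exe"


@dataclass
class ProcessEvent:
    """Assumed minimal process-creation record (field names are constructed)."""
    host: str
    user: str
    parent_image: str  # full path or bare name, as the sensor reports it
    image: str


def base_name(image: str) -> str:
    """Lowercase base name of an image path; accepts both \\ and / separators."""
    return ntpath.basename(image.replace("/", "\\")).lower()


def is_office_spawned_msdt(ev: ProcessEvent) -> bool:
    """True when any Office host process launched msdt.exe."""
    return (base_name(ev.image) == TARGET_CHILD
            and base_name(ev.parent_image) in OFFICE_PARENTS)


def hunt(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events matching the expanded Follina hunting logic."""
    return [ev for ev in events if is_office_spawned_msdt(ev)]


# Constructed sample telemetry, not real data. ws02 (Publisher) is the case
# the narrower three-parent queries would have missed.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe"),
    ProcessEvent("ws02", "bob", r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
                 r"C:\Windows\SysWOW64\msdt.exe"),
    ProcessEvent("ws03", "carol", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe"),
    ProcessEvent("ws04", "dave", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.host} {hit.user}: {hit.parent_image} -> {hit.image}")
```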

Follina will Put a Spotlight on MSDT

As is often the case, the discovery of a zero-day has drawn additional attention to the affected protocol handler. Issues are being discovered or rediscovered that could enable more effective abuse of MSDT, such as DogWalk, which lacks not only a patch but also a CVE-ID.

Conclusion

Mallard Spider has capable and agile developers. They were quick to put the vulnerability to use, but others will try this vulnerability against us in the future. The lack of an easy patch that can be automatically applied on a personal device or readily deployed through traditional patching solutions will likely keep this vulnerability in use for a while, which makes the development effort of implementing and executing it more rewarding for adversaries. Consider patching and hunting for this threat, starting from early April, if you haven’t yet.

Christian Taillon

A cyber nerd who believes that you don’t have to work at the same company to be on the same team.