QakBot Detection: DUCK HUNT Part 2 — The .LNK
As promised in Part 1 of QakBot Detection: DUCK HUNT, we have a few more concepts to examine regarding the QakBot malware. In Part 1, we focused on the adversary group Mallard Spider, discussed their use of the then recently popularized Follina vulnerability, and revealed some practical issues and opportunities relating to detection. Follina now has an official patch in the June Microsoft patch release, although it is not listed in the bulletin at the time of this writing.
While Part 1 focuses on the who, Part 2 focuses on the what, the how, and how do I stop it. In this article, we will focus on the piece of malware that gave this adversary group its name and prominence, and consider additional hunting and detection techniques.
Christian, can you tell me more about QakBot?
I am glad you asked! QakBot malware, also known as QBot, QuakBot, and sometimes Pinkslipbot, has been a prolific banking trojan since at least mid-2009. It is not exclusive to Mallard Spider, as many other groups use QakBot, but this eCrime adversary leverages the banking trojan heavily in its operations. Adversary objectives include selling compromised credentials, financial fraud, and even laying the groundwork for ransomware attacks (most notably Egregor and ProLock ransomware).
Being a banking trojan, its original purpose was to steal credentials, typically banking credentials, which adversaries used to commit financial fraud. Like most banking trojans that have kept their relevance for over a decade, QakBot has received many new features and capabilities and has been updated many times, resulting in the well-polished and versatile adversarial tool it is today. QakBot is no longer the simple banking trojan that it once was, capturing credentials according to its webinjects ruleset; over the years, it has developed into something much more sophisticated.
A Modern Feature Set for a Modern Mallard
Although it may be old enough to find in an antique store, QakBot has many modern features that keep it relevant today. The malware benefits from an elusive and mature C2 (Command and Control) mechanism. It can conduct its own host enumeration and its own network scans. It can move laterally through a network via SMB using both passwords stolen from memory and credential brute-forcing. It can perform keylogging, process injection, and data exfiltration. It has its own mal-spam propagation methods and can download and run additional payloads. Frustratingly, researching the malware is hindered by various anti-analysis and anti-virtual-machine techniques. And, of course, what would a banking trojan be without its ability to locate and exfiltrate credentials?
With multiple groups using and abusing QBot, it is constantly adapting, receiving new features, or being paired with additional libraries to run upon execution.
A Twice Encrypted and Encoded “Quack”
QakBot’s C2 communication, for example, is highly mature. The operators put a lot of work into evading detection and inhibiting deconstruction and analysis, using multiple layers of obfuscation and encryption. For example, the malware uniquely encrypts each C2 message carried in HTTP POST and GET requests, and then sends that already-encrypted communication over a TLS (Transport Layer Security) session. The bot generates a unique encryption key for each message sent in the POST request data, and the encryption uses a static salt that is unique to the infected host.
If it Quacks Like a Duck…
Due to the bot’s scope of use and modularity, there isn’t necessarily a standard operating procedure that we can observe with each Qak-Attack, as I like to call it. The diversity of past intrusions makes it challenging to identify specific TTPs (Tools, Techniques, and Procedures) for the detection or prevention of future attacks that will be relevant in every case. QakBot continues to evolve and, as noted in Part 1, has even been observed using novel attacks such as Follina in its campaigns. Another example is a recent sighting of QakBot being delivered through a malicious .LNK file downloaded from a malicious URL (Uniform Resource Locator) in a phishing email (more on this method will be covered in a future article).
That being said, some properties seem to be shared among the variants of QakBot and their attacks. Based on what appears relatively common, here are some detection and hunting opportunities to walk away with.
T1218.011 Signed Binary Proxy Execution: Rundll32, T1218.010 Signed Binary Proxy Execution: Regsvr32
Malicious payloads are executed via regsvr32.exe or rundll32.exe, and that process is often launched by an Office document. Consider looking for a process with a command line containing *rundll* OR *regsvr* and a parent process of any of the following Office programs:
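Here is an added example (not code from the original article) of that search in Python, run over constructed Sysmon-style process-creation records; the field names, the sample values and the list of Office parent executables are assumptions to adapt to your own telemetry.

```python
import re

# Constructed records in the shape of Sysmon Event ID 1 (process creation) fields;
# illustrative values only, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -s C:\Users\u\AppData\Local\Temp\d.ocx",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Roaming\Kdwq\abc.dll,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed set of Office parent executables; extend it to match your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# The two substrings the text suggests searching for in the command line.
PROXY_RE = re.compile(r"rundll|regsvr", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_office_proxy_execution(event):
    """True when the command line names rundll32/regsvr32 and the parent is an Office app."""
    cmd_hit = PROXY_RE.search(event.get("CommandLine", "")) is not None
    return cmd_hit and basename(event.get("ParentImage", "")) in OFFICE_PARENTS

def find_hits(events):
    """Return only the events that match the rundll32/regsvr32-from-Office search."""
    return [e for e in events if is_office_proxy_execution(e)]
```

The third record shows why the parent condition matters: rundll32.exe launched by explorer.exe is routine and is not returned.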
T1053.005 Scheduled Task/Job: Scheduled Task
QakBot’s use of a scheduled task for persistence is another standard behavior. This creates an opportunity for us to look at scheduled task creations. If you are hunting, consider looking for rare values for scheduled task names. If you are trying to create a detection, an algorithm that scores the randomness of the name may prove valuable here.
Search for processes where the command line contains both “schtasks.exe” and “regsvr32.exe”; most tasks should not be executing “regsvr32.exe”. The string after /tn <random_string> will be the name of the task. Instead of a random name, you may find infections that use a GUID. GUIDs have a predictable format, allowing us to match them with a simple regex.
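An added example (not from the original article) that applies this search to constructed schtasks command lines: it confirms the schtasks/regsvr32 pairing, pulls the task name from /tn, matches GUIDs with a regex, and scores the remaining names with a simple randomness heuristic of the kind suggested above. The command lines and the entropy and vowel-ratio thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed command lines (not real telemetry): a random task name, a GUID task
# name, and a normal registration that never touches regsvr32.exe.
SAMPLE_CMDLINES = [
    r'schtasks.exe /create /ru "NT AUTHORITY\SYSTEM" /tn ytywjkhz /tr "regsvr32.exe -s C:\Users\u\AppData\Roaming\Fddc\x.dll" /sc once /st 12:00',
    r'schtasks.exe /create /tn {0E7B0AE3-5E8F-4B6F-9C2D-1B0A3F7D8E21} /tr "regsvr32.exe -s C:\Users\u\x.dll" /sc once',
    r'schtasks.exe /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files\Adobe\AdobeUpdate.exe" /sc daily',
]

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I)
TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)  # task name: quoted or bare token after /tn

def shannon_entropy(s):
    """Bits per character of s; higher means less repetitive."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_random(name, min_letters=6):
    """Crude randomness heuristic (assumed thresholds, tune per environment): few vowels
    and near-maximal entropy for the string length, which generated names tend to show."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    norm_entropy = shannon_entropy(name) / math.log2(len(name))
    return vowel_ratio < 0.25 and norm_entropy >= 0.8

def task_name(cmdline):
    m = TN_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def analyze(cmdline):
    """Apply the search from the text to one command line and describe the task name."""
    low = cmdline.lower()
    pairing = "schtasks" in low and "regsvr32" in low
    name = task_name(cmdline) if pairing else None
    return {
        "pairing": pairing,
        "task": name,
        "guid": bool(name and GUID_RE.match(name)),
        "random": bool(name and looks_random(name)),
    }
```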
Additional Detection / Hunting Opportunities
Network / Email Level:
Data Source: Firewalls, proxies, Zeek, packet captures, simple NetFlow logs, possibly EDR
1. QakBot has obfuscated C2 using zipped files; look for a mime_type of app/zip
2. SMTP traffic with multiple sender addresses sourced from an individual host
3. DNS / NetFlow for a large number of SMTP services (Outlook, Gmail, etc.)
4. Rare DNS query (since randomly generated)
5. Internal scans (one to many connections or ARP scans if you can query)
6. Consider quarantining or investigating emails with .LNK file attachments (though most frequently, these are delivered through malicious URLs)
Endpoint Level: PowerShell, EDR, Host Logs, Sysmon, OSQuery
1. If possible, query for keys in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. For QakBot, look for uncommon key names targeting a PE in %APPDATA%\Roaming\Microsoft\ .
2. Rare PE or DLL in APPDATA or randomly named APPDATA dir (write or execute)
3. VBS Script Execution (network calling)
4. Look for a randomly generated five-character directory in the root dir of the C:\ drive that doesn’t belong
5. Find rare scheduled task names in the environment and check whether the task triggers PowerShell execution (they are randomly named)
6. Find rare registry key names within the path HKCU\Software\Microsoft (they are randomly named)
7. Look for .LNK execution from Browsers or Office Products
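For the first two endpoint items, here is an added example (not code from the original article) that parses constructed `reg query`-style output from several hosts, stacks the Run value names to find rare ones, and flags those whose data points to a PE under the Roaming\Microsoft path; the hosts, values and the rarity threshold are assumptions.

```python
import re
from collections import Counter

# Constructed text in the shape of `reg query HKCU\...\Run` output for three hosts (not real data).
REG_OUTPUT = {
    "HOST-A": r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    xkqtpw    REG_SZ    regsvr32.exe -s C:\Users\a\AppData\Roaming\Microsoft\Vxwkd\loader.dll
""",
    "HOST-B": r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\b\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
""",
    "HOST-C": r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\c\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Teams    REG_SZ    C:\Users\c\AppData\Local\Microsoft\Teams\Update.exe
""",
}

VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")  # name, type, data columns
# The text points at %APPDATA%\Roaming\Microsoft\; match the expanded form of the path too.
TARGET_RE = re.compile(r"(%APPDATA%|AppData\\Roaming)\\Microsoft\\.*\.(exe|dll)\b", re.I)

def parse_run_values(text):
    """Return {value_name: data} from one host's reg query output."""
    out = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(3)
    return out

def hunt(outputs, max_hosts=1):
    """Stack Run value names across hosts (assumed rarity threshold: seen on at most
    max_hosts hosts) and flag rare names whose data targets a PE under Roaming\Microsoft."""
    per_host = {host: parse_run_values(text) for host, text in outputs.items()}
    prevalence = Counter(name for values in per_host.values() for name in values)
    hits = []
    for host, values in per_host.items():
        for name, data in values.items():
            if prevalence[name] <= max_hosts and TARGET_RE.search(data):
                hits.append((host, name, data))
    return hits
```

The Teams entry on HOST-C is rare too but lives under AppData\Local, so only the HOST-A entry is returned; both conditions have to hold.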
Microsoft Reversed their Macro Blocking Decision
In the preceding article, we also briefly covered Microsoft’s April 2022 action to move forward with disabling macros in Microsoft Office products by default and the implications this had on adversarial techniques. Presumably, adversaries such as Mallard Spider were trying their hand at Follina, PowerShell-embedded .LNK files, .msi (Microsoft Windows Installer) files, and .img files (image files) because of Microsoft’s decision to end-of-life this attack vector. On July 7th 2022, Microsoft announced its intention to roll back the change to the default behavior in Microsoft’s handling of macros. Instead, Microsoft Office will present a modified warning banner to denote the risk of documents obtained from the internet (“web”) and add steps for users to execute macros in a document.
Microsoft customers can still block Macros in their environment by configuration/policy. Read more about Microsoft’s response and how to take protective action here.