QakBot Detection: DUCK HUNT Part 2 — The .LNK


Christian, can you tell me more about QakBot?

I am glad you asked! QakBot malware, also known as QBot or QuakBot and sometimes Pinkslipbot, has been a prolific banking Trojan since at least mid-2009. It is not exclusive to Mallard Spider, as many other groups use QakBot, but this eCrime adversary leverages the banking Trojan heavily for its operations. Adversary objectives include selling compromised credentials, financial fraud, and even laying the groundwork for ransomware attacks (most notably Egregor and ProLock ransomware).

A Modern Feature Set for a Modern Mallard

Although it may be old enough to find in an antique store, QakBot has many modern features that keep it relevant today. The malware benefits from an elusive and mature C2 (Command and Control) mechanism. It can conduct its own host enumeration and its own network scans. It can move laterally through a network via SMB using both passwords stolen from memory and credential brute-forcing. It can perform keylogging, process injection, and data exfiltration. It has its own mal-spam propagation methods and can download and run additional payloads. Frustratingly, researching the malware is hindered by various anti-analysis and anti-virtual-machine techniques. And, of course, what would a banking Trojan be without the ability to locate and exfiltrate credentials?

A Twice Encrypted and Encoded “Quack”

QakBot’s C2 communication, for example, is highly mature. The operators put a lot of work into evading detection and inhibiting deconstruction and analysis, using multiple levels of obfuscation and encryption. For example, the malware uniquely encrypts each C2 communication sent over HTTP POST and GET requests, and then sends that already-encrypted communication inside a TLS (Transport Layer Security) session. The bot generates a unique encryption key for each message sent in the POST request data, and the encryption uses a static salt unique to the infected host.

If it Quacks Like a Duck…

Due to the bot’s scope of use and modularity, there isn’t necessarily a standard operating procedure that we can observe with each Qak-Attack, as I like to call it. The diversity of past intrusions makes it challenging to identify specific TTPs (Tactics, Techniques, and Procedures) for the detection or prevention of future attacks that will be relevant in every case. QakBot continues to evolve and, as noted in Part 1, has even been observed using novel attacks such as Follina in its campaigns. Another example is a recent sighting of QakBot being delivered through a malicious .LNK file downloaded from a malicious URL (Uniform Resource Locator) in a phishing email (more on this method will be covered in a future article).

ATT&CK techniques:

T1218.011 Signed Binary Proxy Execution: Rundll32, T1218.010 Signed Binary Proxy Execution: Regsvr32

Malicious payloads are executed via regsvr32.exe or rundll32.exe, and the proxy binary is often spawned by an Office document. Consider looking for a process whose command line contains *rundll* OR *regsvr* with a parent process of any of the following Office programs:

T1053.005 Scheduled Task/Job: Scheduled Task

QakBot’s use of a scheduled task for persistence is another consistent pattern. This creates an opportunity for us to look at scheduled task creations. If you are hunting, you may consider looking for rare values among scheduled task names. If you are trying to create a detection, using an algorithm to determine the randomness of the name may prove valuable here.
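The two detection ideas above (Office-spawned rundll32/regsvr32, and a randomness score for scheduled task names) as an added, runnable Python example; this is my own illustration, not code from the original post. The Office parent list, the three-feature randomness heuristic and its threshold, and the sample events and task names are all assumptions constructed for the demo.

```python
import re

# Assumed list of Office parents worth alerting on; extend to your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
PROXY_BINARIES = re.compile(r"rundll|regsvr", re.IGNORECASE)
VOWELS = set("aeiou")


def office_spawned_proxy(event):
    """True when the command line invokes rundll32/regsvr32 and the parent is an Office program."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    return bool(PROXY_BINARIES.search(event["cmdline"])) and parent in OFFICE_PARENTS


def flag_events(events):
    return [e for e in events if office_spawned_proxy(e)]


def randomness_score(task_name):
    """Crude randomness heuristic for a scheduled-task name (assumed scoring, 0 = word-like, 3 = random-looking).
    One point each for: no separators, letters mixed with digits, few vowels among the letters."""
    letters = [c.lower() for c in task_name if c.isalpha()]
    score = 0
    if not any(c in " -_." for c in task_name):
        score += 1
    if letters and any(c.isdigit() for c in task_name):
        score += 1
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    return score


def suspicious_task_name(task_name, threshold=2):
    return randomness_score(task_name) >= threshold


# Constructed sample data (Sysmon Event ID 1 style fields and task names), not real telemetry.
EVENTS = [
    {"cmdline": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\abc.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,DllRegisterServer",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},  # benign: explorer parent, not flagged
]
TASK_NAMES = ["Adobe Acrobat Update Task", "MicrosoftEdgeUpdateTaskMachineCore", "ctbnlvdiz", "xhbnde5120"]

if __name__ == "__main__":
    for e in flag_events(EVENTS):
        print("proxy execution from Office:", e["cmdline"])
    for name in TASK_NAMES:
        print(f"{name!r}: score={randomness_score(name)} suspicious={suspicious_task_name(name)}")
```

Short names such as "ctbnlvdiz" defeat plain Shannon entropy (too few characters to score high), which is why the heuristic looks at vowel ratio and digit mixing instead; tune the threshold against your own baseline of legitimate task names before alerting on it.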

Additional Detection / Hunting Opportunities

Network / Email Level — Data Sources: Firewalls, proxies, Zeek, packet captures, simple NetFlow logs, possibly EDR

Endpoint Level — Data Sources: PowerShell, EDR, host logs, Sysmon, OSQuery

Additional Resources

Samples For Analysis at Malware Bazaar

Christian Taillon

A cyber nerd who believes that you don’t have to work at the same company to be on the same team.