QakBot Hunting: Autumn Spice

Christian Taillon
Oct 4, 2022

Autumn marks the beginning of the return of many familiar experiences. Familiar Halloween movies return to the screen; charming Fall time decor returns to the seasonal shopping aisle; many rejoice at the return of the seasonal Pumpkin Spice Latte to their cafe of choice. Unfortunately, the end of this Summer was also marked with the return of a less charming adversary: Mallard Spider.

The sophisticated Access Broker group called Mallard Spider has returned from its Summer-end hiatus with a mature, evasive, and effective process that complements their tried and true Social Engineering and Email Threat Injection tactics. They now employ an elusive combination of Defense Evasion techniques. Because this group is one we have discussed previously, I’ll link to those articles discussing the adversary and their primary malware and jump right into what’s new.

QakBot Detection: Duck Hunt

QakBot Detection: DUCK HUNT Part 2 — The .LNK

Why SOCs Should Look Out for Birds?

You might wonder, isn’t the return of this group to an operational mode just a return to normal? After all, infection attempts from this group have been typical enough that Mallard Spider’s attacks may seem commonplace in the industry. However, while QakBot, the main malware the group maintains, isn’t novel or, strictly speaking, uncommon, the combination of techniques utilized in this new iteration of campaigns results in an attack that is effective both in its Social Engineering of targeted end users and in its ability to bypass/evade standard detection methods.

It is also worth keeping in mind that Mallard Spider infections have previously been observed to drop Cobalt Strike Beacons, Brute Ratel C4, and other malware, occasionally resulting in Hands-on-Keyboard (HoK). This activity has also resulted in the deployment of Ransomware in corporate environments.

Email Chain Compromise \ Email Threat Injection

Perhaps one of the most powerful components of a phishing lure is the ability to inject mail into existing conversations, taking advantage of the target’s established trust with the spoofed sender. Sometimes, a request to access a URL or file attachment may not seem inappropriate or unexpected based on the established relationship or previous requests. Adversaries do this by using the access to a user’s email that they gain when they compromise an account to email recipients the compromised victim had contacted previously. The adversary can then use the signature and email body content the compromised victim used in the past.

It is good to include warnings of this tactic in your security training. Many lower their guard when they see a reply to a conversation they had only a few weeks or months ago.

Encrypted Payload Download

The cases involved show the adversary favors embedding URLs in the email body that lead to compromised infrastructure hosting a password-protected ZIP archive (although other techniques have been observed). This encrypted ZIP archive doesn’t allow security controls to perform static or dynamic analysis when the file is being downloaded or emailed (as it is in some cases). The adversary also seems to remove the infected files at some point after the attack is launched, inhibiting analysis.

Link to URL Download Map

“GalleryA” Sample: Provided here is an example of the files contained in the malicious ISO. The ISO contains a shortcut file that is used to execute a JavaScript file, which runs a CMD file to run Qbot loaded from the randomly named Database (.db) file, which is a portable executable dynamic link library (PE DLL).

Another tactic observed involved using an attached HTML document that downloaded a similarly encrypted archive file with an image to mount and a .LNK to execute. This HTML page also instructs the user to open the password encrypted .ZIP file and provides the password.

Compromised Infrastructure: Propagation & C2

QakBot, as it is appropriately named, is a bot. As it is a part of a larger botnet, it leverages compromised infrastructure in several ways and for various reasons. It uses compromised assets and identities to send out phishing to propagate and communicate instructions. This compromised infrastructure has the added benefit of providing adversaries with well-established domain registration and site reputation to help bypass this sort of detection. It also hinders our ability to respond, as one campaign can have far more than one set of IPs, domains, and files to block.

Involved in this Fall Campaign is a list of C2 IP Addresses. The Threat Intelligence community has been able to share the observed IP addresses involved in Qbot’s C2. Consider reviewing the C2 IP addresses provided in the observable section of this article.

Compromise Infrastructure: Malicious Download Hosting Domains

An extensive network of potentially compromised infrastructure is used to propagate the Qakbot malware in these fall campaigns. These devices’ function is to host the malicious compressed file containing all of the files needed to facilitate the attack, as well as other miscellaneous files such as .txt files containing text from popular literature such as Alice’s Adventures in Wonderland, Kant’s Critique of Pure Reason, and sections from Bill Watterson’s Calvin and Hobbes. Along with these benign .txt files can even be found benign image files such as .pngs and .gifs. These contain what we assume to be computer-generated images.

I will provide a link to the list of Domains hosting the Qakbot infection files in the Observables section of this article.

Automated Variety to Attempt to Slip Through Defense Cracks

I observed that a target accessing the same URL twice could get two files using different file types and infection methods. While this diversity makes response a bit more challenging, it also increases the probability that an attack will make it past our defenses. Recall from the previous two articles that this was one of the first big adversaries to be observed in the wild leveraging the then recently discovered Follina vulnerability in their attacks. We also observed them using .LNK files when we all expected Microsoft to follow through with blocking Macros by Default.

Detection / Hunting Opportunities:


Email Body Patterns

Based on the samples I have been sent, I have recognized a pattern that you can apply in your Email Security solution to identify or quarantine potential phishing emails. These Regex patterns, in their current state, may produce false positives and require tuning for individual environments.

$pattern1 = ((password|pass|passwd|passcode)\:(\s|)[a-zA-Z][0-9]{1,4})

$pattern2 = ((https|http)\:\/\/[a-zA-Z0-9-]{1,25}\.([a-zA-Z0-9.-]{1,5}){1,4})\/[a-zA-Z]{1,5}\/[a-zA-Z]{3,52}

$pattern1 AND $pattern2

If your Email Security controls allow you to search, detect and block emails with body content matching a specific pattern, this may be helpful for you.
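The two body patterns applied to a raw message, as an added example that is not part of the original article: it shows that the patterns have to run on the decoded body, because a quoted-printable soft line break inside the URL hides it from a scan of the raw text. The sample message, the function names, and the case-insensitive flag are assumptions of this example.

```python
import email
import re
from email import policy

# The article's two patterns with ASCII hyphens; IGNORECASE on the password
# pattern is this example's choice so that "Password:" also matches.
PASSWORD_RE = re.compile(r"(password|pass|passwd|passcode):\s?[a-zA-Z][0-9]{1,4}", re.I)
URL_RE = re.compile(
    r"https?://[a-zA-Z0-9-]{1,25}\.(?:[a-zA-Z0-9.-]{1,5}){1,4}/[a-zA-Z]{1,5}/[a-zA-Z]{3,52}"
)

# Constructed message: quoted-printable body with a soft line break ("=")
# in the middle of the URL.
RAW_MESSAGE = "\n".join([
    "From: partner@example.org",
    "To: user@example.com",
    "Subject: RE: Q3 invoice",
    "MIME-Version: 1.0",
    'Content-Type: text/plain; charset="utf-8"',
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "Hi, the file you asked for is here:",
    "https://shop.example.com/aut/co=",
    "ntractreview",
    "Password: U492",
    "",
])

def decoded_text(raw_message):
    """Return all text/* parts with the transfer encoding removed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")

def triage_body(text):
    """Apply '$pattern1 AND $pattern2'; keep the matched strings for the analyst."""
    pw, url = PASSWORD_RE.search(text), URL_RE.search(text)
    return {"password_hint": pw.group(0) if pw else None,
            "url": url.group(0) if url else None,
            "flag": bool(pw and url)}

if __name__ == "__main__":
    print("raw body:    ", triage_body(RAW_MESSAGE))
    print("decoded body:", triage_body(decoded_text(RAW_MESSAGE)))
```
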

File Indicators:

Behavioral Indicator: file writes of the following types from Archive (such as a Zip) downloaded from the Internet via a URL link in an email or from an Archive attached in an email:

Common Archive Files:

  • Zip
  • RAR
  • 7zip

Links the Adversary has been using:

  • .HTML
  • .LNK
  • .ISO
  • .DB (Masquerading PE)
  • Hidden .DLL
  • JavaScript
  • CMD/Batch File

Archive FileName:

  • Insurance#<random_4_character_number>.iso
  • Contract#<random_4_character_number>.iso
  • Learn#<random_4_character_number>.iso
  • Gallery#<random_4_character_number>.iso

ProcessCreation or FileWrite

Detecting the ISO Written in a Temporary File Path

The following Regular Expression Template detects FileCreation or ProcessExecution relating to the files used in this attack. We can use this in a Detection or Prevention capacity, but it should be tested and tuned in either case. This matches the execution of ISO, LNK, and DB files generated on Windows by the built-in archive tool.

CommandLine or FullPath: .*\\Temp1_.*\.(zip|RAR|7z)\\.*\.(iso|lnk|db)
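The path template and the "Archive FileName" list above, run over endpoint events, as an added example that is not part of the original article. The events are constructed, the function name is hypothetical, and the regex is this example's variant of the template (any file name allowed inside the extracted folder, case-insensitive, extension end-anchored).

```python
import re

# Example variant of the article's template: any file name is allowed between
# the extracted-archive folder and the extension, matching ignores case, and
# \b stops ".db" from matching longer extensions.
TEMP_EXTRACT_RE = re.compile(r"\\Temp1_.*\.(zip|rar|7z)\\.*\.(iso|lnk|db)\b", re.I)

# Lure names from the "Archive FileName" list: <word>#<4 digits>.iso
LURE_ISO_RE = re.compile(
    r'(?:^|[\\/"\s])(Insurance|Contract|Learn|Gallery)#\d{4}\.iso\b', re.I
)

# Constructed events: (host, event type, FullPath or CommandLine).
EVENTS = [
    ("WS01", "FileWrite",
     r"C:\Users\alice\AppData\Local\Temp\Temp1_Contract#1234.zip\Contract#1234.iso"),
    ("WS02", "FileWrite",
     r"C:\Users\bob\Downloads\Gallery#0042.iso"),
    ("WS03", "FileWrite",
     r"C:\Users\carol\AppData\Local\Temp\Temp1_report.zip\report.docx"),
    ("WS04", "ProcessCreation",
     r'"C:\Windows\explorer.exe" C:\Users\dave\AppData\Local\Temp\Temp1_docs.zip\docs.lnk'),
]

def hunt(events):
    """Return (host, event type, reasons) for every event that matches an indicator."""
    findings = []
    for host, kind, value in events:
        reasons = []
        if TEMP_EXTRACT_RE.search(value):
            reasons.append("temp_extract")   # opened straight from the built-in ZIP view
        if LURE_ISO_RE.search(value):
            reasons.append("lure_iso_name")  # file name follows the campaign's naming
        if reasons:
            findings.append((host, kind, reasons))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The WS02 event shows why the file-name check is worth running alongside the path check: an ISO extracted with a third-party tool never lands under a `Temp1_` folder.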

Hunting for Image Mount Events (CS Example):

The following search is an example of searching for events of image mounts in an environment. For many organizations, these events may be rare enough that this search could be used as a Threat Hunt lead with some filtering.

event_simpleName IN (FsVolumeMounted, RemovableMediaVolumeMounted, SnapshotVolumeMounted) VirtualDriveFileType_decimal=1
| rex field=VirtualDriveFileName ".*\\\(?<isoName>.*\.(img|iso))"
| stats earliest(_time) as firstTime latest(_time) as lastTime values(VirtualDriveFileName) as VirtualDriveFileName values(VolumeDriveLetter) as VolumeDriveLetter values(VolumeName) as VolumeName count by ComputerName isoName
| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")

Cyber Observables (IOA/IOC)

As previously mentioned, we were able to build a larger list of infrastructure involved in facilitating the malware download. Note that at this time, it is believed that these networks may be compromised infrastructure, not adversary-deployed.

christian-taillon/QakbotDownloadSourceInfrastructure

In addition to the infrastructure hosting the malicious files victims download, we also observed the previously mentioned C2 IP addresses. You can find a maintained list here:

christian-taillon/QakbotC2

Possible Mitigation Steps to Consider:

  • Consider including training about Email Chain Compromise \ Email Threat Injection in your organization’s Security Awareness Training.
  • Consider your capacity and willingness to detect, quarantine, or prevent the transfer of Zip file downloads or email attachments.
  • Consider Detecting or Hunting on executing executables from images (ISOs/IMGs) or archives (.zip, .RAR, .7z).
  • Consider detecting, quarantining, or preventing some of the Indicators listed in this report (C2/Download Sources).
  • Consider enforcing MFA on services with external access, at least with email authentication, to reduce the risk from this attack scenario.
  • Consider Hunting or Detecting on ProcessCreation or FileWrite that matches this pattern: '.*\\Temp1_.*\.(zip|RAR|7z)\\.*\.(iso|lnk|db)'
  • Consider Detecting or Preventing Traffic to the Currently Identified Compromised infrastructure at the VirusTotal Graph (temporarily)
