QakBot Hunting: Autumn Spice

Photo by Theo Crazzolara on Unsplash

Why Should SOCs Look Out for Birds?

You might wonder, isn’t the return of this group to an operational mode just a return to normal? After all, infection attempts from this group have been typical enough that Mallard Spider’s attacks may seem commonplace in the industry. However, while QakBot, the main malware the group maintains, isn’t novel or, strictly speaking, uncommon, the combination of techniques used in this new iteration of campaigns results in an attack that is effective both in its social engineering of targeted end users and in its ability to bypass or evade standard detection methods.

Email Chain Compromise \ Email Thread Injection

Perhaps one of the most powerful components of a phishing lure is the ability to inject your own mail into existing conversations, taking advantage of the target’s established trust with the spoofed sender. A request to access a URL or file attachment may not seem inappropriate or unexpected given the established relationship or previous requests. Adversaries do this by taking advantage of their access to a user’s mailbox once they compromise the account, emailing recipients the compromised victim had contacted previously. The adversary can then reuse the signature and email body content the compromised victim used in the past.

Encrypted Payload Download

The cases involved show the adversary favors embedding URLs in the email body that lead to compromised infrastructure hosting a password-protected ZIP archive (although other techniques have been observed). Because the archive is encrypted, security controls cannot perform static or dynamic analysis of its contents while the file is being downloaded or emailed (as it is in some cases). The adversary also seems to remove the infected files at some point after the attack is launched, further inhibiting analysis.

Link to URL Download Map

Compromised Infrastructure: Propagation & C2

QakBot, as it is appropriately named, is a bot. As part of a larger botnet, it leverages compromised infrastructure in several ways and for various reasons. It uses compromised assets and identities to send phishing to propagate and to communicate instructions. This compromised infrastructure has the added benefit of providing adversaries with well-established domain registrations and site reputation, which helps bypass reputation-based detection. It also hinders our ability to respond, as one campaign can involve far more than one set of IPs, domains, and files to block.

Compromised Infrastructure: Malicious Download Hosting Domains

An extensive network of potentially compromised infrastructure is used to propagate the QakBot malware in these fall campaigns. These devices’ function is to host the malicious compressed file containing all of the files needed to facilitate the attack, as well as other miscellaneous files such as .txt files containing text from popular literature (Alice’s Adventures in Wonderland, Kant’s Critique of Pure Reason, and sections from Bill Watterson’s Calvin and Hobbes). Alongside these benign .txt files, benign image files such as .png and .gif can also be found; these contain what we assume to be computer-generated images.

Automated Variety to Attempt to Slip Through Defense Cracks

I observed that a target accessing the same URL twice could receive two files using different file types and infection methods. While this diversity makes response a bit more challenging, it also increases the probability that an attack will make it past our defenses. Recall from the previous two articles that this was one of the first big adversaries observed in the wild leveraging the then recently discovered Follina vulnerability in their attacks. We also observed them using .LNK files when we all expected Microsoft to follow through with blocking macros by default.

Detection / Hunting Opportunities:

Image by Cole Miller

Email Body Patterns

Based on the samples I have been sent, we have recognized patterns that can be applied in your Email Security solution to identify or quarantine potential phishing emails. These regex patterns, in their current state, may produce false positives and require tuning for individual environments.

  • Zip
  • RAR
  • 7zip
  • .HTML
  • .LNK
  • .ISO
  • .DB (Masquerading PE)
  • Hidden .DLL
  • JavaScript
  • CMD/Batch File
  • Insurance#<random_4_character_number>.iso
  • Contract#<random_4_character_number>.iso
  • Learn#<random_4_character_number>.iso
  • Gallery#<random_4_character_number>.iso

ProcessCreation or FileWrite

Detecting the ISO Written in a Temporary File Path

Cyber Observables (IOA/IOC)

As previously mentioned, we were able to build a larger list of infrastructure involved in facilitating the malware download. Note that at this time, it is believed that these networks may be compromised infrastructure rather than adversary-deployed.

Possible Mitigation Steps to Consider:

  • Consider including training about Email Chain Compromise \ Email Thread Injection in your organization’s Security Awareness Training.
  • Consider your capacity and willingness to detect, quarantine, or prevent the transfer of Zip file downloads or email attachments.
  • Consider detecting or hunting on executables launched from disk images (ISOs/IMGs) or archives (.zip, .RAR, .7z).
  • Consider detecting, quarantining, or preventing some of the Indicators listed in this report (C2/Download Sources).
  • Consider enforcing MFA on services with external access, at least for email authentication, to reduce the risk from this attack scenario.
  • Consider hunting or detecting on ProcessCreation or FileWrite events that match this pattern: `.*\\Temp1_.*\.(zip|RAR|7z)\\.*\.(iso|lnk|db)`
  • Consider detecting or preventing traffic to the currently identified compromised infrastructure at the VirusTotal Graph (temporarily)
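As an added example that is not part of the original post, the following Python runs both hunts described above, the Temp1_ archive-extraction path pattern and the Insurance#/Contract#/Learn#/Gallery# ISO naming pattern, over constructed file-write and process-creation telemetry. The log line format, user names, and paths are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Hunt 1: when an archive is opened directly from Explorer, Windows unpacks it
# under %TEMP%\Temp1_<archive name>. A file with one of the observed payload
# extensions written there is the FileWrite/ProcessCreation signal from the post.
TEMP1_EXTRACT_RE = re.compile(
    r".*\\Temp1_.*\.(zip|rar|7z)\\.*\.(iso|lnk|db)$", re.IGNORECASE
)

# Hunt 2: lure ISO names observed in the campaigns: <Lure word>#<4 digits>.iso
LURE_ISO_RE = re.compile(
    r"^(Insurance|Contract|Learn|Gallery)#\d{4}\.iso$", re.IGNORECASE
)


@dataclass
class Hit:
    line_no: int
    rule: str
    path: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def hunt(log_lines):
    """Return one Hit per log line matching a rule.
    Assumed (constructed) line format: '<timestamp> <event type> <path>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the hunt
        path = parts[2].strip()
        if TEMP1_EXTRACT_RE.match(path):
            hits.append(Hit(n, "temp1_archive_extract", path))
        elif LURE_ISO_RE.match(basename(path)):
            hits.append(Hit(n, "lure_iso_name", path))
    return hits


# Constructed sample telemetry (not real campaign data).
SAMPLE_LOG = [
    r"2022-10-03T09:12:01Z FileWrite C:\Users\alice\AppData\Local\Temp\Temp1_Invoice.zip\Contract#4417.iso",
    r"2022-10-03T09:12:05Z ProcessCreation C:\Users\alice\AppData\Local\Temp\Temp1_Invoice.zip\readme.txt",
    r"2022-10-03T09:13:40Z FileWrite C:\Users\alice\Downloads\Insurance#0921.iso",
    r"2022-10-03T09:14:02Z FileWrite C:\Users\alice\Downloads\report.pdf",
    r"2022-10-03T09:15:22Z FileWrite C:\Users\bob\AppData\Local\Temp\Temp1_docs.RAR\open.LNK",
]
```

Both rules are deliberately case-insensitive, since the observed samples mix `.iso`/`.LNK` and `.zip`/`.RAR` spellings.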

Christian Taillon

A cyber nerd who believes that you don’t have to work at the same company to be on the same team.