Qakbot Inserting itself in your Conversations

-

A recent threat report by Sophos Labs details techniques and tactics utilized by the infamous Qakbot/Qbot malware. By inserting itself into existing email conversations and using the account of compromised victims, it is able to spread quickly across a target's network. Qakbot leverages reply-all messages equipped with a link to a download URL containing the zip file of a MS Office maldoc. 

See below:


There are hundreds of variants of the distributed emails, in different languages and with slightly different one-liners.

The primary malicious document analyzed by the Sophos team was an uncommon .xlsb, or Excel Binary Workbook extension. On par with expectations, the embedded payload executed upon enabling content. Here are some key takeaways from their analysis:

  • the payload was dropped into a random 5-character folder in the root of the C: drive.
  • via MS Edge, it contacts a compromised website and injects itself into an Edge instance
  • the malware profiled the machine it was on (ie: public facing IP)
  • it downloaded additional payloads

Once injected into Msedge.exe and/or Explorer.exe, Qakbot starts retrieving additional payloads and injects them into two main system programs. Explorer allowed the main malware payload to C2 every five minutes. Sophos labs observed the C2 address remain active for at least five months.

One of the malicious payloads retrieved by the main malware appeared to be a Web proxy used for opening session to a website's admin interface with stolen credentials. This provided the malware the ability to upload files to that websites storage. Another payload resolved a dozen or more SMTP servers and attempted to connect to each and send spam.

A third payload analyzed by the Sophos team looked to perform an ARP scan of the whole IP address range of their test NAT network address space, likely looking for lateral movement opportunities.

Communication between the the controller and the bots is done through HTTPS POST and GET requests where the data is encrypted and wrapped in TLS. Once shed of TLS, the traffic is still encoded and the POST paths always (in this test) contained /t4

"This encoded data, which appears just as a blob of base64-encoded text, can be hard to decode because the bot generates an encryption key for each message, with part of the key being the first few characters of the message, and a static salt value", Sophos Labs.

Once unencrypted and decoded, the team was able to observe data in JSON format. This data contains another layer of encoding but was easier to decode. Analysis uncovered a table of "message types" used in C2 communications. See below.


Sophos labs noted upon first contact with the C2 address, the bot transmitted out a very detailed information blob about the victim machine to the C2 controller including users and permissions, speeds, drivers, running services, scheduled tasks and more. In return, the bot receives a large blob of data from the controller; mostly more DLL payloads.



Qakbot is growing in popularity and has shown its ability to wreak havoc quietly. The researchers concluded their report with the following detection and mitigation advice:

"The easiest advice is to treat email with a reflexive distrust unless demonstrated to be otherwise, even when messages appear to come as replies to existing email threads. While the attackers seem to have moved on from the use of Latin phrases in their URLs, one aphorism in that ancient language appears to remain good advice: Caveat lector – let the reader beware", Sophos Labs.

Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more