Security professionals are sounding the alarms on the latest string of attacks using Qakbot malware to breach networks and deploy ransomware in less than half a day. These attacks highlight a growing trend of cybercrime collaborations where operators like the Qakbot malware group expand their operations by selling Access-as-a-Service (AaaS) to other criminal gangs. In particular, Qakbot has been tied to ransomware groups including Maze, ProLock, Egregor, Conti, and now Black Basta. A string of attacks over the last few months has revealed an aggressive and widespread Black Basta ransomware campaign, primarily targeting US companies, where attackers are using Qakbot as the initial attack vector to install a backdoor, and then move laterally within an organization’s network dropping in encryption malware.
Discovered in the wild in 2007, Qakbot (also known as Qbot, Quackbot, or Pinkslipbot) has evolved from a banking Trojan designed to steal Personally Identifiable Information (PII) into a multi-purpose botnet capable of performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering malicious payloads. Qakbot is designed to be highly evasive to avoid malicious detection tools, as well as self-propagating which makes it difficult to stop and very dangerous. Add to that a modular nature that makes it easy for attackers to custom configure it, makes Qakbot an increasingly popular choice for a malware delivery network, like TrickBot or Emotet.
Qakbot attacks are most frequently launched through phishing email campaigns which lure victims to click on either an attachment or a link containing the malicious payload. And while the phishing lures are not the most sophisticated tactic, they originate from hijacked email chains or compromised accounts and leverage contextually aware themes which makes them effective.
Excel 4.0 Macros. Weaponizing Excel 4.0 Macros is an effortless and reliable method attackers use to get a foothold into a target network as this technique simply represents an abuse of a legitimate Excel feature and does not rely on any vulnerability or exploit. XLM macros are very straightforward and easy to create, thus easily modified to bypass signature-based detection. Macros are also robust and provide various functions that can be leveraged to evade analysis, such as obfuscating the final malicious payload, modifying the control flow, or detecting automated sandbox analysis through specific host environmental checks.
Phishing Emails with Hyperlinks. Phishing emails with hyperlinks to benign domains that host the malicious payload are also commonly used. In this case, an attacker would send an email with a link to the malicious payload using password-protected ZIP files. As the domain itself is harmless, the email easily bypasses most security tools and evades detection. Once a user opens the ZIP file, the malicious link downloads a JavaScript file which then downloads the Qakbot payload.
HTML Smuggling. HTML smuggling uses specially HTML attachments and web pages to build malware directly on a compromised endpoint behind the firewall. This method leverages emails containing an HTML attachment rather than a ZIP file or document. Once a user opens the HTML attachment, the HTML would build the malicious payload through a decoding process and subsequently create a password-protected ZIP file that contains the file with the Qakbot payload.
Once the machine is infected, Qakbot copies itself onto the network and onto removable drives, mutating itself while moving laterally and leveraging Command and Control frameworks such as Cobalt Strike for post exploitation operations. Once Cobalt Strike is executed on a system, attackers can broker the system as an initial access point to other threat actors and ransomware group affiliates as part of the ransomware-as-a-service ecosystem. This means that during the course of a compromise, there could potentially be one or more adversary groups operating inside of a given network.
Recommendations
As recent Qakbot attacks are proving to be increasingly swift from the time of initial compromise to a full-blown attack, it’s critical to prioritize detection speed as a key requirement for building up your security stack. The potential for security solutions to deliver maximum threat protection rests in the quality of data used to power the solution. Commercial threat intelligence feeds like PhishBlocklist and Malicious Detailed Detection Feed from zvelo offer market-leading accuracy, coverage and detection speed enabling partners to design premium quality security solutions to protect end users around the globe.
Qakbot phishing emails are designed to take advantage of a user’s lapse in decision-making, and they are designed to appear legitimate. In addition to bolstering your security stack, zvelo shares the following recommendations to end users:
- Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the sender intended on sending the email.
- Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. They should also instruct employees to report the threat to the company’s security operations team immediately.
- Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros. Enterprises can prevent macro malware from running executable content using ASR rules.
- Ensure systems are up to date with the latest software updates and security patches.
- Ensure antivirus software is installed, updated and actively monitoring all endpoints in your environment.
