Qakbot, also known as Pinkslipbot, Qbot and Quakbot, is a notorious Banking Trojan designed to steal account credentials and online banking session information, leading to account takeover fraud. Commonly distributed via malicious unsolicited email (malspam), recent Qakbot campaigns have reportedly deployed 'Cobalt Strike' beacons, likely in an attempt to move laterally, gain persistence and establish a robust communication channel back to the threat actor.
Notably, the use of 'recycled' legitimate emails, likely obtained from other victims and potentially sent to known recipients of these, will appear convincing to many. As such, users should be wary of any out-of-character or unexpected email, especially when it includes unusual links or attachments.
Whilst reports vary on the first observation of Qakbot, potentially as early as 2007, the Trojan continues to be heavily maintained and updated by its creators leading to the active threat observed today. Demonstrating this continued development, recent features include a worm-like ability to spread over networks, advanced web-injection techniques to steal credentials and a persistence mechanism that some believe to be the best in its class.
Additionally, the Trojan has implemented anti-debug, anti-sandbox and anti-VM functionality, in addition to regularly shifting its command and control (C2) infrastructure to prevent the retrieval of malicious payloads, in an attempt to thwart security analysis and research.
In an attempt to further evade detection, Qakbot is considered a polymorphic threat in that it can modify itself even after it has infected an endpoint. Additionally, Qakbot constantly modifies files, including the payloads involved, resulting in newer variants continuously cycling through C2 servers.
The combination of all of these abilities ensures that Qakbot remains a highly effective threat responsible for countless successful attacks on organizations, including governmental structures, worldwide, leading to the infection of tens of thousands of hosts and high financial losses for both victims and their associated financial institutions.
Since Qakbot predominantly targets the corporate sector, the primary infection vector involves the delivery of an initial malicious payload, typically using malicious unsolicited email (malspam) or phishing campaigns, as well as exploiting common vulnerabilities to infiltrate target organizations.
In addition to these common delivery methods, reports suggest that the threat has also been distributed by a dropper that installs the threat using a delayed execution function. Specifically, after a dropper is deployed to a target machine, likely through some malware-as-a-service (MaaS) campaign such as those orchestrated by 'Emotet', it waits approximately fifteen minutes before dropping the Qakbot payload, likely in an attempt to evade detection by security solutions such as sandboxes.
In this recently observed campaign, victims were targeted with malicious email lures that appear to be in response to, or modified versions of, legitimate business communications between two parties (Figure 1).
Figure 1 - Example lure email seemingly using content known to the recipient/victim
The use of an existing legitimate email, aside from making the lure appear far more convincing to a recipient recognizing their own message and possibly the purported sender, is consistent with previously identified Qakbot behavior in which email accounts are compromised and message threads hijacked. This tactic effectively creates a 'snowball effect' in which more and more organizations can be targeted with lures derived from legitimate email messages obtained from previously compromised victims.
As is common with this delivery method, the malicious document, in this case a Microsoft Excel spreadsheet, is compressed and attached as a Zip archive. Notably, of the samples observed thus far in recent Qakbot campaigns, the filenames of these archives appear somewhat similar in that they use a common phrase followed by a two-digit number, for example:
Furthermore, the compressed Microsoft Excel spreadsheet filenames also appear to follow a naming convention beginning with document- followed by nine to ten digits and ending in .xls, for example,
Given this, any suspicious email attachment exhibiting similar naming conventions should be considered potentially malicious.
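The spreadsheet naming convention above lends itself to a simple mail-gateway or triage check. The following is an added example (not code from the original post) that opens a Zip attachment in memory and flags any member named document-<nine or ten digits>.xls; the archive contents are constructed placeholders.

```python
"""Flag Zip attachment members that follow the 'document-' + 9-10 digits + '.xls'
naming convention described in the text (added example, not from the original post)."""
import io
import re
import zipfile

# Naming convention from the text: 'document-' followed by nine or ten digits and '.xls'.
LURE_NAME_RE = re.compile(r"^document-\d{9,10}\.xls$", re.IGNORECASE)


def suspicious_members(zip_bytes: bytes) -> list:
    """Return the names of archive members matching the lure naming convention."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Compare on the base name so a nested folder does not hide a match.
            base = info.filename.rsplit("/", 1)[-1]
            if LURE_NAME_RE.match(base):
                hits.append(info.filename)
    return hits


def build_sample_zip(names: list) -> bytes:
    """Constructed sample archive for demonstration; member contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["document-1234567890.xls", "invoice.pdf"])
    print(suspicious_members(sample))
```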
Victims falling for the email lure, opening the Zip archive and subsequently the malicious spreadsheet will be presented with content that claims to be 'encrypted by [the] Docusign® Protect Service' (Figure 2).
Figure 2 - Qakbot fake 'Docusign Protect Service' encrypted spreadsheet
Fake content such as this is an attempt to socially engineer the victim into bypassing the security controls within Microsoft Office by clicking on 'Enable Editing' and 'Enable Content' which in turn will allow embedded macro code to be executed. This tactic is not unique to Qakbot and is regularly observed across multiple cybercrime campaigns such as those conducted by 'Emotet' and 'Trickbot'.
Likely in an attempt to evade detection, the malicious code embedded within this spreadsheet is obfuscated and split across multiple cells on Excel macro sheets (XLM) that sit alongside the main 'DocuSign' sheet. To prevent a casual visual inspection of these values, the font color on the additional sheets is set to 'white' so as to match the cell background, making them appear blank, although this text can easily be revealed (Figure 3).
Figure 3 - Obfuscated code hidden within the lure spreadsheet (Revealed in 'red')
Once the victim has lowered the security posture of Microsoft Office, the malicious code is automatically executed using the Auto_Open() function, leading to the reassembly of the download and execution commands by concatenating the various strings (Figure 4).
Figure 4 - Excel 'malicious command' string concatenation formula
De-obfuscating these formulas and reassembling the strings allows the first stage payload download and execution commands to be viewed:
- Uses the Visual Basic for Applications (VBA) CALL statement to access URLMon.dll and download the first stage payload from the specified URL to the specified path, in this case the parent directory, as signified by ..\, with a seemingly random or nonsense filename.
- Uses the VBA EXEC function to execute the rundll32.exe utility to register the downloaded payload, a dynamic link library (DLL), allowing its malicious code to be executed:
Notably, utilizing hardcoded domains and URLs for these payloads likely indicates that each lure document is tailored to the campaign and/or victim, behavior somewhat consistent with the tactics, techniques and procedures (TTP) observed in campaigns conducted by other threat actors such as 'Emotet'.
Once the first stage payload, a dynamic link library (DLL), has been downloaded, the malicious Microsoft Office 'downloader' macro executes rundll32.exe to register and spawn the malicious Qakbot payload.
Subsequently a scheduled task is created, using the Windows Task Scheduler, schtasks.exe, to load the DLL payload with the Register Server utility, regsvr32.exe, using the following parameters:
- /Create - Schedules a new task;
- /RU "NT AUTHORITY\SYSTEM" - Executes the task with elevated system privileges;
- /tn <RANDOM_STRING> - Specifies the task name, seemingly using a random string;
- /tr "regsvr32.exe -s \"<PAYLOAD>" - The process to be executed; in this case regsvr32 is passed a malicious dynamic link library (DLL);
- /SC ONCE - Task scheduled to execute once at the specified time;
- /Z - Delete the task upon completion of the schedule;
- /ST <Now + 3 minutes as hh:mm> - Start time, used by the
- /ET <Now + 15 minutes as hh:mm> - End time, used by the
Of the samples observed thus far, the start time is consistently set three minutes into the future and the end time fifteen minutes into the future, presumably allowing the malicious process to act on its objectives within a twelve minute window.
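The parameter combination above is distinctive enough to hunt for in process-creation telemetry. The following is an added example (not code from the original post) that parses a schtasks.exe command line and reports which of the traits listed above it exhibits, including the twelve minute /ST to /ET window; the sample command line, task name and DLL path are constructed placeholders.

```python
"""Flag schtasks.exe command lines matching the Qakbot persistence pattern
described in the text (added example, not from the original post)."""
import re

# One switch plus its optional value; values may be double-quoted with \" escapes.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+(?!/)("(?:\\.|[^"\\])*"|\S+))?')


def parse_switches(cmdline):
    """Map lower-cased schtasks switches to their values (None for bare flags)."""
    args = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group(2)
        if value and value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')  # drop outer quotes, unescape \"
        args[m.group(1).lower()] = value
    return args


def window_minutes(start, end):
    """Minutes between two hh:mm clock times, wrapping past midnight; None if absent."""
    try:
        sh, sm = map(int, start.split(":"))
        eh, em = map(int, end.split(":"))
    except (AttributeError, ValueError):
        return None
    return ((eh * 60 + em) - (sh * 60 + sm)) % (24 * 60)


def qakbot_task_indicators(cmdline):
    """Return the traits from the text that a /Create command line exhibits."""
    args = parse_switches(cmdline)
    if "create" not in args:
        return []
    hits = []
    if (args.get("ru") or "").upper() == "NT AUTHORITY\\SYSTEM":
        hits.append("runs as SYSTEM")
    if re.search(r"regsvr32(\.exe)?\s+-s\b", args.get("tr") or "", re.I):
        hits.append("regsvr32 -s loads a DLL")
    if (args.get("sc") or "").upper() == "ONCE":
        hits.append("one-shot schedule")
    if "z" in args:
        hits.append("task deletes itself (/Z)")
    if window_minutes(args.get("st"), args.get("et")) == 12:
        hits.append("twelve minute ST/ET window")
    return hits


# Constructed sample command line; the task name and DLL path are placeholders.
SAMPLE = (r'schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /tn qwrtyuiop '
          r'/tr "regsvr32.exe -s \"C:\Users\Public\bgdf.dll\"" /SC ONCE /Z /ST 14:03 /ET 14:15')

if __name__ == "__main__":
    print(qakbot_task_indicators(SAMPLE))
```

A single trait (for example /SC ONCE) is common in benign automation; alerting on the full combination keeps the rule specific to the behaviour described here.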
Whilst not observed in our attempts to execute this threat, a recent SANS ISC diary entry suggests that a 'Cobalt Strike' payload is delivered by Qakbot, leading to additional command and control (C2) traffic.
Likely used by the threat actor to manage and track their attack activity, both a botnet and a campaign identifier are embedded within the payload and can be extracted alongside C2 IP addresses. This data, whilst encrypted and packed, can be easily seen within the sandbox analysis results within 'Hatching Triage' (Figure 5).
Figure 5 - Example 'Hatching Triage' Qakbot analysis (https://tria.ge)
- Employee security awareness training can help them to identify and handle suspicious content such as unexpected or out-of-character communications, especially those containing email attachments or external links.
- Reinforce the message that Microsoft Office files that encourage users to 'Enable Editing', 'Enable Content' or disable any other security setting are almost certainly malicious.
- Consider the use of Group Policy to disable macros from running in Microsoft Office applications altogether; legitimate macros should be digitally signed to allow an exception to the disable rule.
- Administrative tools and script interpreters, such as PowerShell, should be disabled to prevent misuse by malicious payloads.
- Enhance the overall security of your infrastructure by monitoring for, and denying access to, malicious domains, hosts and IP addresses as detailed in the Indicators of Compromise section.
Indicators of Compromise
First Stage Payload Domains
The following domains have been identified as hosting the first stage payload as downloaded by the macro within the initial lure spreadsheet.
First Stage Payload IP Addresses
Based on passive DNS resolution of the first stage payload domains, the following IP addresses were identified and may be reused for nefarious purposes by those responsible for this threat.
First Stage Payload URLs
The following first stage payload URLs were identified as related to initial Qakbot lures and should be considered malicious.
Based on these recent observations, similarly structured URLs ending with the following paths and resource names could potentially be considered malicious.
Initial Lure Attachment SHA256
The following hashes are examples of recent Qakbot attachments (Zip-compressed archives) containing Microsoft Excel spreadsheet lures. Given that these are seemingly generated for each campaign and/or victim, these samples are unlikely to be reused in the future and are provided for reference only.
Botnet & Campaign Identifiers
The following botnet (alpha-numeric) and campaign (numeric) identifiers have been observed during March 2021, with those behind Qakbot recently using US President names as well as some less 'catchy' botnet identifiers:
Command & Control IP Addresses
The following Qakbot command and control (C2) IP addresses have been observed as in use across multiple botnets and campaigns during March 2021:
| Technique | Tactic(s) |
| --- | --- |
| T1027 - Obfuscated Files or Information | Defense Evasion |
| T1027.002 - Obfuscated Files or Information: Software Packing | Defense Evasion |
| T1053 - Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1053.005 - Scheduled Task/Job: Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1055 - Process Injection | Defense Evasion, Privilege Escalation |
| T1055.001 - Process Injection: Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
| T1056 - Input Capture | Collection, Credential Access |
| T1057 - Process Discovery | Discovery |
| T1082 - System Information Discovery | Discovery |
| T1497 - Virtualization/Sandbox Evasion | Discovery, Defense Evasion |
| T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion | Discovery, Defense Evasion |
| T1518 - Software Discovery | Discovery |
| T1518.001 - Software Discovery: Security Software Discovery | Discovery |