QakBot malware
September 11, 2023
QakBot is a banking stealer, which appeared back in 2007. Through such a long timeline, it changed a lot of its properties and gained new functions. It was used to attack both individuals and corporations, mainly applying email spam and dropper malware to propagate itself to target systems. QakBot is also known under the names of QBot, QuackBot and Pinkslipbot. Key features that made it distinctive compared to other malware samples is its ability to self-propagate through email and in local networks, and the ability to act as a malware loader.
Received QakBot samples
Throughout its long history, it had several long-time surges of activity. Last one started around 2021, and keeps going today. This time, however, it rather aims at corporations than single users – thanks to the aforementioned ability to act as a dropper. In particular, hackers who stand behind it use its primary functions to steal as much data as possible, combining it with other stealers. Then, QBot drops ransomware, which obviously ends up with ciphered files and scared personnel.
2023 Botnet Takedown
Great success obviously attracts great attention. In the cybercrime world this means being wanted by law enforcement. This touches not only physical detainment of the hackers, but also disruptions of malware operations. And that is what happened in late August 2023, when the FBI managed to dismantle the entire QakBot botnet at once.
The operation nicknamed “Duck Hunt” started with tracing the web hosting that was used by malware developers as a Tier 2 command server node and testbed for new malware samples. After the corresponding court decision, law enforcement also forced the hosting to pass them a copy of an entire infrastructure stored on their servers. This uncovered servers involved in phishing campaigns used by QBot to spread itself, and also info about crypto wallets related to cybercriminals. Additionally, having server copies in hands uncovered the encryption keys used for secure communications with infected machines and the “main” server.
The next phase of the operation was to force the botnet, hosted mostly on ordinary work or home systems, to subordinate not the original servers but their FBI-controlled copies. The encryption keys mentioned above helped a lot, as it allowed for sending a valid command for switching the Tier 2 server IPs. Then, feds have simply sent an uninstaller, which on August 25 led to a complete removal of QakBot from over 700,000 machines.
Such a wreck definitely changes QakBot’s future. As malware masters did not divide their botnet into several parts, that may have saved other parts when one is disrupted, they are about to start all things from scratch. And nowadays, it is much harder than back in the times when this humongous botnet was starting. Nonetheless, we don’t think QBot will have a fate similar to Emotet – but will be happy to be wrong.
QakBot delivery methods
Before getting to the functionality of QakBot, let’s have a look at the ways this malware propagates. Key method of spreading over the last 3 years is, obviously, email spam. It became pretty much meta during the last couple of years, and QBot decided to align to this trend. Still, nothing stops it from using other ways of propagation.
Email spam that propagates QBot generally contains a MS Office file that keeps malicious macro inside. This trick was working for over a decade, until Microsoft forcibly disabled execution of any macros that come from the Internet. However, crooks know a lot about diversification, and have a way to circumvent this problem. Such a way is links within the email body, that lead the victim to a compromised web page. Visiting it returns an archive that contains a PS script. Running the latter ends up with pretty much the same consequences as with malicious macro.
More advanced method that was often chosen in the past is dropper malware. In particular, it used Emotet as a downloader. Extensive botnets under the rule of this malware had alarming scales since 2017, but after some of its actors were arrested in Ukraine back in January 2021, it was inactive for more than a year. Within such a network, a single command from the C2 was enough to deploy any sort of malware – and QBot was just another one in this list. This approach was also used pretty often when targeting companies, along with preliminary reconnaissance of the target.
QBot Trojan Analysis
Same as any other banking stealer, QBot does a good job at keeping itself as stealthy as possible, both in internal operations and connectivity. Over time it gained more and more sophistication in avoiding analysis and advanced security solutions. Thus, we will review only its latest versions – ones that appeared after 2020.
Packing and unpacking
First thing that gets into your eyes when you look upon several samples of QBot is the wide difference of packing between each sample. That is reached with the unique packer that mixes file sections in a random order. Such an approach helps not only to confuse signature-based detection, but also makes it harder to detect with heuristic rules. Nonetheless, it does not cause trouble for analysis, as the behaviour of malware after its launch is pretty predictable, and thus may be exploited to get clean code samples.
Initial payload arrives in the form of an encrypted binary file. A part of this binary is a DLL, which runs the decryption process. But before, it should be launched, and it is generally performed with the other part of the aforementioned binary. Using VirtualAlloc functions, QBot on its first stage locates itself the memory area and uses it to place the initial code sample. Then, the same VirtualAlloc function is used to mount the other memory part, and then malware unpacks itself to this spare memory. The DLL file hooks up at this moment, injecting the QBot code into a legit process, generally explorer.exe. After the successful execution, that DLL is getting wiped.
Launching
Once unpacked, QBot uses the rundll32.exe process to inject itself into a legit process, generally explorer.exe. Mobsync.exe and msra.exe – Windows system processes dedicated to establishing remote connections – are used as auxiliary. Possibly, malware exploits their functionality to establish a stealthy connection to the C&C server.
The original file loaded to the memory is likely to have an uncertain extension, like .dat or .htm – in order to go below the radars of security systems. The name of the unpacked version is generally random, as well as the name of the folder it creates in %APPDATA%\Microsoft to store its files. What’s more interesting, this randomising depends on the computer it is running on – within the same system all names will always remain the same, even if the different sample is started. The location, however, may be altered depending on the checkups it does during the launch.
Even before that, QBot enumerates the processes to see if there is any anti-malware software running in the environment. It mainly searches for the ones typical for EDR solutions. It searches for the extensive list processes; having a match changes the way malware will behave in the system. QakBot will deviate from its regular way of launching depending on the detected software package, according to which behaviour does it track.
- Mcshield.exe
- WRSA.exe
- fshoster.exe
- fmon.exe
- ccSvcHst.exe
- bdagent.exe/vsservppl.exe/vsserv.exe
- coreServiceShell.exe/NTRTScan.exe/PccNTMon.exe
- MsMpEng.exe
- ByteFence.exe
- avp.exe
- kavtray.exe
- egui.exe/ekrn.exe
- AvastSvc.exe
- SavService.exe/SAVAdminService.exe
- mbamgui.exe/MBAMService.exe
- avgsvcx.exe/avgcsrva.exe/avgcsrvx.exe
*The list is not complete as it may alter with time, due to malware adaptation to new releases and changes in EDR architecture.
The next step malware does is establishing persistence by adding a specific task to Task Scheduler. It can barely be called vulnerability exploitation, since at this point, malware had already been legitimised in the system. The Scheduler task aims at escalating privileges for malware (running it as SYSTEM) and contains the following command:
schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn juqpxmakfk /tr "regsvr32.exe -s \"C:\Users\REDACTED\ocrafh.html\"" /SC ONCE /Z /ST *time* /ET *time*
Shortly after gaining persistence, QakBot gets to doing its dirty job in the infected system. First of all, it executes several commands that give it a complete set of information related to the system it is running in.
- arp -a
- ipconfig /all
- route print
- net localgroup
- net view /all
- cmd /c set
- whoami /all
- nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs[%domain_name%]
- net share
- netstat -nao
The information received from these commands is too extensive to be just a fingerprint of a system malware was launched in. It is definitely a part of a stealer activity, which aims at collecting data about all profiles present in the system and all local network entities. Further activities of this malware are related to collecting credentials, including taking ones from web browsers.
Anti-analysis techniques
Being protected from anti-malware software detection is an obvious need for malicious software. However, avoiding analysis done by peaky persons like malware analysts is what may also be important for advanced malware pieces. Once dismantled, it may easily be analysed and a unified solution for its countering may be found. QakBot contains certain counteraction features, not a lot, but enough to confuse attempts to analyse it without the use of specific software.
First of all, it checks the environment it is running in for the processes that may be related to a sandbox. This step is done simultaneously with checking if there are any processes related to the EDR system. Among the ones it checks for are frida-winjector-helper-32.exe, frida-winjector-helper-64.exe, srvpost.exe and others. The list of processes may alter in future, as malware receives corresponding updates.
Another thing QakBot pays attention to is the name of its own file. The blacklist here consists of the names like artifact.exe, sample, sandbox, cuckoo-***, virus, mlwr_smpl, malware, and so on. This is possibly the most basic check that is present even in much older malware – if it was designed to avoid analysis, of course.
Final check reviews the presence of any artefacts related to the virtual machine. Using the WinAPI functions SetupDiEnumDeviceInfo and SetupDiGetClassDevsA, malware checks if there are devices named VboxVideo, Red Hat VirtIO, QEMU, and so on. Additionally, it checks whether there are logon accounts with the word “Virtual” in its name.
Detecting any of these signatures will make malware run in an infinite loop, until these checkups are passed. Hence, using sandboxes is enough to get information for static analysis of this malware, while dynamic analysis requires the use of debug environments.
C2 communication
All QBot samples bring up to 150 IP addresses of command and control servers, although this number is commonly much smaller in real-world tests. During the building process the operator specifies the IPs that malware should communicate with. If it fails with one, it snaps randomly to the other from the list. In the situations where QBot performs lateral movement to other machines, it adds the IP address of its initial access point as the way to contact the command and control server. In that case, the first computer acts as a proxy server in the route of C2 communication.
The exact communication between QBot and C2 happens through the encrypted and packed HTTPS requests. Typically, malware applies RC4 for data encryption and base64 for encoding. The exact messages, aside from stolen data and payloads, contain the messages from a fixed set. First such a message is PING, sent moments after malware started running. As you may guess, that is a simple notification for the C2 that a new QBot was activated. Among other basic information, it contains bot ID.
Messages that follow the previous one are “SYSTEM INFO” and “ASK FOR COMMAND”. The former sends the information about the environment QakBot is running in, the other informs the C2 that malware is ready for the further instructions. The only response from the command server if it successfully received these messages is ACK (acknowledged). Aside from junk rows, this message also contains the data about external IP of the infected system. Actually, the other type of reaction is COMMAND message, that expectedly headlines the following instruction for malware. One more message type that may be sent by malware is STOLEN INFO – headlining the pack of exfiltrated data from the attacked system.
SYSTEM INFO message contains the entire pack of information received after the commands we listed above. Overall, it carries data about system architecture (x32 or x64), OS version and build, screen resolution, system time (in the form of UNIX timestamp), system uptime, installation path of the bot, list of currently running processes, and some other things.
COMMAND message, that goes from the C2 server, can contain 24 different commands for malware. It may be sent only after receiving an ASK FOR COMMAND message, since it works as a marker that malware is ready to operate. They are related both to QakBot and payloads it can deploy to the infected system. Using commands, operators may not only specify the malware to download and deploy, but also to change the way it will be launched in the system.
Within the COMMAND message, there is yet another anti-analysis trick, which appeared only in the recent QBot samples. After the connection with C&C is established and the SYSTEM INFO message is sent, C2 sends a blank COMMAND message, which does not contain anything. Only after 40 minutes of idle it sent a message that had relevant instructions.
One more interesting feature of the QBot messages is that they contain a salt value in each message. That likely serves as a way to prevent the possibility of bot hijacking or spoofing the messages sent to the bot or command server.
Stealer capabilities
One of two functions QakBot is known for is data stealing. Actually, this classification offered by the vast majority of analysts is banking stealer, and we agree with it. And when it comes to grabbing data from different parts of the system, it acts professionally and meticulously. Malware masters may choose which functionality they want to use in each attack, as functions that exceed listing system specifications and system credentials dumping are delivered as separated modules.
Basic functionality, however, already contains the ability to grab certain passwords from the system. The LSASS.exe process, a whipping boy of a great number of hack tools, contains password hashes of all users present in the system. Dumping these hashes makes it possible to impersonate them. If malware makes its way towards domain controllers, it uses LSASS dumping to obtain admin credentials. Having such permissions hackers are free to do whatever they want within the entire network. Actually, these functions are what Mimikatz hacktool does to the system.
Banking attacks
QakBot lives up to its name by making an extensive attack on victims’ banking sites. It targets a large lineup of banks, both from the US and other countries of the world. If the banking module is loaded, it starts monitoring browser activity, seeking for the specific sites. If QBot detects that the victim opens one of these sites, it triggers JavaScript injection to the browser. That script forces the site to log out the user, and thus request it to type login and password. In the background, malware collects all the keystrokes. Some deep infections which were active for a long time were reportedly complemented with a JS that automates money transfers from the victim’s account. Hence, it seems that operators may be free to use JScripts of any purpose and source.
List of banks QakBot aims for
| J.P. Morgan Chase | Fifth Third Direct | Citibank |
| SinglePoint | Citizens Financial | Key Bank |
| Bank of America | Capitan One Financial | First Citizens Bank |
| First Horizon Bank | SunTrust Bank | Compass Bank |
| TreasuryDirect | Wells Fargo | TCF Bank |
| Frost Bank | Huntington Bank | M&T Bank |
| TD Bank | Scotiabank | FirstMerit Bank |
| Eastern Treasury | First Republic Bank | ABN AMRO |
| PNC Bank | Silicon Valley Bank | CashPlus Bank |
| Webster Bank | FundsXpress |
Email grabber
Key point of interest of the email grabber module is Microsoft Outlook. If malware detects it among the installed programs, the grabber module will dump all messages present in the inbox and an entire contact book. As further research has shown, emails and contact books are then used to commit so-called thread hijack, or for a more common spear phishing. Moreover, emails as it may contain valuable data, which can act as a basis to blackmail the company. Information collected by email grabber is stored in the directory where malware is located, and is deleted as soon as QBot manages to send it to the C2 server.
Password grabber
Password grabber for QBot is an advanced modification of the LSASS dumper we discussed above. Passgrabber aims at gathering passwords and login information from browser files, primarily Mozilla and Chrome. It also attempts to extract passwords from Microsoft auth mechanisms and in particular Microsoft Vault, substituting the LSASS dumping with a different algorithm.
Cookie stealing
Cookies are an obvious target for a wide variety of cyberattacks. They can contain a lot of personal information, including names, email addresses, dates and even passwords. Aside from using social engineering to obtain cookies, crooks may also try to simply steal them. QBot offers such functionality with the add-on module; it can steal cookies from Chrome and Chromium browsers, Edge, Firefox, IE, Opera and Blink-based browsers.
Virtual Network Computing Connectivity
Even having banking credentials does not mean having full access and freedom of money management. Most banks nowadays use geolocation checkup to assure transactions. If there is something unusual, the client will receive a call, and all the disguise will be ruined. VNC functionality allows the hacker to connect to the infected system and use it as if it was its own PC. That not only masks the crook’s geolocation for a bank, but also allows the hacker to disguise itself as its victim – which may be pretty useful during some other cybercrimes.
Dropper functionality
The ability to deliver additional payloads may be useful not only in an extensive cyberattacks, but also for increasing the profitability of the attack upon a single user PC. QBot operators are known to deploy ransomware in both cases, generally ProLock, Conti and Egregor. The more typical action for attacks upon corporations is deploying Cobalt Strike beacon that offers backdoor and dropper functionality – a more extensive one that QakBot can offer.
As you may guess, payload delivery happens only after the “main course”, i.e. bot initialisation and data grabbing. Most commonly, running the payload and its spreading to other systems will be completed with the use of credentials that were leaked primarily to the additional payload delivery. After getting access to a new device via credentials theft, QakBot drops a malicious DLL – actually, a sleeping payload precursor. After that, crooks may both deploy only additional payloads via that access, or bring another instance of QBot before other things. It is also noteworthy that some payloads already contain the aforementioned DLL, and thus may be launched in the newly-discovered systems. Additional batch script files may be introduced in order to disable anti-malware solutions.
How to protect yourself from QakBot?
As you could have seen above, QBot gained a lot of different abilities during its 15-year lifespan. Its detection evasion techniques are pretty hard to counter, but fortunately, they are not all-encompassing and are absent in numerous parts of QakBot activity. Along with the ability to prevent this malware completely, or stop it using something meticulous it forms a pretty efficient list of countermeasures.
Keep an eye upon emails you receive. Email spam touches both individual users and employees. It has too big a share in malware propagation to be effectively ignored. Any suspicious thing, like an email that duplicates the already received one, or a message that contains a file when it should not to, must not be trusted. If you are not sure about such messages, it will be better to ask someone with corresponding qualification, and leave the email untouched before this check. Clogging the key way of malware spreading may sometimes decrease the risks as effective as the use of next-gen antiviruses.
Use advanced security solutions to keep an eye upon certain system elements. The important ones for QBot counteraction are the Task Scheduler and DLLs that are running in the system. Controlling them may help to prevent not only QakBot, but numerous other malicious things that rely upon exploiting DLLs and Scheduler. However, not each security software you may opt for will be able to fulfil that task effectively. EDR/XDR are capable of paying attention to specific changes in the protected environment. However, their capabilities go far beyond that – heuristic systems they generally rely upon are much more effective against sophisticated threats like QBot than “classic” signature method.
Set up a Windows Defender Credential Guard. This application changes the way credentials are stored within your system by adding an extra security layer. After that, any LSASS exploitation, including dumping its memory for password hashes extraction, will be useless. On single-user systems, however, a simple creation of a Microsoft account will be enough to keep your system secure. When you use Windows with MS account as a login version, your credentials do not stay in the LSASS memory, as they are now kept on Microsoft servers.
Change your passwords regularly. Yet another preventive technique that may help with different other malware samples. Social networks, banking accounts, services related to your job – leaking any of them is unpleasant and potentially dangerous. Sure, any leak takes some time to start dealing direct damage to you. But the less time you give the crooks to do their dirty things – the less problems you will have.
QakBot Trojan IoC
IP addresses
| 24.229.150.54:995 | 68.186.192.69:443 | 89.101.97.139:443 |
| 185.250.148.74:443 | 196.218.227.241:995 | 27.223.92.142:995 |
| 75.188.35.168:443 | 72.252.201.69:443 | 109.12.111.14:443 |
| 68.204.7.158:443 | 136.232.34.70:443 | 82.77.137.101:995 |
| 173.21.10.71:2222 | 189.210.115.207:443 | 105.198.236.99:443 |
| 76.25.142.196:443 | 73.151.236.31:443 | 185.250.148.74:2222 |
| 47.22.148.6:443 | 24.55.112.61:443 | 24.139.72.117:443 |
| 45.46.53.140:2222 | 92.59.35.196:2222 | 95.77.223.148:443 |
| 173.25.166.81:443 | 97.69.160.4:2222 | 196.151.252.84:443 |
| 140.82.49.12:443 | 120.150.218.241:995 | 71.74.12.34:443 |
MITRE ATT&CK
| Indicator Code | Description |
|---|---|
| T1043 | Commonly Used Port |
| T1071.001 | Web Protocols |
| T1114 | Email Collection |
| T1055 | Process Injection |
| T1069.001 | Local Groups |
| T1087.001 | Local Account |
| T1555.003 | Gathering Credentials from Web Browsers |
| T1041 | Exfiltration Over C2 Channel |
| T1218.011 | Rundll32 |
| T1049 | System Network Connections Discovery |
| T1053.005 | Scheduled Task |
| T1016 | System Network Configuration Discovery |
| T1016.001 | Internet Connection Discovery |
| T1135 | Network Share Discovery |
| T1003.001 | LSASS Memory Dumping |
| T1562.001 | Disable or Modify Tools |
| T1566.001 | Phishing: Spearphishing attachment |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1059.005 | Command and Scripting Interpreter: VBasic |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| T1027 | Obfuscated Files or Information |
| T1497 | Virtualisation/Sandbox Evasion |
Hashes
MD5:2897721785645ad5b2a8fb524ed650c0 MD5:e0fafe1b4eb787444ed457dbf05895a4 MD5:b6ed9b2819915c2b57d4c58e37c08ba4 MD5:2a8cf6154e6a129ffd07a501bbc0b098 MD5:43660d21bfa1431e0ee3426cd12ddf38 MD5:ad413cd422c1a0355163618683e936a0 MD5:5dd964c8d9025224eb658f96034babea MD5:000df43b256cdc27bb22870919bb1dfa MD5:88834d17d2cdce884a73e38638a4e0dd MD5:a4de7922bd0c5910e7bca65a5c99ceeb MD5:8073492bd9936a88aa24147024679709 MD5:9f947b2ca60778c52d78e3d1bfc878b2 MD5:68e029f0a50037c323c004c3d08753c5 MD5:40e8e10b249dc72f046432a7652fabba
SHA256:956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85 SHA256:9f6e3b0b18f994950b40076d1386b4da4ce0f1f973b129b32b363aac4a678631 SHA256:70a49561f39bb362a2ef79db15e326812912c17d6e6eb38ef40343a95409a19a SHA256:e510566244a899d6a427c1648e680a2310c170a5f25aff53b15d8de52ca11767 SHA256:cbfc135bff84d63c4a0ccb5102cfa17d8c9bf297079f3b2f1371dafcbefea77c SHA256:1411250eb56c55e274fbcf0741bbd3b5c917167d153779c7d8041ab2627ef95f SHA256:3d913a4ba5c4f7810ec6b418d7a07b6207b60e740dde8aed3e2df9ddf1caab27 SHA256:ca564c6702d5e653ed8421349f4d37795d944793a3dbd1bb3c5dbc5732f1b798 SHA256:c789bb45cacf0de1720e707f9edd73b4ed0edc958b3ce2d8f0ad5d4a7596923a SHA256:c29f81c9b97430de739c2c384cd545d4ea4c32dd0daf87c3dd31dd735e2eb343 SHA256:87905ab95f35afdd81ed082ba2d42f9fd2c191a7076c98d115c2d993f9559d90 SHA256:8e7d8db4ee2395f1c57543d33bf83f6851843b242c95c4a6090bcff9ec092f67 SHA256:c9d4980ccac2d516e333ab9512a3464a88c95a9e9506bae51e84a2a2e593188b SHA256:061c4ee97af5ff9e8c64a0f21509a3953e6afe486add2346da705e5dd6c1b9b5