# The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities #### Technical Brief ----- ## Introduction QAKBOT (detected by Trend Micro as TrojanSpy.Win32.QAKBOT) is a modular and highly evasive information-stealing malware that was first discovered in 2007. This threat is also known as QBOT and PinkSlipbot. Initial versions of QAKBOT targeted financial data and was classified as a banking trojan, but more recent versions have acted as a delivery mechanism for “second stage” malware. Specifically, QAKBOT seems to lead to targeted attacks involving data theft (exfiltration) and ransomware. ## QAKBOT Capabilities The core QAKBOT loader functionality is extended using a variety of plug-ins. In earlier QAKBOT versions, components were embedded as resources in the main executable. In more recent versions, the injection DLL, update script, and plug-ins are downloaded by the QAKBOT core after communicating with the command-and-control (C&C) server. The plug-ins listed here provide QAKBOT operators with the functionality needed to achieve their objectives. **Plug-in** **Capability** Enables theft of sensitive data (usernames, passwords) **Web-inject modules** within browser processes Enables theft of sensitive data from compromised **Password grabber module** endpoints Enables the theft of cookies from web browsers (Internet **Cookie grabber module** Explorer, Firefox, Chrome, and Microsoft Edge) Enables the theft of email threads, which are hijacked **Email Collector module** and used in follow-on campaigns **Universal Plug and Play** Enables the use of infected machine as proxies for C&C **UPnP module** traffic **Lateral Movement module** Enables propagation inside the infected network Provides hands on keyboard and lateral movement **Hidden VNC (hVNC) module** capabilities to the operators Enables remote access to the compromised network **Cobalt Strike module** with the Cobalt Strike penetration testing framework Enables remote access to the compromised network via **Atera module** Atera Remote Monitoring Management (RMM) software |Plug-in|Capability| |---|---| |Web-inject modules|Enables theft of sensitive data (usernames, passwords) within browser processes| |Password grabber module|Enables theft of sensitive data from compromised endpoints| |Cookie grabber module|Enables the theft of cookies from web browsers (Internet Explorer, Firefox, Chrome, and Microsoft Edge)| |Email Collector module|Enables the theft of email threads, which are hijacked and used in follow-on campaigns| |Universal Plug and Play UPnP module|Enables the use of infected machine as proxies for C&C traffic| |Lateral Movement module|Enables propagation inside the infected network| |Hidden VNC (hVNC) module|Provides hands on keyboard and lateral movement capabilities to the operators| |Cobalt Strike module|Enables remote access to the compromised network with the Cobalt Strike penetration testing framework| |Atera module|Enables remote access to the compromised network via Atera Remote Monitoring Management (RMM) software| ----- ## QAKBOT Links to Targeted Ransomware Attacks QAKBOT operators are key enablers for ransomware attacks. These operators achieve access to infected environments through the deployment of Cobalt Strike beacons, which function as standalone backdoors, or via a Cobalt Strike or Atera RMM plug-in. Since 2019, QAKBOT infections have led to the eventual deployment of the following human-operated ransomware families: - MegaCortex (2019) - Egregor (2020) - PwndLocker (2019) - Sodinokibi/REvil (2021) - ProLock (2020) ## QAKBOT Activity The following is a list of notable events related to QAKBOT, as well as information from Trend Micro™ Smart Protection Network™. Trend Micro has been monitoring this threat for years, and we have been able to track the spam campaigns linked to QAKBOT operators across the world. While monitoring this malware distribution activity, we found that the top countries targeted were the United States, Japan, and Germany, while, telecommunications, technology, and education were the top industries targeted. |Date|Event| |---|---| |Oct 2021|The Atera RMM plug-in is discovered.| |Sep 2021|Shathak delivers QAKBOT with malspam. “TR” delivers QAKBOT with malspam.| |Feb 2021 – Jun 2021|Shathak delivers QAKBOT with malspam.| |Mar 2021|QAKBOT infections drop Cobalt Strike.1| |Mar 2020|QAKBOT infections lead to the ProLock Ransomware.| |Oct 2019|QAKBOT infections lead to the PwndLocker Ransomware.| |May 2019|QAKBOT infections lead to the MegaCortex Ransomware.| |Jun 2018|The QAKBOT malware is found on thumb drives manufactured in China.2| |2007|The initial QAKBOT version is discovered.| ----- Figure 1. A global view of QAKBOT activity from March 25, 2021 to October 25, 2021 as seen from Trend Micro Smart Protection Network (SPN) Figure 2. The top 10 countries where QAKBOT is distributed ----- ## Malware Analysis The QAKBOT infection chain usually starts with malicious spam emails and the infection spreads from there. The stages shown here are typical of QAKBOT but might vary slightly over time. |Stage|#|Description| |---|---|---| |Arrival|1| Malicious spam emails with malicious attachment  The document uses Excel 4.0 macros and themed social engineering to trick users into opening the email.| |Infection|2| The excel document contains Excel 4.0 macrso with a malicious dropper routine that will download the QAKBOT DLL from a remote server.  Social engineering is used to trick the user into “Enabling Content” (macros).| ||3| Once macros are enabled, the QAKBOT loader DLL is downloaded and executed.  Persistence is achieved through the installation of registry keys and a scheduled task.  The malicious QAKBOT process phones home to the C&C server.| ||4| The C&C server sends additional modules to the infected host .| ||5| Target information is stolen.| ----- |Post- infection|Col2| Attackers might obtain “hands on keyboard” access to the infected environment following the deployment of a backdoor (such as Cobalt Strike) as a plug-in or as a separate dropped file.  Attackers might execute discovery commands to further evaluate the environment.| |---|---|---| ||6| Attackers might move laterally from the infected host.  In some cases, attackers will deploy ransomware in the environment.| Table 1. Illustration and steps of the QAKBOT kill chain ## QAKBOT Arrival Variations QAKBOT uses a variety of delivery mechanisms, including different scripting languages and malicious documents. In the past, QAKBOT has also collaborated with other botnet operators, namely the now defunct Emotet. _*Emotet is an example of malware installation as a service, wherein operators install other_ _malware on their bots for a fee._ Figure 3. QAKBOT delivery mechanisms ----- ## QAKBOT Malicious Documents and Excel 4.0 Macros Since late 2020, QAKBOT operators have leveraged malicious Microsoft Excel documents with heavily obfuscated Excel 4.0 macros to evade detection in the initial access phase of the attack. Figure 4. Malicious document delivering QAKBOT (from June 2021 MalSpam Campaign) The primary motivation behind QAKBOT’s (and other malware distributors’) shift toward this delivery mechanism can likely be attributed to the lack of support for Excel 4.0 macros in the Windows AntiMalware Scan Interface (AMSI) at that time. Excel 4.0 macro support was only added to AMSI in March 2021, while VBA macro parsing has been supported by AMSI since 2018. ----- ## QAKBOT Operators’ Use of Hijacked Email Conversations The use of hijacked email conversations is a noteworthy technique used by QAKBOT distributors as a social engineering tactic. In the example shown in Figure 5, an email thread between Kelly and Sandy (number 1 in the figure) was stolen during a previous infection by the QAKBOT email collection module. The thread is then reused or hijacked by QAKBOT operators (number 2 in the figure) in a malicious spam campaign. The malicious email appears to come from Sandy in reply — but it actually contains the malicious document that drops QAKBOT (number 3 in the figure). The use of hijacked email threads in malicious spam emails is a tactic that was first used by the cybercriminals who operated the now defunct Emotet malware. Figure 5. The hijacked email thread delivering QAKBOT ----- ## QAKBOT Infection Routine Figure 6 shows that the XLSM files contain hidden sheets and an auto_open macro (step 1 in this figure) that executes as soon as the victim opens the document and selects the “Enable Content” button. The macro code evaluates a sequence of formulas that are distributed at various indexes (step 2 in this figure) in the document. This is an obfuscation technique that is designed to thwart detection using simple strings. Figure 6. The Excel formulas containing malicious code fragments Figure 7. Hidden sheets in a QAKBOT XLSM dropper In the sample in Figure 8, the code generates a unique file name using NOW() (step 1 in this figure) to output a timestamp to be used as part of the file name. The dynamic URL formation makes it harder to block exact URLs. Next, the functions (step 2 in this figure) to be called are resolved and the first of three download attempts from hard-coded hosts begins (step 3 in this figure). The downloaded file is stored in the disk as “Post.storg*”. This is the main QAKBOT DLL, which is loaded by “regsvr32 -s” (step 4 in this figure). The QAKBOT main loader DLL is loaded by regsvr32.exe with the -s command. ----- Figure 8. Analysis of QAKBOT sample ## QAKBOT Installation ### Packed QAKBOT loader  Process hollowing The main program is unpacked in memory and injected into a new process that started in a suspended state. The injection routine targets the process memory of one of three targets (iexplore.exe, mobsync.exe, or explorer.exe) where the target is unmapped and replaced with the unpacked QAKBOT loader program. Once the code is injected, QAKBOT calls ResumeThread(). Figure 9. Process hollowing (UnmapViewOfFile -> VirtualAlloc) ----- ### Persistence mechanisms and anti-analysis/anti-sandbox routines The loader creates a persistence via a scheduled task using the now deprecated at.exe. A dropped Javascript file creates a scheduled task for persistence for the QAKBOT core. The same mechanism is executed when an update is received from the C&C server. Figure 10. Persistence mechanisms through scheduled tasks QAKBOT also includes several routines to detect the presence of security software, and to detect if it is being executed on a virtual machine (VM). Figure 11. Routines to detect if there are security solutions on the device ----- ### QAKBOT UPnP: Recruiting new proxies for QAKBOT’s botnet QAKBOT leverages Simple Service Discovery Protocol (SSDP) to identify other devices on the local network. It then parses network device information collected with SSDP to identify internet gateways. Figure 12. QAKBOT leveraging SSDP and parsing information collected with SSDP With gateways identified, it uses UPnP to create port-forwarding rules on gateway devices to route traffic from the internet to the infected endpoint. The infected device is then capable of acting as a Tier 3 proxy in the QAKBOT botnet. Figure 13. UpnP used to create port-forwarding rules ----- ## QAKBOT Information Stealing Plug-ins ### Outlook email collector QAKBOT has been exfiltrating emails from Microsoft Outlook since 2019. The stolen information is used to enhance the social engineering capabilities of future attacks by spamming email thread members. QAKBOT extracts emails, parses email headers, and extracts thread recipients from the address book. Figure 14. The emailcollector_dll Figure 15. Invoking the “GetEmailMsgRecipients()” function ----- Figure 16. Extraction of email address using email regex and CollectOutlookData() function call The QAKBOT email collector plug-in performs email header parsing to identify interesting header items. This process includes parsing email authentication results from DomainKeys Identified Mail (DKIM) signatures and antispam detection results. The email collector module also collects data from the Microsoft Outlook address book. After the collection, stolen data is uploaded with HTTPS POST (not FTP as used by QAKBOT for other data exfiltration). Figure 17. Email header parsing Figure 18. The function call to collect address book information CollectOutlookAddressBookThread() ----- Figure 19. Function showing the email data exfiltration method ### Password grabber plug-in The QAKBOT password grabber module can extract credentials (username, password, and host) from the following applications: - Outlook - Internet Explorer - Chrome - CuteFTP - Firefox Popular browser and email clients are potential targets, and CuteFTP, a rarely used FTP client, is also on the list. There are a few interesting points to note when looking over the list of targeted applications. For example, we know that QAKBOT uses stolen FTP details for the purpose of data exfiltration channels. Chrome no longer supports FTP, so malicious actors would need to grab credentials out of a separate application to steal FTP credentials. Also, QAKBOT uses Network Security Service (NSS) libraries (nss.dll) to interact with Firefox password storage and pilfer credentials from the Firefox SQLite database ----- Figure 20. The password-grabbing function “plugin_passgrabber” Figure 21. CuteFTP password extraction routines Figure 22. Chrome password extraction routines ----- Figure 23. Outlook credential extraction routines Figure 24. Internet Explorer credential extraction routines Figure 25. QAKBOT using NSS libraries to interact with Firefox ----- ### Digital certificate theft QAKBOT is also able to steal digital certificates. It enumerates the installed digital certificates with CertEnumSystemStore() and extracts both the certificate names and the data. QAKBOT leverages FTP account information stored in the configuration to exfiltrate the stolen data. The FTP accounts are legitimate user accounts that were likely compromised in previous QAKBOT infections. In other words, the domains are not simply malicious domains created for the sole purpose of harvesting data stolen by QAKBOT. Figure 26. QAKBOT function to steal and exfiltrate stolen data ----- ## QAKBOT Campaigns ### 1H 2021 campaign details In the observed campaigns, the threat actors use both “financial” (compensation, overdue debt, rebate) and “business process” (claim, complaint, document) email header lures to entrap victims. Figure 27. Detection of spam campaign lures from January 2021 to July 2021 The attachment name structure consists mainly of .ext. We show the attachment names we found, as well as when they_ were found, in the following table. |Campaign date|Date code|Attachment name| |---|---|---| |Feb 3, 2021|01192021|Complaint_Copy_369987483_01192021.xlsm| |Feb 5, 2021|02032021|CompensationClaim-1286116047-02032021.xls| |Feb 8, 2121|02082021|Claim-860207286-02082021.xls| |Feb 2, 2010|02092021|Claim-1128432364-02092021.xls| |Feb 22, 2021|02162021|Claim-1583503708-02162021.xls| |Feb 19, 2021|02182021|Complaint-919056775-02182021.xls| ----- |Feb 23, 2021|02192021|Complaint_Letter_974761194-02192021.xls| |---|---|---| |Mar 6, 2021|03042021|Overdue-Debt-1225799455-03042021.xls| |Mar 8, 2021|02022021|CompensationClaim-82785999-02022021.xls| |Mar 13, 2021|03092021|Complaint-Copy-636146074-03092021.xls| |Mar 13, 2021|03102021|Complaint-Letter-1867071504-03102021.xls| |Mar 14, 2021|03122021|CompensationClaim_1542026698_03122021.xls| |Apr 17, 2021|04152021|CompensationClaim-191863321-04152021.xlsm| |Apr 16, 2021|04162021|4275293-04162021.xlsm| |Apr 19, 2021|04192021|7374758652-04192021.xlsm| |May 4, 2021|05042021|Outstanding-Debt-711821451-05042021.xlsm| |May 6, 2021|05062021|1509454892-05062021.xlsm| |May 10, 2021|05102021|Copy-806916968-05102021.xlsm| |May 14, 2021|05132021|Debt-Details-1673749103-05132021.xlsm| |May 17, 2021|05142021|Calculation-1888078752-05142021.xlsm| ||05172021|Compensation-1231272851-05172021.xlsm| ----- |May 17, 2021|Col2|Col3| |---|---|---| |May 19, 2021|05182021|Permission-1522921359-05182021.xlsm| |May 19, 2021|05192021|Complaint-Letter-1373171828-05192021.xlsm| |Jun 1, 2021`|06012021|Overdue_Debt_592550132_06012021.xlsm| |Jun 3, 2021|06022021|Document_06022021_1550303392_Copy.xlsm| |Jun 3, 2021|06032021|DEBT_06032021_808188295.xlsm| |Jun 8, 2021|06082021|62730743159_06082021.xlsm| |Jun 9, 2021|06092021|Cancellation_Letter_1246498236_06092021.xlsm| |Jun 14, 2021|06142021|Rebate_2053672682_06142021.xlsm| Table 2. Email lures used by QAKBOT operators ### 1H 2021 second stage QAKBOT infections After the initial QAKBOT infection, the operators move onto the second stage or follow-on infections, which can be attributed to the QAKBOT loader. This table shows the indicators of compromise (IOCs) for the second stage infections, as well as descriptions of the files and the detection timeline. |Date|File name indicator|IOCs| |---|---|---| |May 2021|Cobalt Strike| 95fd08cb346b2a809eb1e7a7f7ed9982715b1912ba53c bc02833c82db02274f5| ||C&C server| hxxps://restcdn[.]com/ba.css| ----- |Col1|C&C server IP| 195.123.241[.]214| |---|---|---| |||| |Apr 2021|Cobalt Strike| 7afd454c3555a46c75bfb6dc888cfa01a8126f0d8bee96 0f75f9fd06ae38db1f| ||C&C server| hxxps://onlineceoshelp[.]com/jquery-3.2.2.min.js  hxxps://108.177.235[.]180/strap/j-devmin.js| ||C&C server IP| 108.177.235[.]180| |||| |Apr 2021|Cobalt Strike| 64911d0ddd1bf9b72daf0a9ef3064f5bf45317126622573 247f2b7c712f60495| |Mar 2021|Cobalt Strike| 098caeccd3ac77fb7591c1f938161dcC&Cd8c9f437235c 53504381ed219732505| ||C&C server| hxxps://logon.securewindows[.]xyz/ptj| ||| hxxps://45.144.29[.]185/cm| Table 3. IOCs for second stage infections ## QAKBOT Infrastructure ### QAKBOT tiered C&C infrastructure QAKBOT uses a tiered (layered) network of C&C servers, which means that intermediary layers of servers facilitate communication with the C&C back end. Tier 1 is the core infrastructure, and is also the botnet back end. Tier 3 proxies relay C&C server communication to the real C&C servers represented in the diagram as Tier 2. Tier 3 proxies get blocked quickly, so they are rotated in the malware configuration and change frequently. This architecture shields the true location of back-end proxies from security researchers and law enforcement. Here is a list of TCP ports used in C&C communication by the QAKBOT core and plug-ins 22, 80, 443, 995, 1194, 2078, 2087, 2222, 3389, 8443, 32100. ----- ### QAKBOT C&C infrastructure by autonomous system We found that almost 25% of QAKBOT Tier 3 C&C server infrastructure can be associated with a single Autonomous System Number (ASN). ASNs are used by network operators to control routing and exchange routing information with other internet service providers (ISPs). |ASN|Ports|Percentage| |---|---|---| |3215|1194,2078,2087,2222|24.8%| |20473|443,995,2222,8443|10.7%| |5384|995,2078,2222|9.8%| |11427|995,2222,3389|7.2%| |6799|995,2222|5.5%| |3737|995|5.2%| |12479|2087,2222|3.8%| |29049|2222|3.3%| |22773|995|2.8%| |12302|995|2.7%| |30110|2222|2.7%| |18712|995|2.7%| |8400|995|2.3%| |4837|995|1.5%| |9443|995|1.3%| |8612|32100|1.0%| |11776|995|1.0%| |16276|80|0.8%| |42298|995|0.7%| |11215|2078|0.7%| |11260|995|0.7%| ----- |7385|995|0.7%| |---|---|---| |6871|2222|0.7%| |60117|80|0.7%| |51207|80|0.7%| |206638|80|0.7%| |21040|2222|0.7%| |20001|2222|0.7%| |13490|2222|0.5%| |47331|2222|0.5%| |12430|995|0.3%| |2856|2222|0.3%| |33363|2222|0.2%| |12334|995|0.2%| |3269|2222|0.2%| |12684|2222|0.2%| |5769|2222|0.2%| |4181|995|0.2%| |11351|2222|0.2%| |30036|2222|0.2%| |701|995|0.2%| |396122|2078|0.2%| |24560|2087|0.2%| |8452|995|0.2%| |39543|995|0.2%| |8708|2222|0.2%| |35819|995|0.2%| Table 4. QAKBOT Tier 3 C&C infrastructure ----- ## Tactics and Techniques ### Mitre ATT&CK |Tactic|Technique (MITRE ID)| |---|---| |Initial access|Spear phishing (T1566.001)| ||Spear-phishing link (T1566.002)| |Execution|Scheduled task (T1053.005)| |Persistence|Registry run reys/startup folder (T1547.001)| |Privilege escalation|Scheduled task (T1053.005)| ||Process hollowing (T1055.012)| |Defense evasion|Software packing (T1027.002)| ||DLL injection (T1055.001)| ||Code signing (T1553.002)| ||Signed binary proxy execution: regsvr32.exe (T1218.010)| ||Signed binary proxy execution: rundll32.exe (T1218.011)| ||Visualization/Sandbox evasion (T1497.001)| ||Disable or modify tools (T1562.001)| |Credential access|Man in the browser| ----- |Col1|(T1185)| |---|---| |Lateral movement|VNC (T1021.005)| |Collection|Man in the browser (T1185)| |C&C|Multi-pop proxy (T1090.003)| ## References 1ISC Handler. (March 3, 2021). SANS ISC InfoSec Forums. “Qakbot infection with Cobalt Strike.” Accessed on October 23, 2021, at [https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/.](https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/) 2Federal Bureau of Investigation. (Aug. 5, 2018). Public Intelligence. “FBI Cyber Bulletin: Identified Qakbot Malware Variant Found on Thumb Drive Manufactured in China.” Accessed on [October 23, 2021, at https://publicintelligence.net/fbi-qakbot-usb/.](https://publicintelligence.net/fbi-qakbot-usb/) -----