# Duck Hunting w/Falcon Complete Pt. 3: QakBot Countermeasures **[crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/](https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/)** The Falcon Complete Team October 14, 2020 This blog is the last in a three-part series presenting the CrowdStrike® Falcon Complete™ team’s analysis of the recent QakBot campaigns observed in the wild and outlining a strategy for [the remote identification of a QakBot-infected host. While Part 1 and](https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/) [Part 2 provided an analysis](https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/) of techniques used by the threat actor to gain successful infections, Part 3 provides recommendations for countermeasures that can be deployed via the CrowdStrike Falcon® platform to prevent and contain infections before a widespread incident occurs. We also outline a strategy for how the team helps organizations recover from incidents via our remote remediation capabilities. QakBot is an eCrime banking trojan that is capable of spreading laterally throughout a network. Utilizing a worm-like functionality, it spreads through brute forcing network shares, brute forcing Active Directory user group accounts or via SMB exploitation. QakBot also employs a robust set of anti-analysis features to evade detection and frustrate [analysis. Despite these protections, the CrowdStrike Falcon® platform detects and prevents the](https://www.crowdstrike.com/endpoint-security-products/falcon-platform/) [malware from completing its execution chain.](https://www.crowdstrike.com/epp-101/malware/) ----- ## Solution: Prevention, Containment and Remediation The Falcon Complete team’s approach to defeating the QakBot threat can be defined in several ways, depending on the tailored approach created for the customer. The best way to defend against QakBot is never allowing it to get a foothold in the first place, and the Falcon platform offers the prevention policies that are effective in stopping QakBot in its tracks. For situations where prevention is not enabled, a strategy of containment and fast remote response allows our analysts to quickly remediate the infection via the Falcon Real Time Response (RTR) console, resulting in less downtime, less interference and more productivity. ### Configuring Proper Prevention Policies Prevention policies are policies configured in the Falcon UI that allow organizations to customize how aggressive the Falcon sensor is with detections and preventions. Organizations can choose to configure these policies themselves or take advantage of the Falcon Complete team’s expertise to configure and offer guidance for best practices regarding these configurations. Figure 1. Prevention policy settings as shown in the Falcon UI (click image to enlarge) Falcon’s next-gen antivirus has the ability to block malware based on machine learning and behavioral pattern analysis. Being a non-signature-reliant platform with the proper prevention policies in place, Falcon reliably prevents known QakBot infections before any second-stage payloads are executed. With prevention policies configured like those depicted in Figure 1, we can see that the execution of a senate.m4a Zloader payload was blocked, and the detection details appear in the Falcon UI for analyst review (see Figure 2). ----- Figure 2. Falcon blocking second-stage payload execution of senate.m4a (click image to enlarge) ### Host Network Containment via the Falcon UI In the event that prevention policies are not set to actively block the QakBot threat — as is sometimes the case in more sensitive environments — customers can take advantage of the [24/7/365 virtual security operations center (SOC) offered by Falcon Complete. In these cases,](https://www.crowdstrike.com/epp-101/security-operations-center-soc/) Falcon Complete will triage, stop lateral spread and remediate the QakBot banking trojan threat. In the instance of an unprevented QakBot infection, the Falcon Complete team receives a highconfidence alert for malicious files, triggered by Falcon’s machine-learning algorithms. Figure 3. Detection in the UI as shown by Falcon (click image to enlarge) Upon expanding the alert, the analyst can recognize the QakBot threat by the tactics employed — many discovered during CrowdStrike’s tracking of this threat. ----- Figure 4. Ability to network-contain hosts in emergency situations (click image to enlarge) If among the pre-approved countermeasures, the analyst can network-contain the host to prevent the lateral spread of the info-stealer within the environment. This limits business impact and productivity loss for users, and saves time and cleanup for your internal SOC team. ### Remediation with Falcon RTR QakBot malware is fairly simple in its functionality, but its capability to move laterally can be potentially devastating in enterprise networks. Because of this worm-like spreading and its costly repercussions, the Falcon Complete team has classified the difficulty of the remediation process as “Hard.” The following is a brief illustration of the remote remediation process via Falcon Real Time Response (RTR). **The remediation of QakBot can be broken into three distinct steps:** 1. Killing the malicious processes (e.g., injected explorer) ----- 2. Removing the persistence mechanism (e.g., scheduled task, registry run key) 3. Removing disk artifacts (e.g., binaries and directories). **_Please note: Some of the examples in the following scenario have CrowdStrike Falcon_** **_configured with DETECTIONS ONLY and PREVENTIONS off for illustrative purposes. A_** **_properly configured Falcon instance, as noted previously, would prevent the activity_** **_presented here._** **STEP 1. Finding and Killing the Malicious** `explorer.exe Process` QakBot will create a new instance of the `explorer.exe process and` [inject itself into the new](https://attack.mitre.org/techniques/T1055/) process. It is possible for multiple instances of this process to occur, but responders must determine the malicious instance. It may not be immediately clear which `explorer.exe` process is legitimate, but this can be determined by querying the process with the “-Module” parameter, as shown in Figure 5. Figure 5. Query for explorer.exe process injection (click image to enlarge) [In the example in Figure 5, “gps” is a built-in alias for the “Get-Process” cmdlet, and the process](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7) id was determined by an early query (not shown). The legitimate explorer process will have several modules associated with it, but the malicious instance will have very few — typically less than ten. In this case, Falcon had already prevented the injected process, but if there were a malicious instance present, it could be killed with the following command: “kill ‘.’” **STEP 2. Removing Persistence** [QakBot typically employs a scheduled task and a registry run key for persistence mechanisms](https://attack.mitre.org/techniques/T1053/) on compromised hosts. Figure 6 shows a query for scheduled tasks on the affected host. The search can be assisted by the historical knowledge that will point to a binary in %AppData%, so this is used as a search string to quickly identify not only the malicious TaskName but also the full path to the main binary. ----- Figure 6. Query to find the path for scheduled task persistence mechanism (click image to enlarge) The parent directory of the QakBot binary is a key indicator of compromise (IOC) and can be used later in the manual remediation process and as an integral search string. In the query shown in Figure 6, the parameter “-context 10” shows the surrounding ten lines and will reveal the actual name of the task that is required for removal. This can simply be deleted with the built-in CMD program schtasks.exe, like so: Figure 7. Removing the scheduled task (click image to enlarge) In addition to scheduled tasks, QakBot will often create a registry run key to establish persistence. The modified value is placed under this key name: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Figure 8 shows the output of the query for this registry key. Figure 8. Registry query (click image to enlarge) In Figure 8, we obtain the value of the malicious run key and again encounter the path to the main QakBot binary location. Removal of the key is performed with the command shown in Figure 9. Figure 9. Removing the run key (click image to enlarge) ----- **STEP 3. Removing Remaining Artifacts** QakBot leaves file system residue in a few specific locations on infected hosts. The first one is the random alphabetically named folder located in ``` C:\Users\*\AppData\Roaming\Microsoft, identified in the remediation steps above. The ``` name of this directory is dynamic, but it will reliably contain QakBot’s core binary, .dat files and other resources. This initial download along with the temporary location of the loader’s initial execution may also require removal, as shown in Figure 10. Figure 10. Removal of residual file system artifacts (click image to enlarge) The steps outlined above are the general process for identifying QakBot artifacts and successfully remediating a host for the QakBot malware. This process is quite effective in singular instances, but in reality this is rarely the case due to QakBot’s lateral movement capabilities. A properly configured Falcon platform is a critical component of a successful defense strategy to defeat this threat. ## Conclusion QakBot has undergone a resurgence in both its delivery volumes and technical evolution. The potential impact from a successful QakBot infection includes (but is certainly not limited to) widespread lateral infections, theft of confidential data, deployment of secondary payloads and loss of organizational prestige. Remediating these types of infections becomes more complicated with these variants’ ability to spread laterally to many hosts. Furthermore, with a transition to a more remote workforce, the capability to remotely remediate infections on hosts that are geographically distributed will become increasingly important as rebuilding systems becomes impractical. The Falcon Complete team will continue to track this threat and monitor our clients’ environments for any notable developments. Despite QakBot’s anti-analysis and evasive capabilities, the CrowdStrike Falcon platform prevents this malware from completing its execution chain when it detects the VBScript execution. The Falcon Complete team deals with threats like this every day, providing our customers with the expertise required to remediate these infections and help organizations recover from potentially devastating incidents. ----- ## Appendix Table 1 below contains a mapping of QakBot tactics to the MITRE ATT&CK framework.® **Tactic** **Technique** **Sub-Technique** **ID** Initial Access Phishing Spear-Phishing Attachment Execution User Execution Malicious Link, Malicious File [T1566.001](https://attack.mitre.org/techniques/T1566/001/) [T1204.001,](https://attack.mitre.org/techniques/T1204/001) [T1204.002](https://attack.mitre.org/techniques/T1204/002) [T1059.001,](https://attack.mitre.org/techniques/T1059/001) [T1059.003,](https://attack.mitre.org/techniques/T1059/003) [T1059.005](https://attack.mitre.org/techniques/T1059/005) Execution Command and Scripting Interpreter Execution Signed Binary Proxy Execution Persistence Boot or Logon Autostart Execution PowerShell, CMD Shell, Visual Basic Registry Run Keys / Startup Folder Msiexec, Rundll32 [T1218.007,](https://attack.mitre.org/techniques/T1218/007/) [T1218.011](https://attack.mitre.org/techniques/T1218/011/) [T1547.001](https://attack.mitre.org/techniques/T1547/001) Persistence Scheduled Task/Job Scheduled Task [T1053.005](https://attack.mitre.org/techniques/T1053/005) Defense Evasion Defense Evasion Defense Evasion Obfuscated Files or Information Virtualization/Sandbox Evasion None [T1027](https://attack.mitre.org/techniques/T1027/) Process Injection Dynamic-link Library Injection [T1055.001](https://attack.mitre.org/techniques/T1055/001) System Checks [T1497.001](https://attack.mitre.org/techniques/T1497/001) Discovery Virtualization/Sandbox Evasion Discovery Network Share Discovery User Activity Based Checks [T1497.002](https://attack.mitre.org/techniques/T1497/002/) None [T1135](https://attack.mitre.org/techniques/T1135/) Credential Access Lateral Movement Command and Control Brute Force Password Guessing [T1110.001](https://attack.mitre.org/techniques/T1110/001/) Application Layer Protocol Remote Services SMB/Windows Admin Shares [T1021.002](https://attack.mitre.org/techniques/T1021/002/) Web Protocols [T1071.001](https://attack.mitre.org/techniques/T1071/001/) Table 1. MITRE ATT&CK mapping **IOCs associated with QakBot analyses are available in Table 2.** **Indicator** **Purpose** ----- PicturesViewer.dll, PicturesViewer.exe, PaintHelper.dll, PaintHelper.exe, file1.exe QakBot binary names “[0-9]{6,9}\.zip”, “NUM_[0-9]{4,6}\.vbs” Regular expression of observed filename convention of zip archives containing VBS that launches QakBot downloader “dfPEZd”, “ezQVN”, “wCdZgXH” Scheduled Task tasknames “””C:\windows\System32\WScript.exe”” “”C:\Users\*\AppData\Local\Temp\Temp1_*.zip\NUM_*.vbs”” Command line example of initial execution C:\Users\*\Downloads\“[0-9]{6,9}\.zip” Initial QakBot download path. Observed as an 8 or 9character numeric name. C:\Users\*\AppData\Local\Temp\Temp1_“[0-9]{6,9}\.zip\NUM_[0-9]{4,6}\.vbs Execution path of VB downloader script %AppData%\lwob\esexydry.dll %AppData%\PicturesViewer.dll %APPDATA%\dasfdsfsdf.exe %APPDATA%\Iwhoq\pozypua.dll %APPDATA%\IE\GGYJG27Z\dasfdsfs.df[1].exe C:\Users\Public\tmpdir QakBot binary paths in home directories, observed as a alphabetical name under an alphabetical folder in %AppData%, or pre-named PicturesViewer, PaintHelper HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry run key persistence ----- Table 2. IOCs associated with QakBot **Additional Resources** _[Read “Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1” and](https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/)_ _[“Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2” in this](https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/)_ _series._ _Find out how CrowdStrike can help your organization answer its most important security_ _questions:_ _[Visit the CrowdStrike Services webpage.](https://www.crowdstrike.com/services/)_ _Learn how any size organization can achieve optimal security with Falcon Complete by_ _visiting the product webpage._ _[Learn more about Falcon X™ threat intelligence by visiting the webpage.](https://www.crowdstrike.com/endpoint-security-products/falcon-x-threat-intelligence/)_ _Learn about CrowdStrike’s comprehensive next-gen endpoint protection platform by_ _visiting_ _[the Falcon products webpage.](https://www.crowdstrike.com/endpoint-security-products/)_ _Test CrowdStrike next-gen AV for yourself:_ _[Start your free trial of Falcon Prevent™.](https://go.crowdstrike.com/try-falcon-prevent.html)_ -----