Last Updated: 2021-01-20 00:23:18 UTC
by Brad Duncan (Version: 1)
Although the botnet infrastructure behind Qakbot was active as we entered this year, we hadn't seen any active campaigns spreading Qakbot. Qakbot had been quiet since a few days before Christmas. We saw no new malicious spam (malspam), and we saw no new Excel spreadsheets that we typically find during active campaigns.
Today's diary examines a Qakbot infection from Tuesday 2021-01-19.
No changes here. Qakbot malspam typically spoofs stolen email chains from previously-infected Windows hosts, and it feeds the data to currently-infected Windows hosts that send new malspam pushing updated files for Qakbot. See the image below for an example from Tuesday 2021-01-19.
See the images below for my analysis of network traffic from the Qakbot infection.
Forensics on infected Windows host
See the images below for my forensic investigation on the infected Windows host.
Indicators of Compromise (IOCs)
- File size: 25,543 bytes
- File name: Complaint_Copy_1206700885_01192021.xlsm
- File description: Spreadsheet with macro for Qakbot
- File size: 1,545,688 bytes
- File location: hxxp://senzo-conseil-expat[.]fr/bqkckb/5555555555.jpg
- File location: C:\Users\[username]\AppData\Roaming\KKEEDTT.DEEREDTTDVD
- File description: Initial DLL for Qakbot
- Run method: rundll32.exe [filename],DllRegisterServer
HTTP request caused by Excel macro to retrieve DLL for Qakbot:
- 51.210.14[.]58 port 80 - senzo-conseil-expat[.]fr - GET /bqkckb/5555555555.jpg
HTTPS traffic from the infected host:
- 95.76.27[.]6 port 443
- 185.14.30[.]127 port 443
- 172.115.177[.]204 port 2222
Web traffic connectivity checks from the infected host (HTTPS traffic):
- port 443 - www.openssl.org
- port 443 - api.ipify.org
TCP traffic from the infected host:
- 54.36.108[.]120 port 65400
Connectivity checks to mail servers from the infected host:
- 184.108.40.206 port 993 - imap.gmail.com
- 220.127.116.11 port 25 - smtp-relay.gmail.com
- 18.104.22.168 port 465 - smtp-relay.gmail.com
- 22.214.171.124 port 587 - smtp-relay.gmail.com
- 126.96.36.199 port 110 - mail.myfairpoint.net
- 188.8.131.52 port 143 - mail.myfairpoint.net
- 184.108.40.206 port 995 - inbound.att.net
Certificate issuer data for HTTPS traffic to 95.76.27[.]6 over TCP port 443:
- id-at-organizationName=Letx Uqe Dzcmtewzs Kctonlfg Inc.
Certificate issuer data for HTTPS traffic to 185.14.30[.]127 over TCP port 443:
- id-at-localityName=New York
Certificate issuer data for HTTPS traffic to 172.115.117[.]204 over TCP port 2222:
- id-at-organizationName=Cepasduq Nqo Ooifzetkp Mqen
A pcap of the infection traffic along with malware (Excel file and DLL) from an infected host can be found here.
brad [at] malware-traffic-analysis.net