Today's diary is a review of a Qakbot (Qbot) infection I generated on Tuesday 2020-12-08.
Qakbot generally includes follow-up malware like Cobalt Strike (such as this example), but my infection on Tuesday 2020-12-08 was a basic Qakbot infection that didn't run long enough for follow-up malware or other activity.
Of note, in late-November 2020, Qakbot underwent a version update. I've noticed this in my day-to-day research, but nothing comprehensive has been published yet. A few tweets about it:
I'll review some of the changes I've noticed about the update in today's diary.
Malspam examples I found from Tuesday 2020-12-08 were fake replies to legitimate email chains, although the example shown below might be a Qakbot-generated reply for an unsolicited spam message.
The attached ZIP archive has an Excel spreadsheet with macros designed to infect a vulnerable Windows host with Qakbot malware. Even with the version update, these spreadsheets distributing Qakbot have the same template we've seen for the past several months.
Typical for Qakbot, we see an HTTP GET request for a URL ending in .jpg that returned a Windows binary (in this case a DLL). This often is an HTTPS URL, where we would not see the Windows binary in a pcap. In recent moths, I've seen as many HTTPS URLs for this as I have regular HTTP URLs.
Filtering the traffic in Wireshark, we find typical Qakbot post-infection activity. But approximately 3 hours after the initial infection, I also saw web traffic to wellsfargo[.]com, which was unusual--especially since no browser had opened on the desktop of the infected Windows host.
The user-agent string in HTTP traffic to wellsfargo[.]com indicated it may have been caused by Google Chrome. Keep in mind the user-agent string is often spoofed during malware infections. I also saw web traffic associated with the Firefox web browser. This traffic is likely related to one of the Qakbot modules; however, I could not find any modules saved to disk on my infected host.
Qakbot malware version update
Sometime in late-November 2020, Qakbot malware was updated. I know of at least 3 related things that are noticeably different than before.
1) The Qakbot binary retrieved by Microsoft Office macros changed from an EXE to a DLL.
2) Qakbot now creates other Windows registry updates. These updates are located at HKCU\SOFTWARE\Microsoft under a key that consists of a unique alphabetical string for each infected host. It consists of several entries containing encoded binary data as shown in the example below.
3) The directory for Qakbot artifacts under C:\Users\[username]\AppData\Roaming\Microsoft now has fewer files. Before the version update, we saw a Windows EXE for Qakbot in this directory, and it was kept persistent in the Windows registry (see item 1 above). Now, the folder no longer has an EXE and some other files are missing. Compare the two images below.
Qakbot's version update has resulted in other characteristics of the malware, and I'm certain someone will publish a more detailed write-up about it. These three changes are the one's I've noticed, but I focus mostly on dynamic analysis (not code analysis or reverse engineering).
Indicators of Compromise (IoC)
The following are IoCs from my Qakbot infection from Tuesday 2020-12-08.
ZIP archives from 4 malspam examples:
Excel spreadsheets extracted from the above ZIP archives:
HTTP traffic after enabling that returned a Qakbot DLL file:
Qakbot post-infection traffic:
Unusual (to me) activity from Qakbot-infected host:
Malware from an infected Windows host:
Qakbot been active for several years, and it continues to evolve. The latest version update has some significant changes, but infection traffic on vulnerable Windows hosts remains similar to what we've seen before with Qakbot.
A pcap of the infection traffic reviewed in this dairy and 4 examples of Qakbot malspam are available here.
Dec 9th 2020
|Thread locked Subscribe||
Dec 9th 2020
7 months ago