QakBot — Basic Analysis

Faruk Şener
3 min read · Nov 3, 2021


Overview

QakBot (also known as QBot, QuakBot or Pinkslipbot) is one of the best-known banking Trojans. Its main task is to steal banking credentials, online banking login information and other banking data. It has been operating since 2007 and is constantly maintained by the gangs behind it. QakBot keeps improving and makes analysis harder by applying new or advanced techniques to evade detection and hinder reverse engineering.

Infection Flow

QakBot is known to infect its victims mostly through spam campaigns. In some cases, the emails are delivered with Microsoft Office documents (Word, Excel) or password-protected archives containing such documents. The documents contain macros, and victims are asked to open the attachments, which claim to contain important information. In other cases, the emails contain links to web pages that distribute the malicious documents. Since the downloaded files are constantly changing, they easily evade AVs, and victims trust and execute them.

QakBot Infection Chain

The infection chain and findings we have come across in many cases (2021 variants) are as follows:

1 — The user receives a phishing email carrying an Office document with embedded macros, either as the document itself, as a ZIP attachment, or as a link to download the malicious document.

In the cases I have encountered, the type of file downloaded is generally the same, but the hashes are constantly changing. The file name consists of 3 or 4 characters, a hyphen and 10 digits. File sizes are generally 88 KB.
Example filenames: abcd-[0–9].xls , xyz-[0–9].xls

2 — User opens malicious attachment/link and is tricked into clicking “Enable content”.

3 — The malicious macro is executed. It downloads the payload (the loader DLL) from multiple malicious distribution servers by performing "GET" requests.

http://********.com/[a-Z0–9]/[a-Z].html
https://********.xyz/[a-Z0–9]/[a-Z].html
https://********.ng/[a-Z0–9]/[a-Z].html

Stagers:
C:\Datop\test.test
C:\Datop\test1.test
C:\Datop\test2.test

Loaders:
C:\Users\{Username}\AppData\Roaming\Microsoft\{ObfuscatedPathName}\{ObfuscatedDllName}.dll

4 — The payload (stager) contains another binary holding encrypted resource modules. One of the encrypted resources is the DLL binary (the loader), which is decrypted at runtime.

5 — The "stager" loads the "loader" into memory, which in turn decrypts and executes the final payload at runtime. Configuration settings are taken from another resource.

6 — The payload communicates with the C2 server.

Observed commands:
whoami /all
ipconfig /all
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.{DOMAIN}
netstat -nao
regsvr32.exe -s "C:\Users\{Username}\AppData\Roaming\Microsoft\{ObfuscatedPathName}\{ObfuscatedDllName}.dll"

Note: In some analyses it has been observed that anti-VM techniques are applied using the information collected by these commands.
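As an added example (not part of the original post), the indicators in the chain above turned into a small detection routine run over constructed endpoint events: the attachment naming pattern, the C:\Datop stager drop, the regsvr32 -s loader execution and the reconnaissance commands. The event field names, host names and sample paths are assumptions.

```python
import re

# Attachment names: 3-4 letters, a hyphen, 10 digits, .xls (e.g. abcd-0123456789.xls)
ATTACHMENT_RE = re.compile(r"(?i)^[a-z]{3,4}-\d{10}\.xls$")
# Stager drop location: C:\Datop\<name>.test
STAGER_RE = re.compile(r"(?i)^c:\\datop\\[^\\]+\.test$")
# Loader run silently via regsvr32 from %AppData%\Roaming\Microsoft\<dir>\<name>.dll
REGSVR32_RE = re.compile(
    r'(?i)regsvr32(\.exe)?\s+-s\s+"?c:\\users\\[^\\]+\\appdata\\roaming'
    r'\\microsoft\\[^\\]+\\[^\\]+\.dll"?')
# Reconnaissance commands observed after infection (lower-cased command-line prefixes)
RECON_PREFIXES = ("whoami /all", "ipconfig /all", "netstat -nao",
                  "nslookup -querytype=all -timeout=10 _ldap._tcp.dc._msdcs.")


def classify_event(event):
    """Return the chain stages a single file/process event matches (possibly none)."""
    hits = []
    path = event.get("file_path", "")
    cmd = event.get("command_line", "").strip()
    name = path.rsplit("\\", 1)[-1]          # file name without directory
    if ATTACHMENT_RE.match(name):
        hits.append("attachment_name")
    if STAGER_RE.match(path):
        hits.append("stager_drop")
    if REGSVR32_RE.search(cmd):
        hits.append("loader_regsvr32")
    if cmd.lower().startswith(RECON_PREFIXES):
        hits.append("recon_command")
    return hits


def score_host(events):
    """Aggregate distinct stages per host; several stages on one host is the strong signal."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify_event(ev))
    return {host: sorted(stages) for host, stages in per_host.items()}


# Constructed sample events (not real telemetry), shaped like endpoint file/process logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "file_path": r"C:\Users\alice\Downloads\abcd-0123456789.xls", "command_line": ""},
    {"host": "ws01", "file_path": r"C:\Datop\test1.test", "command_line": ""},
    {"host": "ws01", "file_path": "", "command_line":
        r'regsvr32.exe -s "C:\Users\alice\AppData\Roaming\Microsoft\Xkqz\Mnbv.dll"'},
    {"host": "ws01", "file_path": "", "command_line":
        "nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.corp.local"},
    {"host": "ws02", "file_path": r"C:\Users\bob\Documents\report-2021.xlsx", "command_line": "ipconfig /all"},
]

if __name__ == "__main__":
    for host, stages in score_host(SAMPLE_EVENTS).items():
        print(host, stages)
```

A single recon command (ws02) is noisy on its own; the attachment, stager, loader and recon stages together on ws01 are what distinguish this chain.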

Conclusions

QakBot is a well-known banking Trojan whose techniques vary from binary to binary (older and newer versions). It has been active for over a decade and does not look like it is going away anytime soon. The malware is constantly updated, and the threat actors keep adding new capabilities and updating their modules to steal information and maximize revenue. Using XLS documents often results in lower detection rates from security solutions that focus on the more common modern VBA macro malware. In addition, QakBot's payloads use a powerful set of anti-analysis features and advanced techniques to evade detection and frustrate analysis.

