Learn how hybrid work is fueling ransomware attacks and what to do about it.

Back to blog

An anatomy of HEAT attacks used by Qakbot campaigns

Qakbot, one of the leading banking Trojans around the globe

Share this article

Introduction

Qakbot, also known as QBot or Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed.

Qakbot has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy on financial operations, spread itself, and install ransomware to maximize revenue from compromised organizations.

The delivery vehicle of Qakbot is usually an email to the victim. This could be either an email attachment or a link in the email. The email attachments generally involve a document that downloads the Qakbot payload. Menlo Labs has been seeing several such strains of Qakbot campaigns recently.

In this blog, we’re going to discuss the different Qakbot campaigns that use various Highly Evasive Adaptive Threat (HEAT) techniques, and we’ll also explain how the Qakbot payload works.

HEAT Techniques Used by Qakbot

The different HEAT techniques used in Qakbot campaigns identified by Menlo Labs are as follows:

  • Email lure with hyperlink
  • Excel 4.0 macros
  • Follina exploit (CVE-2022-30190)
  • HTML Smuggling

We will provide examples of each of these techniques.

Email Lure with Hyperlink

In this campaign, a benign domain is compromised to host the malicious payload, and the link to the payload is sent via an email. To evade existing defenses, Qakbot used password-protected ZIP files, a known HEAT technique. Below is a screenshot that shows the poor detection of these password-protected payloads on VT.

The screenshot below shows the initial access method that Qakbot uses to evade existing defenses.

Diagram showing that clicking on a URL in an email leads to downloading a password protected ZIP file that downloads a JS payload, leading to Qakbot

The attack kill chain is as follows:

  • An email with a URL pointing to a malicious ZIP file is sent to the victims (hxxp[://]zigmatravels[.]lk/inmo/Main3173988897[.]zip).
  • The ZIP file is password protected (pwd – U523 md5 – afd1d504d88971e6f09d89e9dde8aeb8).
  • Inside the ZIP file is a link file with the ability to easily provide PowerShell commands or JS to execute.
  • Opening the link (md5 – 622D21C40A25F9834A03BFD5FF4710C1) file downloads the JS (md5 – 76cd1dfafc4d0fd89e228fe82ea721f6) file. The JS file then downloads the Qakbot payload.

The screenshot below shows one of the malicious .lnk download JS files.

The obfuscated JS file decrypts during runtime to download and execute payload from C2, as shown below.

Excel 4.0 Macros

In this campaign, Excel 4.0 macros were used to add commands into spreadsheet cells and send the email attachments to the intended targets.

Below are some examples of emails with attachments using Excel 4.0 macros to deliver Qakbot.

Diagram showing email with Macro 4.0 leads to Macro 4.0 leads to Qakbot

Email showing attachments of Excel file.

Examples of emails with attached excel files

Upon opening the XLS document, the user is asked to enable the macro to execute the Excel 4.0 macros.

Screenshot of Excel document with warning asking to enable macros

These commands present in the XLS file download and execute payload from C2.

CVE-2022-30190

In this campaign, a CVE-2022-30190 vulnerability (also referred to as Follina) was leveraged to deliver Qakbot. When executed, the document containing the exploit calls out to an external HTML file that uses ms-msdt URL protocol to execute PowerShell code.

Below are some examples of emails with attachments using CVE-2022-30190 to deliver Qakbot.

email with cve-2022-30190 leads to cve-2022-30190 docx file leads to ms-msdt leads to qakbot

The following are some examples of documents using CVE-2022-30190 (md5 – 7a91b01a037ccbfe6589161643d0a65a) to deliver Qakbot.

When we open the document, it tries to download the HTML file, which further downloads the Qakbot payload.

HTML (md5 – ea48f95ab4f3ca3b0c687a726cb00c49)

HTML Smuggling

In this campaign, a specially crafted HTML attachment or web page was used to build the malware locally behind a firewall.

Below are some examples of emails with an HTML Smuggling attachment.

examples of emails with HTML smuggling attachments

In this campaign, the spam email contains an HTML file (md5- 2881945BDF1DB34216CC565FEF4501D4) that was encoded with Base64, as shown.

The “var text” function was Base64 encoded with an Adobe image and a password-protected ZIP file “Report Jul 14 71645.zip” (md5- 5F57C9BF0923DE15046CCB14E41CE0A6 pwd – abc444) that gets constructed on execution, as shown below.

The infection chain of the attack is shown in the following image.

Diagram showing email with html leading to html smuggling leading to password protected ZIP file leading to JSO leading to DLL leading to regsvr leading to DLL leading to Qakbot

The infection chain of the Qakbot attack using the HTML Smuggling technique is as follows:

  • The victim opens the HTML email attachment.
  • The HTML file constructs the payload by decoding the Base64 format and displays the Adobe image and a password-protected ZIP file.
  • On extracting the ZIP file with the password, an ISO file “Report Jul 14 71645.iso” is dropped in the victim’s machine.
  • The ISO file that contains the Qakbot payload makes its way to the victim’s machine.

Qakbot Payload Analysis

Next, we’ll explain the working of Qakbot payload, which uses the ISO file and the components present inside that are responsible for the Qakbot execution.

Report Jul 14 71645.iso

The ISO file downloaded from the archive contains 7533.dll, calc.exe, Report Jul 14 71645.lnk, and WindowsCodecs.dll.

The functionality and details of the file are as follows:

  • Report Jul 14 71645.lnk (md5 – 622D21C40A25F9834A03BFD5FF4710C1)
    • Shortcut file used to execute the payload
  • Calc.exe (md5 – 60B7C0FEAD45F2066E5B805A91F4F0FC)
    • Legitimate Windows 7 calculator application
  • Windows Codecs.dll (md5 – 21930ABBBB06588EDF0240CC60302143)
    • Malicious .dll used as a DLL sideload with calc.exe to run regsrv.exe and load 7533.dll
  • 7533.dll (md5 – 1FFFB3FDB0A4B780385CC5963FD4D40C)
    • Qakbot payload

Upon executing the ISO file, the .lnk file executes calc.exe and uses .dll sideloading to load WindowsCodecs.dll, which then loads 7533.dll (Qakbot) using regsrv32.exe.

To detonate the Qakbot payload, the DLL sideloading attack evasive technique is used. Using this technique, calc.exe loads the masqueraded WindowsCodecs.dll to load 7533.dll using regsv32.exe, as shown below.

This final payload finally injects its malicious code into the wermgr.exe.

The Qakbot payload using regsrv32.exe to load the .dll file is packed using a runtime packer. The packer involves an XOR decryption to get the unpacked version of Qakbot, as shown below.

The unpacked payload is a 32-bit .dll file compiled on June 21, 2022.

This unpacked binary stores the C2 and Botnet ID in the resource section RCDATA (3C91E639 – C2, 89210AF9- Botnet ID).

It uses RC4 to decrypt its C2 and Botnet ID present in the resource section, as shown below.

We created a Python script (shown in the Appendix) to decrypt the Botnet ID and C2 using RC4. The binary we analyzed was using BotnetID Obama 201.

Menlo Protection Against QakBot

Customers using Menlo are protected against the initial access, thereby preventing endpoint infection.

The Menlo Platform protects against the following HEAT techniques employed by the Qakbot malware:

Password-Protected ZIP Files

The Menlo Platform opens all documents and archives downloaded from the Internet in the Isolation Core™, away from the user’s endpoint device. Malware actors commonly password protect malicious payloads to evade security defenses. If a download is password protected, then the Menlo Platform prompts a user to enter the password. Once the password is provided, the platform inspects the file and ensures that it’s safe for download.

Excel 4.0 Macros

The Menlo email product wraps any attachments received from outside the organization. The wrapped attachment is then opened in the Isolation Core™, where the document is converted to a safe version that can be viewed by the user, while the inspection engines determine whether the file is good or bad. Policies can also be configured to ensure that all documents downloaded from the Internet are always viewed, or that a SAFE version of a document is downloaded to the endpoint. Menlo’s Safedoc feature strips out all active content, thereby ensuring that any malicious aspect is removed.

Follina Exploit

Follina is the name given to the exploit that takes advantage of Microsoft Diagnostic Tools to fetch and execute remote code. The Menlo Platform opens all documents and archives downloaded from the Internet in the Isolation Core™, away from the user’s endpoint. The document is converted to a safe version that can be viewed by the user, while the inspection engines determine whether the file is good or bad. Policies can also be configured to ensure that all documents downloaded from the Internet are always viewed, or that a SAFE version of a document is downloaded to the endpoint. Menlo’s Safedoc feature strips out all active content, thereby ensuring that the malicious aspect is removed.

HTML Smuggling

The goal of HTML Smuggling is to make use of HTML5/JavaScript features to deliver file downloads, and it usually comes in two flavors:

While Qakbot uses HTML Smuggling via email attachments, Menlo Security has identified many malicious campaigns using the web vector for HTML Smuggling. A malicious payload that gets downloaded to the endpoint via HTML Smuggling evades all network inspection, because the payload is constructed on the browser. The Menlo Isolation Core™ has visibility into all types of JS and payloads constructed on the browser, and thus detects and blocks these kinds of attacks when delivered via the web vector.

Conclusion

In this post, we have showcased the different HEAT techniques used by Qakbot campaigns we analyzed. Customers using the Menlo Isolation platform are protected.

IOC

NameMd5
7533.dll1FFFB3FDB0A4B780385CC5963FD4D40C
Report Jul 14 71645.lnk622D21C40A25F9834A03BFD5FF4710C1
calc.exe60B7C0FEAD45F2066E5B805A91F4F0FC
WindowsCodecs.dll21930ABBBB06588EDF0240CC60302143
Report Jul 14 71645.ZIP5F57C9BF0923DE15046CCB14E41CE0A6
Report Jul 14 71645.ISO0C9164296949B72BF82EC1951AB7AC3B
C2
70.46.220.114:443
179.111.8.52:32101
208.107.221.224:443
176.45.218.138:995
24.158.23.166:995
24.54.48.11:443
89.101.97.139:443
24.55.67.176:443
24.139.72.117:443
120.150.218.241:995
174.69.215.101:443
38.70.253.226:2222
41.228.22.180:443
217.165.157.202:995
172.115.177.204:2222
173.21.10.71:2222
69.14.172.24:443
47.23.89.60:993
104.34.212.7:32103
66.230.104.103:443
81.158.239.251:2078
179.158.105.44:443
189.253.167.141:443
24.178.196.158:2222
174.80.15.101:2083
187.116.126.216:32101
100.38.242.113:995
74.14.5.179:2222
40.134.246.185:995
172.114.160.81:443
72.252.157.93:995
70.51.137.244:2222
82.41.63.217:443
197.89.11.218:443
37.34.253.233:443
67.209.195.198:443
67.165.206.193:993
93.48.80.198:995
111.125.245.116:995
1.161.118.53:443
76.25.142.196:443
148.64.96.100:443
217.128.122.65:2222
32.221.224.140:995
47.180.172.159:443
39.57.56.11:995
186.90.153.162:2222
37.186.58.99:995
86.97.10.37:443
39.44.116.107:995
182.191.92.203:995
86.98.78.118:993
117.248.109.38:21
39.52.44.132:995
1.161.118.53:995
91.75.85.128:1194
121.7.223.45:2222
39.41.90.210:995
46.107.48.202:443
190.252.242.69:443
187.172.31.52:443
72.252.157.93:993
72.252.157.93:990
47.145.130.171:443
63.143.92.99:995
197.92.136.122:443
45.46.53.140:2222
196.203.37.215:80
94.59.138.43:2222
92.132.132.81:2222
39.49.48.167:995
103.246.242.202:443
84.241.8.23:32103
94.59.15.180:2222
89.211.209.234:2222
94.36.193.176:2222
47.156.129.52:443
201.172.20.105:2222
109.12.111.14:443
85.6.232.221:2222
96.37.113.36:993
2.178.120.112:61202
193.136.1.58:443
103.133.11.10:995
120.61.3.142:443
182.52.159.24:443
78.100.219.38:50010
173.174.216.62:443
106.51.48.188:50001
67.69.166.79:2222
45.241.254.69:993
88.240.59.52:443
86.213.75.30:2078
24.43.99.75:443
101.50.67.155:995
108.56.213.219:995
5.32.41.45:443
39.53.139.2:995
80.11.74.81:2222

MITRE ATT&CK Technique

TacticTechnique IDTechnique Name
Initial AccessT1566SpearPhishing
Defense EvasionT1027.006Html Smuggling
Defense EvasionT1027Password Protected zip
ExecutionT1204User Execution
Defense EvasionT1574.002DLL Side-Loading
Defense EvasionT1055Process Injection
Command and ControlT1573.001RC4 Encryption

Appendix

Qakbot Config Decryption Code

—----------------------Config Decrptor—-----------------------------------
import hashlib
from arc4 import ARC4  
import struct
import socket, sys

key = b"\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe"
key = hashlib.sha1(key).digest()
print(key.hex())

file_res = open(sys.argv[1],"rb+") # c2 data from resource section
file_data = file_res.read()
file_res.close()
rc4 = ARC4(key)
data = rc4.decrypt(file_data)
print(data)

if len(data) > 70:
    data = data[20:]  
    out = ""
    while data:
   	 flag, ip, port = struct.unpack(">BLH",data[:7])
   	 ip = socket.inet_ntoa(struct.pack('!L', ip))
   	 data = data[7:]
   	 out += "{}:{}\n".format(ip,port)
    print(out)

Output Image

Share this article

Make the secure way to work the only way to work.

To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.