An anatomy of HEAT attacks used by Qakbot campaigns

Introduction

Qakbot, also known as QBot or Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed.

Qakbot has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy on financial operations, spread itself, and install ransomware to maximize revenue from compromised organizations.

The delivery vehicle of Qakbot is usually an email to the victim. This could be either an email attachment or a link in the email. The email attachments generally involve a document that downloads the Qakbot payload. Menlo Labs has been seeing several such strains of Qakbot campaigns recently.

In this blog, we’re going to discuss the different Qakbot campaigns that use various Highly Evasive Adaptive Threat (HEAT) techniques, and we’ll also explain how the Qakbot payload works.

HEAT Techniques Used by Qakbot

The different HEAT techniques used in Qakbot campaigns identified by Menlo Labs are as follows:

• Email lure with hyperlink
• Excel 4.0 macros
• Follina exploit (CVE-2022-30190)
• HTML Smuggling

We will provide examples of each of these techniques.

Email Lure with Hyperlink

In this campaign, a benign domain is compromised to host the malicious payload, and the link to the payload is sent via an email. To evade existing defenses, Qakbot used password-protected ZIP files, a known HEAT technique. Below is a screenshot that shows the poor detection of these password-protected payloads on VT.

The screenshot below shows the initial access method that Qakbot uses to evade existing defenses.

The attack kill chain is as follows:

• An email with a URL pointing to a malicious ZIP file is sent to the victims (hxxp[://]zigmatravels[.]lk/inmo/Main3173988897[.]zip).
• The ZIP file is password protected (pwd – U523 md5 – afd1d504d88971e6f09d89e9dde8aeb8).
• Inside the ZIP file is a link file with the ability to easily provide PowerShell commands or JS to execute.
• Opening the link (md5 – 622D21C40A25F9834A03BFD5FF4710C1) file downloads the JS (md5 – 76cd1dfafc4d0fd89e228fe82ea721f6) file. The JS file then downloads the Qakbot payload.

The screenshot below shows one of the malicious .lnk download JS files.

The obfuscated JS file decrypts during runtime to download and execute payload from C2, as shown below.

Excel 4.0 Macros

In this campaign, Excel 4.0 macros were used to add commands into spreadsheet cells and send the email attachments to the intended targets.

Below are some examples of emails with attachments using Excel 4.0 macros to deliver Qakbot.

Email showing attachments of Excel file.

Upon opening the XLS document, the user is asked to enable the macro to execute the Excel 4.0 macros.

These commands present in the XLS file download and execute payload from C2.

CVE-2022-30190

In this campaign, a CVE-2022-30190 vulnerability (also referred to as Follina) was leveraged to deliver Qakbot. When executed, the document containing the exploit calls out to an external HTML file that uses ms-msdt URL protocol to execute PowerShell code.

Below are some examples of emails with attachments using CVE-2022-30190 to deliver Qakbot.

The following are some examples of documents using CVE-2022-30190 (md5 – 7a91b01a037ccbfe6589161643d0a65a) to deliver Qakbot.

When we open the document, it tries to download the HTML file, which further downloads the Qakbot payload.

HTML (md5 – ea48f95ab4f3ca3b0c687a726cb00c49)

HTML Smuggling

In this campaign, a specially crafted HTML attachment or web page was used to build the malware locally behind a firewall.

Below are some examples of emails with an HTML Smuggling attachment.

In this campaign, the spam email contains an HTML file (md5- 2881945BDF1DB34216CC565FEF4501D4) that was encoded with Base64, as shown.

The “var text” function was Base64 encoded with an Adobe image and a password-protected ZIP file “Report Jul 14 71645.zip” (md5- 5F57C9BF0923DE15046CCB14E41CE0A6 pwd – abc444) that gets constructed on execution, as shown below.

The infection chain of the attack is shown in the following image.

The infection chain of the Qakbot attack using the HTML Smuggling technique is as follows:

• The victim opens the HTML email attachment.
• The HTML file constructs the payload by decoding the Base64 format and displays the Adobe image and a password-protected ZIP file.
• On extracting the ZIP file with the password, an ISO file “Report Jul 14 71645.iso” is dropped in the victim’s machine.
• The ISO file that contains the Qakbot payload makes its way to the victim’s machine.

Qakbot Payload Analysis

Next, we’ll explain the working of Qakbot payload, which uses the ISO file and the components present inside that are responsible for the Qakbot execution.

Report Jul 14 71645.iso

The ISO file downloaded from the archive contains 7533.dll, calc.exe, Report Jul 14 71645.lnk, and WindowsCodecs.dll.

The functionality and details of the file are as follows:

• Report Jul 14 71645.lnk (md5 – 622D21C40A25F9834A03BFD5FF4710C1)
  • Shortcut file used to execute the payload
• Calc.exe (md5 – 60B7C0FEAD45F2066E5B805A91F4F0FC)
  • Legitimate Windows 7 calculator application
• Windows Codecs.dll (md5 – 21930ABBBB06588EDF0240CC60302143)
  • Malicious .dll used as a DLL sideload with calc.exe to run regsrv.exe and load 7533.dll
• 7533.dll (md5 – 1FFFB3FDB0A4B780385CC5963FD4D40C)
  • Qakbot payload

Upon executing the ISO file, the .lnk file executes calc.exe and uses .dll sideloading to load WindowsCodecs.dll, which then loads 7533.dll (Qakbot) using regsrv32.exe.

To detonate the Qakbot payload, the DLL sideloading attack evasive technique is used. Using this technique, calc.exe loads the masqueraded WindowsCodecs.dll to load 7533.dll using regsv32.exe, as shown below.

This final payload finally injects its malicious code into the wermgr.exe.

The Qakbot payload using regsrv32.exe to load the .dll file is packed using a runtime packer. The packer involves an XOR decryption to get the unpacked version of Qakbot, as shown below.

The unpacked payload is a 32-bit .dll file compiled on June 21, 2022.

This unpacked binary stores the C2 and Botnet ID in the resource section RCDATA (3C91E639 – C2, 89210AF9- Botnet ID).

It uses RC4 to decrypt its C2 and Botnet ID present in the resource section, as shown below.

We created a Python script (shown in the Appendix) to decrypt the Botnet ID and C2 using RC4. The binary we analyzed was using BotnetID Obama 201.

Menlo Protection Against QakBot

Customers using Menlo are protected against the initial access, thereby preventing endpoint infection.

The Menlo Platform protects against the following HEAT techniques employed by the Qakbot malware:

Password-Protected ZIP Files

The Menlo Platform opens all documents and archives downloaded from the Internet in the Isolation Core™, away from the user’s endpoint device. Malware actors commonly password protect malicious payloads to evade security defenses. If a download is password protected, then the Menlo Platform prompts a user to enter the password. Once the password is provided, the platform inspects the file and ensures that it’s safe for download.

Excel 4.0 Macros

The Menlo email product wraps any attachments received from outside the organization. The wrapped attachment is then opened in the Isolation Core™, where the document is converted to a safe version that can be viewed by the user, while the inspection engines determine whether the file is good or bad. Policies can also be configured to ensure that all documents downloaded from the Internet are always viewed, or that a SAFE version of a document is downloaded to the endpoint. Menlo’s Safedoc feature strips out all active content, thereby ensuring that any malicious aspect is removed.

Follina Exploit

Follina is the name given to the exploit that takes advantage of Microsoft Diagnostic Tools to fetch and execute remote code. The Menlo Platform opens all documents and archives downloaded from the Internet in the Isolation Core™, away from the user’s endpoint. The document is converted to a safe version that can be viewed by the user, while the inspection engines determine whether the file is good or bad. Policies can also be configured to ensure that all documents downloaded from the Internet are always viewed, or that a SAFE version of a document is downloaded to the endpoint. Menlo’s Safedoc feature strips out all active content, thereby ensuring that the malicious aspect is removed.

HTML Smuggling

The goal of HTML Smuggling is to make use of HTML5/JavaScript features to deliver file downloads, and it usually comes in two flavors:

• Deliver the download via Data URLs on the client device.
• Create a JavaScript blob with the appropriate MIME-type that results in a download on the client device.

While Qakbot uses HTML Smuggling via email attachments, Menlo Security has identified many malicious campaigns using the web vector for HTML Smuggling. A malicious payload that gets downloaded to the endpoint via HTML Smuggling evades all network inspection, because the payload is constructed on the browser. The Menlo Isolation Core™ has visibility into all types of JS and payloads constructed on the browser, and thus detects and blocks these kinds of attacks when delivered via the web vector.

Conclusion

In this post, we have showcased the different HEAT techniques used by Qakbot campaigns we analyzed. Customers using the Menlo Isolation platform are protected.

IOC

MITRE ATT&CK Technique

Appendix

Qakbot Config Decryption Code

—----------------------Config Decrptor—-----------------------------------
import hashlib
from arc4 import ARC4  
import struct
import socket, sys

key = b"\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe"
key = hashlib.sha1(key).digest()
print(key.hex())

file_res = open(sys.argv[1],"rb+") # c2 data from resource section
file_data = file_res.read()
file_res.close()
rc4 = ARC4(key)
data = rc4.decrypt(file_data)
print(data)

if len(data) > 70:
    data = data[20:]  
    out = ""
    while data:
   	 flag, ip, port = struct.unpack(">BLH",data[:7])
   	 ip = socket.inet_ntoa(struct.pack('!L', ip))
   	 data = data[7:]
   	 out += "{}:{}\n".format(ip,port)
    print(out)

Output Image