1 min read
Critical Advisory Notice for SquirrelWaffle and Qakbot
In September 2021, multiple security research teams observed and reported email reply-chain attacks that distributed new SquirrelWaffle Loader and...
24/7/365 Monitoring & Alerting
Compromise Assessments
Threat Hunting
Vulnerability Management
CMMC Preparation & Assessment
Cybersecurity Assurance Readiness (CSAR®/RMF Pro)
ATO/RMF Support
If you are concerned about a potential threat or are experiencing a breach, contact our 24/7/365 emergency hotline at 888-860-0452.
Sign up to receive our biweekly newsletter that covers what's happening in cybersecurity including news, trends, and thought leadership.
At our core, Ingalls is a company that strives to be helpful to our clients while continuously innovating and evolving our technology and solutions. Since 2010, we have been dedicated to building a team and product that can stay steps ahead of threats, attacks, and vulnerabilities in an ever-changing landscape.
5 min read
Cyrus Robinson : Nov 1, 2022 12:00:00 AM
Qakbot Conversation Hijacking Phishing Campaigns Targeting Government, Law Enforcement, and Financial Sector Organizations.
Beginning July 2022, the Ingalls SOC began to observe an increase in malware infection attempts involving Qakbot (aka Qbot aka Pinkslipbot) across our client base but with a particular focus on state and local government and law enforcement organizations (especially government/law enforcement organizations in Louisiana) and, to a lesser extent, financial industry organizations. With ongoing international tensions in several regions and upcoming elections, the Ingalls SOC wants to ensure that our clients are protected from emerging threats within the threat landscape.
Qakbot is a modular information stealer trojan that has existed since at least 2007 and has continued to evolve since then and which has been associated with initial access by ransomware groups, including Black Basta recently.
Phishing campaigns delivering Qakbot often use one of the two following methods for initial delivery:
HTML Smuggling is a malware delivery technique that delivers malware using HTML5 and JavaScript contained within a malicious .HTML attachment.
Figure 1 - HTML Smuggling Overview
(source: Microsoft)
As shown above, the attack chain starts with the threat actor sending phishing emails with an included URL or HTML attachment. Once opened, the user is presented with a seemingly legitimate download page (usually an Adobe or Google Drive image) that presents the user with a password. In the background, javascript downloads the Qakbot malware in a password-protected zip file to bypass security detections.
Figure 2 - Example HTML Page displaying the file password
Upon opening the zip file, the user is presented with an .ISO. By default, double-clicking the .ISO will mount the .ISO as a virtual CD-ROM drive. Because the virtual CD-ROM drive is “read-only”, the malware contained within the drive may be detected by antivirus software, but it likely will not actually be able to quarantine the files until they are written to disk.
Figure 3 - Screenshot of the virtual CD-ROM .ISO file presented to the user
The virtual CD-ROM drive contains a hidden folder and shortcut (.LNK) file masquerading as a folder (using a folder icon). When the user double-clicks on the .LNK file, the shortcut calls a command script (or series of scripts) resulting in the installation of the Qakbot payload.
Figure 4 - Screenshot of the .LNK shortcut file masquerading as a folder.
There are several different infection chains that may play out after the user double clicks on the .LNK file. In some cases, the .LNK file contains the instructions to use curl.exe to download the Qakbot malware from a compromised web server and then to install it using regsvr32.exe. In some cases, the .LNK file calls a Javascript or .VBS script which then calls a .CMD script or .BAT script that loads the malware from a hidden directory on the virtual CD-ROM. In other cases, the .LNK file calls the .CMD script to load the malware from the hidden directory directly. In a recent case, Ingalls observed the .CMD script utilizing DLL side loading to deliver the payload via an executable masquerading as a .GIF image and .DLL masquerading as .BAT script.
While not as prevalent as HTML Smuggling Email Attachments lately, the Excel v4.0 Macro distribution method has also been used recently in attempts to deliver Qakbot trojan to intended victims. This method relies on users enabling editing and enabling content within Excel and, upon doing so, executes a series of hidden macros that download the Qakbot payload.
Figure 5 - Malicious Excel Document containing Excel v4.0 Macros Delivering Qakbot
After enabling editing and content, the macros will self-execute resulting in the download and installation of the Qakbot .dll, masquerading as a .png file, from a compromised web server. After downloading and loading the Qakbot malware, the malware will establish a scheduled task for persistence. The scheduled tasks contain a Base64 Encoded Powershell script to reload the malware.
Conversation hijacking phishing emails use previous, legitimate email threads as a pretext to establish legitimacy with the intended victims.
While not all of the phishing emails seen delivering Qakbot payloads utilize conversation hijacking, many of them do. This also implies that the threat actors have likely successfully compromised the email account of one of the participants in the original, legitimate email conversation and have exfiltrated those conversations. Usually, in conversation hijacking phishing attacks, the threat actors will also change the display name on the sender account to the name of the individual who they are masquerading as.
Corresponding to the exfiltration of email conversations, the Ingalls SOC has also observed an increase in credential harvesting phishing attacks against many of the same government agencies, law enforcement organizations, and financial institutions where we’ve observed an increase in Qakbot attacks. Once an email account has been compromised, threat actors may export the emails in that user’s inbox in order to target their email contacts with conversation hijacking phishing attacks.
The Ingalls SOC is actively threat-hunting for any IoCs within client environments, but we recommend that organizations, especially government, law enforcement, and financial institutions:
Figure 6 - Example of the registry value that needs to be set for ISO files.
Prevent mounting virtual DVD-ROM devices on user workstations via GPO. This can be set via the "Prevent installation of devices that match any of these device IDs" policy within the Local Group Policy > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions settings. Set this to "Enabled" and set the value to SCSI\CdRomMsft____Virtual_DVD-ROM_.
Figure 7 - Example of the Group Policy setting that should be configured on user workstations.
Need assistance responding to this advisory or are concerned about an incident? Call our 24x7 emergency hotline at 888-860-0452.
For those of you who may want to dig into the Indicators of Compromise, download the list here:
About the AuthorCyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman with primary responsibilities with testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD Contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group which contribute to his knowledge with security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Masters of Science in Information Security and Assurance.
|
1 min read
In September 2021, multiple security research teams observed and reported email reply-chain attacks that distributed new SquirrelWaffle Loader and...
On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution...
CVE-2021-1675(akaPrintNightmare) is a vulnerability in the built-in Windows “Print Spooler” service. Microsoft released a patch for CVE-2021-1675as