Cybersecurity Blog | Ingalls Information Security

If It Walks Like a Qakbot and Quacks Like a Qakbot…

Written by Cyrus Robinson | Nov 1, 2022 7:23:52 PM

Qakbot Conversation Hijacking Phishing Campaigns Targeting Government, Law Enforcement, and Financial Sector Organizations.

Beginning in July 2022, the Ingalls SOC observed an increase in malware infection attempts involving Qakbot (aka Qbot, aka Pinkslipbot) across our client base, with a particular focus on state and local government and law enforcement organizations (especially those in Louisiana) and, to a lesser extent, financial industry organizations. With ongoing international tensions in several regions and upcoming elections, the Ingalls SOC wants to ensure that our clients are protected from these emerging threats.

Qakbot is a modular information-stealer trojan that has existed since at least 2007, has continued to evolve since then, and has been associated with initial access for ransomware groups, most recently Black Basta.

Qakbot is often distributed via phishing campaigns and has recently been observed being dropped alongside or by SmokeLoader, Emotet, Cobalt Strike, and Brute Ratel (a penetration-testing framework similar to Cobalt Strike).

Phishing campaigns delivering Qakbot often use one of the two following methods for initial delivery:

  1. HTML Smuggling Email Attachments
  2. Excel Document with Hidden v4.0 Macro Email Attachments


HTML Smuggling Email Attachments

HTML Smuggling is a malware delivery technique that delivers malware through HTML5 and JavaScript code embedded in a malicious .HTML attachment.


Figure 1 - HTML Smuggling Overview
(source: Microsoft)

As shown above, the attack chain starts with the threat actor sending phishing emails that include a URL or an HTML attachment. Once opened, the user is presented with a seemingly legitimate download page (usually an Adobe or Google Drive image) that displays a password to the user. In the background, JavaScript downloads the Qakbot malware inside a password-protected zip file to bypass security detections.
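As an added illustration (not code from the Ingalls post), the PowerShell function below scores an .HTML attachment for the JavaScript constructs that HTML smuggling depends on: decoding a Base64 string in the browser, wrapping it in a Blob, and triggering a download. The indicator list, the threshold, and the sample fragment are the example's own choices, not a vendor signature.

```powershell
# Added example, not part of the original post. Scores HTML attachment text for
# the browser-side constructs HTML smuggling relies on. Any one indicator is
# common in legitimate pages; several together inside a standalone .html
# attachment are what make the file worth quarantining for analyst review.

function Get-HtmlSmugglingScore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Html,
        [int]$Threshold = 3    # example threshold, tune against your own mail flow
    )

    $indicators = [ordered]@{
        'atob() Base64 decode'          = 'atob\s*\('
        'Blob constructed in script'    = 'new\s+Blob\s*\('
        'Object URL for a Blob'         = 'createObjectURL\s*\('
        'Anchor download attribute'     = '\.download\s*=|\bdownload\s*=\s*["'']'
        'Legacy IE save API'            = 'msSaveOrOpenBlob|msSaveBlob'
        'Programmatic click()'          = '\.click\s*\(\s*\)'
        'Large Base64-looking literal'  = '[A-Za-z0-9+/]{1000,}={0,2}'
        'Archive or disk-image name'    = '\.(zip|iso|img|vhd)\b'
    }

    $hits = @(foreach ($name in $indicators.Keys) {
        if ($Html -match $indicators[$name]) { $name }
    })

    [pscustomobject]@{
        Score      = $hits.Count
        Suspicious = $hits.Count -ge $Threshold
        Indicators = $hits
    }
}

function Test-HtmlAttachmentFolder {
    # Convenience wrapper for a quarantine directory: one result row per .html file.
    param([Parameter(Mandatory)] [string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Filter *.htm* -File | ForEach-Object {
        $r = Get-HtmlSmugglingScore -Html (Get-Content -LiteralPath $_.FullName -Raw)
        $r | Add-Member -NotePropertyName File -NotePropertyValue $_.Name -PassThru
    }
}

# Constructed sample fragment (not a real attachment, deliberately incomplete):
# a decoy "password" page whose script references the indicator APIs.
$sample = '<p>Your file is protected. Password: <b>1234</b></p>' +
          '<script>var b = new Blob([atob(data)]); a.href = URL.createObjectURL(b); ' +
          'a.download = "Document.zip"; a.click();</script>'

Get-HtmlSmugglingScore -Html $sample | Format-List
```

Run `Test-HtmlAttachmentFolder -Folder C:\Quarantine` (path assumed) to score a batch of held attachments; the sample fragment above scores 5 of 8 indicators and is reported as suspicious at the default threshold.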


Figure 2 - Example HTML Page displaying the file password

Upon opening the zip file, the user is presented with an .ISO file. By default, double-clicking the .ISO mounts it as a virtual CD-ROM drive. Because the virtual CD-ROM drive is read-only, antivirus software may detect the malware contained within the drive but likely will not be able to quarantine the files until they are written to disk.


Figure 3 - Screenshot of the virtual CD-ROM .ISO file presented to the user

The virtual CD-ROM drive contains a hidden folder and a shortcut (.LNK) file masquerading as a folder (using a folder icon). When the user double-clicks the .LNK file, the shortcut calls a command script (or series of scripts) that results in the installation of the Qakbot payload.


Figure 4 - Screenshot of the .LNK shortcut file masquerading as a folder.

There are several different infection chains that may play out after the user double-clicks the .LNK file. In some cases, the .LNK file contains the instructions to use curl.exe to download the Qakbot malware from a compromised web server and then to install it using regsvr32.exe. In other cases, the .LNK file calls a JavaScript or .VBS script, which then calls a .CMD or .BAT script that loads the malware from a hidden directory on the virtual CD-ROM. In still other cases, the .LNK file calls the .CMD script directly to load the malware from the hidden directory. In a recent case, Ingalls observed the .CMD script using DLL side-loading to deliver the payload via an executable masquerading as a .GIF image and a .DLL masquerading as a .BAT script.


Excel Document with Hidden v4.0 Macro Email Attachments

While not as prevalent as HTML Smuggling Email Attachments lately, the Excel v4.0 Macro distribution method has also been used recently in attempts to deliver the Qakbot trojan to intended victims. This method relies on users enabling editing and enabling content within Excel; upon doing so, a series of hidden macros executes and downloads the Qakbot payload.


Figure 5 - Malicious Excel Document containing Excel v4.0 Macros Delivering Qakbot

After editing and content are enabled, the macros self-execute, resulting in the download and installation of the Qakbot .dll, masquerading as a .png file, from a compromised web server. After the Qakbot malware is downloaded and loaded, it establishes a scheduled task for persistence. The scheduled task contains a Base64-encoded PowerShell script to reload the malware.
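Scheduled tasks that launch PowerShell with a Base64-encoded command are easy to enumerate on a suspect host. The script below is an added example, not code from the Ingalls post: it lists every such task, decodes the command for analyst review, and flags loader-style content. It changes nothing on the host; the flag keywords and the demonstration command are the example's own.

```powershell
# Added example, not from the Ingalls post. Hunts for scheduled tasks that run
# PowerShell with an encoded command (the persistence pattern described above)
# and decodes the command so an analyst can read it. Read-only: no task is
# modified. Run in an elevated session on the host being examined.

function ConvertFrom-EncodedCommandLine {
    # Returns the decoded script for a command line that uses -EncodedCommand
    # (or any prefix PowerShell accepts, such as -e, -ec, -enc), otherwise $null.
    param([Parameter(Mandatory)] [string]$CommandLine)

    $pattern = '(?i)(?:^|\s)-e[a-z]{0,14}\s+([A-Za-z0-9+/=]{20,})'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }
    try {
        # PowerShell encodes -EncodedCommand input as UTF-16LE before Base64.
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return '<argument is not valid Base64>'
    }
}

function Get-EncodedPowerShellTask {
    # One object per scheduled-task action that runs an encoded PowerShell command.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $cmdline = "$($action.Execute) $($action.Arguments)"
            if ($cmdline -notmatch 'powershell|pwsh') { continue }
            $decoded = ConvertFrom-EncodedCommandLine -CommandLine $cmdline
            if ($null -eq $decoded) { continue }
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                RunAs       = $task.Principal.UserId
                CommandLine = $cmdline
                Decoded     = $decoded
                # Example keyword set for loader-style content worth escalating.
                Flagged     = $decoded -match 'regsvr32|rundll32|\.dll\b|DownloadString|DownloadFile|IEX|Invoke-Expression'
            }
        }
    }
}

# Constructed demonstration (not a real Qakbot task): exercises the decoder on a
# harmless encoded command without touching the task scheduler.
$demo = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "hello from a scheduled task"'))
ConvertFrom-EncodedCommandLine -CommandLine "powershell.exe -NoP -W Hidden -enc $demo"

# Live hunt on this host:
Get-EncodedPowerShellTask | Format-List
```

The decoded text is shown rather than executed; if it contains a second Base64 layer or a compressed stream, decode that in the same read-only way before drawing conclusions. Tasks created by legitimate management tooling also use encoded commands, so the `Flagged` column is a triage aid, not a verdict.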


Conversation Hijacking

Conversation hijacking phishing emails use previous, legitimate email threads as a pretext to establish legitimacy with the intended victims.

Threat actors using conversation hijacking will copy and paste the contents of previous conversations with the “sender” into the body of the phishing email with a malicious attachment or link included.

While not all of the phishing emails seen delivering Qakbot payloads utilize conversation hijacking, many of them do. This also implies that the threat actors have likely successfully compromised the email account of one of the participants in the original, legitimate email conversation and have exfiltrated those conversations. Usually, in conversation hijacking phishing attacks, the threat actors will also change the display name on the sender account to the name of the individual who they are masquerading as.

Corresponding to the exfiltration of email conversations, the Ingalls SOC has also observed an increase in credential harvesting phishing attacks against many of the same government agencies, law enforcement organizations, and financial institutions where we’ve observed an increase in Qakbot attacks. Once an email account has been compromised, threat actors may export the emails in that user’s inbox in order to target their email contacts with conversation hijacking phishing attacks.

Recommendations

The Ingalls SOC is actively threat-hunting for any IoCs within client environments, but we recommend that organizations, especially government, law enforcement, and financial institutions:

  1. Train users to be aware that phishing emails may contain the contents of previous, legitimate email conversations and that the sender’s display name is not necessarily the person who sent the email.
  2. Train users not to download or open unknown attachments, especially .html or office documents.
  3. Ensure that MFA is enabled for all users' email access.
  4. Consider implementing email filtering rules to block .html attachments and office documents from external senders (if your legitimate email business use allows for this).
  5. Perform a mail trace to look for emails from any of the “Compromised/Email Sender Domain IoCs” listed below. Quarantine and remediate accordingly.
  6. Prevent mounting .ISO or .VHD files via double-click or the context menu (Right-click > Mount) for end users. Administrators may still mount .ISO or .VHD files using the Mount-DiskImage command. To disable double-click or context-menu .ISO/.VHD mounting, we recommend that clients create the following Windows Registry values (this can be done via GPO) on user workstations:
  • Registry Key: HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount
    • Registry Value: ProgrammaticAccessOnly
    • Value Type: String Value (REG_SZ)
    • Value Data: Empty
  • Registry Key: HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount
    • Registry Value: ProgrammaticAccessOnly
    • Value Type: String Value (REG_SZ)
    • Value Data: Empty


Figure 6 - Example of the registry value that needs to be set for ISO files.

  7. Prevent mounting virtual DVD-ROM devices on user workstations via GPO. This can be set via the "Prevent installation of devices that match any of these device IDs" policy within the Local Group Policy > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions settings. Set this to "Enabled" and set the value to SCSI\CdRomMsft____Virtual_DVD-ROM_.


Figure 7 - Example of the Group Policy setting that should be configured on user workstations.

  8. Block, at the firewall, the IP addresses and domains in the "Compromised/Email Sender Domain IoCs" and "Command and Control (C2) IP Address IoCs" lists below.
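For recommendation 6, the registry values can be applied and audited per workstation with PowerShell. The script below is an added example, not code from the Ingalls post: it writes the two ProgrammaticAccessOnly values named above, reports whether each key is hardened, and provides a rollback. Function names are the example's own; the keys and value name are those from the recommendation.

```powershell
# Added example, not from the Ingalls post. Applies and audits the
# ProgrammaticAccessOnly value from recommendation 6 on one workstation.
# Run elevated; for a fleet, deploy the same values as a GPO registry preference.
# Explorer checks only that the value exists, so empty REG_SZ data is sufficient.

# HKEY_CLASSES_ROOT has no PSDrive by default; the Registry:: provider prefix reaches it.
$ImageMountVerbKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount',
    'Registry::HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount'
)

function Set-ImageMountProgrammaticOnly {
    # Hides the Mount verb from double-click and the context menu.
    # Mount-DiskImage, used by administrators, is unaffected.
    foreach ($key in $ImageMountVerbKeys) {
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Warning "Not present on this host, skipping: $key"
            continue
        }
        New-ItemProperty -LiteralPath $key -Name 'ProgrammaticAccessOnly' `
            -PropertyType String -Value '' -Force | Out-Null
    }
}

function Test-ImageMountProgrammaticOnly {
    # One row per key; collect across hosts for a compliance report.
    foreach ($key in $ImageMountVerbKeys) {
        $hardened = $false
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key
            $hardened = $item.GetValueNames() -contains 'ProgrammaticAccessOnly'
        }
        [pscustomobject]@{ Key = $key; Hardened = $hardened }
    }
}

function Remove-ImageMountProgrammaticOnly {
    # Rollback for a host that legitimately needs double-click mounting.
    foreach ($key in $ImageMountVerbKeys) {
        Remove-ItemProperty -LiteralPath $key -Name 'ProgrammaticAccessOnly' -ErrorAction SilentlyContinue
    }
}

Set-ImageMountProgrammaticOnly
Test-ImageMountProgrammaticOnly | Format-Table -AutoSize
```

Writes through HKEY_CLASSES_ROOT land in HKLM\SOFTWARE\Classes unless a per-user override of the key already exists, which is why a machine-scoped GPO preference is the cleaner way to deploy this at scale; the Test function is still useful afterwards to confirm the policy actually applied on a given host.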


Contact Us for Help

Need assistance responding to this advisory or are concerned about an incident? Call our 24x7 emergency hotline at 888-860-0452.

For those of you who may want to dig into the Indicators of Compromise, download the list here:


About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman with primary responsibilities with testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD Contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group which contribute to his knowledge with security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Masters of Science in Information Security and Assurance.