QakBot, also known as QBot, QuackBot and Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed.
In recent years, QakBot has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials( e.g ., logins, passwords, etc .), though it has also acquired functionality enable it to spy on financial operations, spread itself, and install ransomware in order to maximize revenue from compromised organizations.
To this day, QakBot continues to grow in terms of functionality, with even more capabilities and new techniques such as logging keystrokes, a backdoor functionality, and techniques to escape detecting. It’s worth mentioning that the latter includes virtual environment detection, regular self-updates and cryptor/ packer alterations. In addition, QakBot tries to protect itself from being analyzed and debugged by experts and automated tools.
Another interesting piece of functionality is the ability to steal emails. These are later used by the attackers to send targeted emails to the victims, with the obtained information being used to lure victims into opening those emails.
QakBot is known to infect its victims mainly via spam campaigns. In some suits, the emails was handed over with Microsoft Office documents( Word, Excel) or password-protected archives with the above-mentioned documents attached. The above-mentioned documents contained macros and victims were prompted to open the attachments with claims that they contained important information( e.g ., an invoice ). In some occurrences, the emails contained links to web pages distributing malicious documents.
The initial infection vectors may vary depending on what security threats performers belief has the best chance of success for the targeted organization( s ). It’s known that various threat performers perform reconnaissance( OSINT) of target organizations beforehand to decide which infection vector is most suitable.
The user receives a phishing email with a ZIP attachment containing an Office document with embedded macros, the document itself or a link to download malicious document. The customer opens the malicious attachment/ relate and is tricked into clicking” Enable content “. A malicious macro is executed. Some variants perform a’ GET’ request to a URL requesting a’ PNG’ However, the file is in fact a binary. The loaded warhead( stager) includes another binary containing encrypted resource modules. One of the encrypted resources has the DLL binary( loader) which is decrypted later during runtime. The’ Stager’ loadings the’ Loader’ into the memory, which decrypts and runs the payload during runtime. The configuration settings are recovered from another resource. The payload communicates with the C2 server. Additional menaces such as ProLock ransomware can now be pushed to the infected machine.
Typical QakBot roles
Typical QakBot malicious activity observed in the wild includes 😛 TAGEND
Collecting information about the compromised host; Creating scheduled duties( privilege escalation and persistency ); Credentials harvesting:
Password brute coerce; Registry manipulation( persistence ); Creating a photocopy of itself; Process injection to conceal the malicious process.
Communication with C2
The QakBot malware contains a list of 150 IP addresses hardcoded into the loader binary resource. Most of these addresses is a matter for other infected systems that are used as a proxy to forward traffic to other proxies or the real S2.
Communication with the S2 is a HTTPS POST request with Base6 4-encoded data. The data is encrypted with the RC4 algorithm. The static string “jHxastDcds)oMc=jvh7wdUhxcsdt2” and a random 16 -byte sequence are used for encryption. The data itself is in JSON format.
Original message in JSON format
HTTPS POST request with encrypted JSON
Usually, after infection the bot sends a’ PING’ message,’ SYSTEM INFO’ message and’ ASK for COMMAND’ message, and the C2 replies with’ ACK’ and’ COMMAND’ messages. If additional modules were pushed by the C2, the bot sends a’ STOLEN INFO’ message containing data stolen by the modules.
‘ PING’ message- bot petition message to C2 with’ BOT ID’ in order to verify if S2 is active:
‘ ACK’ message- C2 response message with battleground “16” containing the external IP address of the infected system, the only valuable information:
‘ SYSTEM INFO’ message- bot petition message to C2 with info collected about the infected system. In addition to general system knowledge such as OS version and bitness, customer name, computer name, realm, screen resolution, system day, system uptime and bot uptime, it also contains the results of the following utilities and WMI queries:
whoami/ all arp -a ipconfig/ all net view/ all cmd/ c determined nslookup -querytype= ALL -timeout= 10 _ldap._tcp.dc._msdcs . DOMAIN nltest/ domain_trusts/ all_trusts net share route publish netstat -nao net localgroup qwinsta WMI Query ROOT \ CIMV2: Win3 2_BIOS WMI Query ROOT \ CIMV2: Win3 2_DiskDrive WMI Query ROOT \ CIMV2: Win3 2_PhysicalMemory WMI Query ROOT \ CIMV2: Win3 2_Product WMI Query ROOT \ CIMV2: Win3 2_PnPEntity
‘SYSTEM INFO’ message
‘ ASK for COMMAND’ message- bot command petition message to C2. After the’ SYSTEM INFO’ message is mailed, the bot starts asking the C2 for a command to execute. One of the main fields is “14”- the SALT. This battleground is unique and changes in every request. It is used to protect against hijacking or takeover of a bot. After receiving this petition, the S2 uses the SALT in the signing procedure and places the signature in the response, so the bot can check the signed data. Simply a valid and signed command will be executed.
‘ASK for COMMAND’ message
‘ COMMAND’ message- C2 response message with command to execute. The current version of the bot supportings 24 commands, most of them related to download, executing, drop-off of additional modules and module configuration files with different options, or setup/ update configuration values. This type of message contains the signed value of the SALT( obtained from the bot’s request field ” 14″ ), COMMAND ID and MODULE ID. The other values of the message are not signed.In previous versions, the bot received modules and commands immediately after infection and sending a’ SYSTEM INFO’ message. Now, the C2 reacts with an empty command for about an hour. Merely after that will the C2 send commands and modules in the response. We believe that this time delay is used to make it difficult to receive and analyze new commands and modules in an isolated controlled environment.
‘COMMAND’ C2 response with empty command
If the C2 pushes some modules, the Base6 4-encoded binary is placed into field “20” of the message.
‘COMMAND’ C2 response with additional module to load
‘ STOLEN INFO’ message- bot message to C2 with stolen datum like passwords, accounts, emails, etc. Stolen information is RC4 encrypted and Base6 4 encoded. The key for the RC4 encryption is generated in a different way and based on the infected system ID( aka Bot ID) values, and not based on a static string such as in the case of traffic encryption.
‘STOLEN INFO’ message
The additional modules differ from sample to sample and may include:’ Cookie grabber ‘,’ Email Collector ‘,’ Credentials grabber ‘, and’ Proxy module’ among others.
These modules may be written by the threat actors themselves or may be borrowed from third-party repositories and accommodated. It can differ from sample to sample. For example, there are older samples that may use Mimikatz for credentials dumping.
Cookie Grabber- accumulates cookies from popular browsers( Edge, Firefox, Chrome, Internet Explorer ).
Hidden VNC- permits menace actors to connect to the infected machine and interact with it without the real user knowing.
Email Collector- tries to find Microsoft Outlook on the infected machine, then iterates over the software folders and recursively accumulates emails. Eventually, the module exfiltrates the compiled emails to the remote server.
Hooking module- hooks a hardcoded determine of WinAPI and( if they exist) Mozilla DLL Hooking is used to perform web injects, sniff traffic and keyboard data and even avoid DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module acquires parts from the hardcoded fixed and modifies the functions so they hop to custom code.
The module contains a ciphered list of DLLs and functions that the bot will hook
Passgrabber module- accumulates logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords employing its own algorithms.
Procedure that compiles passwords from different sources
Proxy module- tries to determine which ports are available to listen to using the UPnP port forwarding and tier 2 S2 query. Comparing current and old proxy loader versions exposed some interesting things: the threat performers decided to remove the cURL dependency from the binary and perform all HTTP communications using their own code. Besides removing cURL, they likewise removed OpenSSL dependencies and embedded all functions into a single executable- there are no more proxy loaders or proxy modules, it’s a single file now.
UPnP port forwarding query construction
After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module likewise starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command( 1 byte ), version( 1 byte ), conference id( 4 bytes ), total packet length( dword ), data( total packet length-1 0 ). Incoming and outgoing packets are stored in the buffers and may be received/ transmitted one by one or in multiple packets in a single TCP data segment( streamed ).
The usual proxy module execution flowing is as follows 😛 TAGEND
Communicate with the C2, try to forward ports with UPnP and specify available ports and report them to the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data. Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file. Determine up external PROXY-C2 connection that was received with command 37( update config )/ module 274( proxy) by the stager.
Communicating with the external PROXY-C2 😛 TAGEND
Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, overrule DNS lookup of the external IP address, internet hastened( measured earlier) and seconds since the proxy module started. Establish a linkage( proxy commands sequence 1-> 10 -> 11) with the PROXY-C2. Initialize sessions, perform socks5 authorization with login/ password( received from PROXY-C2 with command 10 ). Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol.
QakBot proxy commands are as follows 😛 TAGEND
Command Description 1 Hello( bot-> C2)
10 Set up auth credentials( C2-> bot)
11 Show credentials setup( bot-> C2)
2 Make new proxy session( C2-> bot)
3 SOCKS5 AUTH( bot-> C2)
4 SOCKS5 requests processing( works for both sides)
5 Close conference( works for both sides)
6 Update conference nation/ conference government updated notification( works for both sides)
7 Update conference state/ session country updated notification( works for both sides)
8 PING( C2-> bot)
9 PONG( bot-> C2)
19 Save current time in registry( C2-> bot)
Parsed packets from C2
Tracking single proxy
We analyzed statistics on QakBot assaults collected from our Kaspersky Security Network( KSN ), where anonymized data voluntarily provided by Kaspersky consumers is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number be less than the detection number from January to July 2020, though the number of users affected grew by 65% compared to the previous year and reached 17,316.
We observed the largest campaigns in Q1 2021 when 12,704 customers encountered QakBot, with 8,068 Kaspersky users being targeted in January and 4,007 in February.
QakBot is a known Trojan-Banker whose techniques may vary from binary to binary( older and newer versions ). It has been active for over a decade and doesn’t look like going away anytime soon. The malware is continuously receiving updates and the threat actors keep adding new capabilities and updating its modules in order to steal information and maximize revenue.
We know that threat actors alter how they perform their malicious activities based on security vendor activities, employing sophisticated techniques to stay under the radar. Although QakBot employs different techniques to avoid detection, for example, process enumeration in order to find running anti-malware solutions, our products are able to detect the threat using behavior analysis. The judgments usually assigned to this malware 😛 TAGEND
Backdoor.Win3 2. QBot Backdoor.Win64.QBot Trojan.JS.QBot Trojan.MSOffice.QBot Trojan.MSOffice.QbotLoader Trojan.Win32.QBot Trojan-Banker.Win3 2. QBot Trojan-Banker.Win32.QakBot Trojan-Banker.Win6 4. QBot Trojan-Downloader.JS.QBot Trojan-PSW.Win3 2. QBot Trojan-Proxy.Win32.QBot
Indicators of compromise( C2 server addresses)
75.67.192 [.] 125:443 24.179.77[.]236:443 70.163.161 [.] 79:443
72.240.200 [.] 181:2222 184.185.103[.]157:443 78.63.226 [.] 32:443
83.196.56 [.] 65:2222 95.77.223[.]148:443 76.168.147 [.] 166:993
105.198.236 [.] 99:443 73.151.236[.]31:443 64.121.114 [.] 87:443
213.122.113 [.] 120:443 97.69.160[.]4:2222 77.27.207 [.] 217:995
105.198.236 [.] 101:443 75.188.35[.]168:443 31.4.242 [.] 233:995
144.139.47 [.] 206:443 173.21.10[.]71:2222 125.62.192 [.] 220:443
83.110.109 [.] 155:2222 76.25.142[.]196:443 195.12.154 [.] 8: 443
186.144.33 [.] 73:443 67.165.206[.]193:993 96.21.251 [.] 127:2222
149.28.98 [.] 196:2222 222.153.122[.]173:995 71.199.192 [.] 62:443
45.77.117 [.] 108:2222 45.46.53[.]140:2222 70.168.130 [.] 172:995
45.32.211 [.] 207:995 71.74.12[.]34:443 82.12.157 [.] 95:995
149.28.98 [.] 196:995 50.29.166[.]232:995 209.210.187 [.] 52:995
149.28.99 [.] 97:443 109.12.111[.]14:443 209.210.187 [.] 52:443
207.246.77 [.] 75:8443 68.186.192[.]69:443 67.6.12 [.] 4:443
149.28.99 [.] 97:2222 188.27.179[.]172:443 189.222.59 [.] 177:443
149.28.101 [.] 90:443 98.192.185[.]86:443 174.104.22 [.] 30:443
149.28.99 [.] 97:995 189.210.115[.]207:443 142.117.191 [.] 18:2222
149.28.101 [.] 90:8443 68.204.7[.]158:443 189.146.183 [.] 105:443
92.59.35 [.] 196:2222 75.137.47[.]174:443 213.60.147 [.] 140:443
45.63.107 [.] 192:995 24.229.150[.]54:995 196.221.207 [.] 137:995
45.63.107 [.] 192:443 86.220.60[.]247:2222 108.46.145 [.] 30:443
45.32.211 [.] 207:8443 193.248.221[.]184:2222 187.250.238 [.] 164:995
197.45.110 [.] 165:995 151.205.102[.]42:443 2.7.116 [.] 188:2222
45.32.211 [.] 207:2222 71.41.184[.]10:3389 195.43.173 [.] 70:443
96.253.46 [.] 210:443 24.55.112[.]61:443 106.250.150 [.] 98:443
172.78.59 [.] 180:443 24.139.72[.]117:443 45.67.231 [.] 247:443
90.65.234 [.] 26:2222 72.252.201[.]69:443 83.110.103 [.] 152:443
47.22.148 [.] 6:443 175.143.92[.]16:443 83.110.9 [.] 71:2222
149.28.101 [.] 90:995 100.2.20[.]137:443 78.97.207 [.] 104:443
207.246.77 [.] 75:2222 46.149.81[.]250:443 59.90.246 [.] 200:443
144.202.38 [.] 185:995 207.246.116[.]237:8443 80.227.5 [.] 69:443
45.77.115 [.] 208:995 207.246.116[.]237:995 125.63.101 [.] 62:443
149.28.101 [.] 90:2222 207.246.116[.]237:443 86.236.77 [.] 68:2222
45.32.211 [.] 207:443 207.246.116[.]237:2222 109.106.69 [.] 138:2222
149.28.98 [.] 196:443 45.63.107[.]192:2222 84.72.35 [.] 226:443
45.77.117 [.] 108:443 71.163.222[.]223:443 217.133.54 [.] 140:32100
144.202.38 [.] 185:2222 98.252.118[.]134:443 197.161.154 [.] 132:443
45.77.115 [.] 208:8443 96.37.113[.]36:993 89.137.211 [.] 239:995
45.77.115 [.] 208:443 27.223.92[.]142:995 74.222.204 [.] 82:995
207.246.77 [.] 75:995 24.152.219[.]253:995 122.148.156 [.] 131:995
45.77.117 [.] 108:8443 24.95.61[.]62:443 156.223.110 [.] 23:443
45.77.117 [.] 108:995 96.61.23[.]88:995 144.139.166 [.] 18:443
45.77.115 [.] 208:2222 92.96.3[.]180:2078 202.185.166 [.] 181:443
144.202.38 [.] 185:443 71.187.170[.]235:443 76.94.200 [.] 148:995
207.246.77 [.] 75:443 50.244.112[.]106:443 71.63.120 [.] 101:443
140.82.49 [.] 12:443 24.122.166[.]173:443 196.151.252 [.] 84:443
81.214.126 [.] 173:2222 73.25.124[.]140:2222 202.188.138 [.] 162:443
216.201.162 [.] 158:443 47.196.213[.]73:443 74.68.144 [.] 202:443
136.232.34 [.] 70:443 186.154.175[.]13:443 69.58.147 [.] 82:2078
* Can be performed as an external command( widened module ).