Qakbot/Qbot - What to do if it got you?

Written by Foregenix | 2/19/20 12:00 PM

We have recently been reacquainted with an old “thorn” in the form of an increase in the number of cases involving Qakbot (also known as Qbot). This malware campaign has been around since early 2007 but can still be extremely dangerous, even given its age. With this in mind, we’re sharing some information so that you can protect yourself from this attack.

Qakbot is essentially a “banking trojan” whose main goal is to harvest information relating to online bank accounts and other related personal information. It’s known to target users of financial services, aiming to steal their login credentials and ultimately empty bank accounts. Although it’s been around for a while, a group of motivated developers keeps updating and improving its functionality.

Quick view of the Initial Infection and Propagation

Often the malware's original infection mechanism is via a file dropper malware already on the system or malicious documents delivered through phishing campaigns. We have also seen it introduced through web browser activity in so-called “drive-bys”. Once infected, the victim’s machine will create a scheduled task and execute a JavaScript downloader that in turn will make a request to one of several hijacked domains for two (2) encrypted data files. Some of the IPs of hijacked domains are detailed on VirusTotal. The aforementioned JavaScript downloader will then decrypt the two encrypted data files, storing them on disk, and create another scheduled task designed to execute a batch file that in turn will reassemble the malicious Qakbot executable from the two (2) decrypted files stored on disk.

The malware is known to spread through the network via Server Message Block (SMB), a networking facility included in Microsoft Windows systems, commonly used to share files etc. This is achieved using credentials harvested from the infected host system, although the malware does also attempt to “brute-force” logins, using a list of common passwords hardcoded in the malware.

How does the infection work?

Right, it's about to get a bit technical!

Infection Chain

Once a system is infected, the malware campaign will create a scheduled task on the victim machine. This newly created task will attempt to execute a JavaScript downloader that makes a request to one of several hijacked (compromised) domains listed further down this article. The command line string that is used to create this task is:

 

C:\Windows\system32\schtasks.exe /create /tn {guid} /tr cmd.exe /C "start /MIN C:\Windows\system32\cscript.exe /E:javascript "C:\Users\<user>\ympoyf.wpl" /sc WEEKLY /D TUE,WED,THU /ST 12:00:00 /F

Table 1: Create Scheduled task: Download Qakbot

 

Where the highlighted section of the command relates to the specific user profile that is “compromised”, and the actual filename (with the .wpl extension) is randomly generated. This scheduled task will execute the following command:

 

cmd.exe /C start /MIN C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\ympoyf.wpl" C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\ympoyf.wpl

Table 2: Command Line String: Download Qakbot

 

This scheduled task executes the JavaScript downloader, 'ympoyf.wpl' in the example above, which makes a request to the URI "/datacollectionservice.php3" on one of the several hijacked domains. The filename of the JavaScript downloader is a randomized six (6) character name with the Windows Media Player Playlist (WPL) extension.

The Command and Control (C2) server returns two (2) files of encrypted data that are saved as <random file name>_1.zzz and <random file name>_2.zzz. The aforementioned JavaScript downloader is responsible for decoding the two (2) encrypted data files as well as creating another scheduled task designed to execute a batch file similar to the following:

 

@echo off
type C:\ProgramData\H1Tzw7GK_1.zzz C:\ProgramData\H1Tzw7GK_2.zzz > C:\ProgramData\H1Tzw7GK.exe
start C:\ProgramData\H1Tzw7GK.exe
schtasks.exe /Delete /TN H1Tzw7GK.exe /F
del /Q /F C:\ProgramData\H1Tzw7GK_1.zzz C:\ProgramData\H1Tzw7GK_2.zzz
DEL "%~f0"

Table 3: Contents of the batch file executed by a malicious scheduled task

 

This batch file is responsible for reassembling the malicious Qakbot executable from the two (2) decrypted '.zzz' files, using the type command. The type command is available in various command-line interpreters (shells), such as cmd.exe and Windows PowerShell, and is used to display the contents of specified files on the computer terminal; here its output is redirected into a single .exe file. The two (2) '.zzz' files and the scheduled task that was used to execute the batch file are then deleted from the system after the reassembled executable is run.

Behavioural Summary

Upon execution, the malware attempts to evade detection by overwriting itself with the legitimate Windows executable calc.exe using the following command:

 

C:\Windows\System32\cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\WINDOWS\System32\calc.exe > C:\Users\<user>\AppData\Local\Temp\SibKJWE.exe ping.exe -n 6 127.0.0.1

Table 4: Command Line String: Ping {Send 6 Echo requests} & overwrite malware with calc.exe
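
The command lines in Tables 1 to 4 can be turned into detection rules for process-creation logs or recovered batch files. The following Python code is an added example, not Foregenix tooling; the rule names are invented here, and the sample lines (three modelled on the tables, three benign) are constructed for illustration.

```python
import re

# Patterns taken from the command lines in Tables 1-4; the rule names are
# labels invented for this example.
RULES = {
    # Tables 1 and 2: cscript forced onto the JavaScript engine for a file
    # whose extension is not .js (the article's sample uses .wpl).
    "script_engine_override": re.compile(
        r'cscript(?:\.exe)?\b.*?/E:j(?:ava)?script\s+"?'
        r'(?P<path>[^"\s]+\.(?!js\b)\w+)(?=["\s]|$)', re.I),
    # Table 3: <name>_1.zzz and <name>_2.zzz concatenated into an .exe.
    "zzz_reassembly": re.compile(
        r'\btype\s+(?P<stem>\S+)_1\.zzz\s+(?P=stem)_2\.zzz\s*>\s*'
        r'(?P<path>\S+\.exe)', re.I),
    # Table 4: ping used as a delay, then calc.exe written over an .exe.
    "calc_overwrite": re.compile(
        r'\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&\s*type\s+'
        r'\S*\\calc\.exe\s*>\s*(?P<path>\S+\.exe)', re.I),
}

# Constructed input: three lines modelled on the tables, three benign ones.
SAMPLES = [
    r'cmd.exe /C start /MIN C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\ympoyf.wpl',
    r'type C:\ProgramData\H1Tzw7GK_1.zzz C:\ProgramData\H1Tzw7GK_2.zzz > C:\ProgramData\H1Tzw7GK.exe',
    r'cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\WINDOWS\System32\calc.exe > C:\Users\alice\AppData\Local\Temp\SibKJWE.exe',
    r'cscript.exe /E:jscript C:\Scripts\build.js',
    r'type C:\Logs\a_1.zzz C:\Logs\b_2.zzz > C:\Logs\merged.exe',
    r'ping.exe -n 6 127.0.0.1',
]

def classify(line):
    """Return (rule, target_path) for every rule that matches the line."""
    return [(name, m.group("path"))
            for name, rx in RULES.items() if (m := rx.search(line))]

def scan(lines):
    """Map each flagged line to its hits; lines with no hit are omitted."""
    return {line: hits for line in lines if (hits := classify(line))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        print(hits, "<-", line)
```

The zzz_reassembly rule only fires when both parts share the same stem, which is why the fifth sample line is not flagged.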

 

After performing multiple anti-reverse-engineering/Virtual Machine checks, the malware then sleeps for a randomised amount of time before executing its payload. When the payload is executed, the malware creates a directory within the user’s roaming profile directory and replicates itself to this directory with a randomised name such as the following:

C:\Users\<user>\AppData\Roaming\Microsoft\Bhzwlg\feulk.exe

The malware then injects itself into the explorer.exe process and creates both a scheduled task and an entry under the following registry key for persistence:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random>

Finally, it also modifies the following registry entries for Windows Defender to exclude its location from the scanner:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\<random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\Su

Table 5: List of registry entries modified by malware

 

Identifiers Of Compromise (IOC)

The following sections document a number of useful IOCs that can be used to identify this specific strain of malware within an environment.

Filenames and Directories

  • C:\Users\<user>\AppData\Microsoft\<random folder name>\<random file name>
  • C:\Users\<user>\AppData\Local\Temp\<random file name>.exe
  • C:\ProgramData\<random file name>_1.zzz
  • C:\ProgramData\<random file name>_2.zzz
  • C:\ProgramData\<random file name>.wpl
  • C:\ProgramData\<random file name>.exe
  • C:\<random file name>.exe
  • C:\<random file name>.exe.cfg
  • \\<DEVICE NAME>\C$\<random file name>.exe
  • \\<DEVICE NAME>\C$\<random file name>.exe.cfg

Registry Entries

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\<random service name>

Antivirus bypass

The following is a list of registry entries that are modified by the malware to exclude itself from Microsoft Windows Defender antivirus scans.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\<random>
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\Su

MD5 Hash Values


Recently observed C2 domains

Please bear in mind that the following Domains and IP addresses may no longer be occupied by malicious actors at the time of reading. Due to the nature of the game, malicious actors are quickly rotating their hijacked domains and IP addresses so as to avoid detection and monitoring.

  • lg.prodigyprinting.com (173.247.241.209)
  • hp.prodigyprinting.com (173.247.241.209)
  • layering.wyattspaintbody.net (192.249.112.44)
  • painting.duncan-plumbing.com (162.144.132.223)

Previously known C2 IP addresses and ports


Remediation Steps

If your company has been infected, we recommend the following remediation steps:

  1. Stop the spread of the Malware
    1. Cut off communication with its command-and-control (C2) server. This is achieved by blocking external or outbound communications with its C2 server at the network perimeter, for example by implementing firewall rules.
    2. Cut off Internet access or disconnect the affected machines from the network until they have been fully cleaned
    3. Block infected machines via firewall rules or create rules on Windows Defender Advanced Firewall and push these out via Group Policy Objects (GPO)
    4. Disable Windows shared folders that show signs of infection
    5. Where possible, set shared folders to read-only
    6. Reset affected credentials, remove unnecessary privileges, or disable accounts that have been observed to spread malware using SMB
    7. CAUTION: Removal of admin shares is an option that should only be used as a last resort as this can cause other issues within your environment and hinder management
  2. Monitor for new service creation and scheduled tasks
    1. Ensure Windows audit logs are enabled for the entire domain
    2. Monitor for new service creation by tracking events in the system log (event ID 4697), looking for created services whose service name and .exe name are randomly generated number strings
    3. Monitor for new scheduled tasks in the task schedule log (also event ID 4698)
  3. Remove all traces of Malware
    1. Remove any and all remnants of the malware's files on the infected systems, as highlighted in the IOCs above
    2. Remove any and all malicious registry entries on the infected systems, as highlighted in the IOCs above
    3. Remove any and all malicious scheduled tasks on the infected systems that are similar to the one in Table 1 above or that reference a batch file similar to the one in Table 3 above
    4. Terminate any running processes or services relating to the malware on the system
    5. If the malware reinitialises after termination, it may be necessary to restart the system once you have fully removed all persistence mechanisms described above
  4. Monitor the network for possible reinfection
    1. Monitor for any connections relating to the malicious domains and IP addresses listed in the IOC’s above
    2. Monitor for any connections identified from the running malware within your environment
    3. Monitor for any connection identified in Open Source Research on Qakbot
    4. Ideally network access would be monitored and controlled, but it can be effective to introduce firewall rules that whitelist trusted domains and IP addresses. This is, however, a task that needs to be maintained.
    5. Slowly reintroduce network connectivity to the subset of the machines that have been cleaned
    6. Reintroduce network connectivity to all affected machines that are believed to be clean, monitoring closely for signs of the malware, unusual scheduled tasks and services.
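
Step 2 above can be automated against exported event XML. The following Python code is an added example, not Foregenix tooling; it assumes the standard event ID 4698 layout, in which the task definition is carried as escaped XML in the TaskContent field. Its two heuristics (a GUID task name as in Table 1, an action pointing into C:\ProgramData or C:\Users as in the file IOCs) and the sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
GUID_NAME = re.compile(r"^\\?\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Directories from the article's file IOCs (heuristic chosen for this example).
DROP_DIR = re.compile(r"[a-z]:\\(?:ProgramData|Users)\\", re.I)

def review_task_event(event_xml):
    """Return (task_name, action, reasons) for a 4698 event, else None."""
    ev = ET.fromstring(event_xml)
    if ev.findtext(f"{EVT}System/{EVT}EventID") != "4698":
        return None
    data = {d.get("Name"): d.text or "" for d in ev.iter(f"{EVT}Data")}
    # TaskContent carries the task definition as escaped XML text;
    # drop a leading XML declaration before parsing it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    exe = ET.fromstring(body).find(f".//{TASK}Exec") if body else None
    action = "" if exe is None else " ".join(
        filter(None, (exe.findtext(f"{TASK}Command"), exe.findtext(f"{TASK}Arguments"))))
    reasons = []
    if GUID_NAME.match(data.get("TaskName", "")):
        reasons.append("guid_task_name")
    if DROP_DIR.search(action):
        reasons.append("action_in_drop_dir")
    return data.get("TaskName", ""), action, reasons

def make_event(event_id, name, command, arguments):
    """Build a constructed event in the 4698 layout (sample data only)."""
    task = (f'<Task xmlns="{TASK[1:-1]}"><Actions><Exec><Command>{escape(command)}'
            f'</Command><Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return (f'<Event xmlns="{EVT[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TaskName">{escape(name)}</Data>'
            f'<Data Name="TaskContent">{escape(task)}</Data></EventData></Event>')

# Constructed samples: one task shaped like Table 1, one benign task, one other event.
SUSPECT = make_event(4698, r"\{0F2A6C1E-7B3D-4E9A-8C11-5D2E9A7B4C30}", "cmd.exe",
    r'/C "start /MIN C:\Windows\system32\cscript.exe /E:javascript C:\Users\alice\ympoyf.wpl"')
BENIGN = make_event(4698, r"\Contoso\NightlyBackup", r"C:\Program Files\Backup\agent.exe", "--run")
LOGON = make_event(4624, "n/a", "n/a", "n/a")

if __name__ == "__main__":
    for event in (SUSPECT, BENIGN, LOGON):
        print(review_task_event(event))
```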

How to avoid getting infected in the first place?

There is no easy answer for this. To avoid infection, it’s up to the user to be conscious of what he/she is installing on their device and be aware of phishing campaigns. We recommend training your staff regarding phishing campaigns and other cybersecurity threats.

Conclusion

Qakbot has been seen in the wild for quite a while now, but this does not mean it’s outdated or dying; in fact, it’s evolving and becoming more dangerous than ever. The initial infection, like most malware, depends on the user taking an action, either failing to recognise a phishing campaign or opening a malicious document. It’s therefore worth having an internal education campaign within your organisation to highlight these threats and raise awareness around combating them.

If your organisation is currently infected, or becomes infected, follow our advice on how to remediate immediately. This can be a daunting task and can certainly disrupt your normal day-to-day activities.

Our Pitch

We hope the information in this article has helped you understand how Qakbot operates. Following the steps above will help you identify and stop the malware from propagating in your system.

Full disclosure - we’re a cybersecurity company. And this is our very short pitch… Our Proactive Incident Response solution takes advantage of Serengeti, our in-house technology, to monitor your network and endpoints, while our Threat Intelligence Group (TIG) monitors your system and takes immediate action if suspicious activity is detected.

With our solution, you’d be able to identify Qakbot and other malware in your system, stopping and removing it. Learn more about Foregenix Proactive IR here.

 

This blog post was written in collaboration with our Threat Intelligence Group (TIG).