Adversaries constantly develop new tactics that enhance their capabilities to deploy malware across networked environments and monetize infected systems. This blog is Part 1 of a three-part series detailing research and observations by the CrowdStrike® Falcon Complete™ managed services team regarding one such malware variant, QakBot (aka QBot), and its behavior in recent campaigns.
In this blog we provide an overview of a recent QakBot campaign observed in the wild. Part 2 will feature an in-depth analysis of the evolution of QakBot tactics, techniques and procedures (TTPs) through June 2020. We will culminate the series in Part 3 by outlining the Falcon Complete team’s strategy for the remote remediation of a QakBot-infected host.
Table of Contents
Threat Background and Context
QakBot is an eCrime banking trojan that has the potential to severely impact an organization’s ability to operate. QakBot can spread laterally throughout a network utilizing a worm-like functionality through brute-forcing network shares and Active Directory user group accounts, or via server message block (SMB) exploitation.
QakBot also employs a robust set of anti-analysis features to evade detection and frustrate analysis. Despite these evasion techniques, CrowdStrike Falcon® detects and prevents this malware from completing its execution chain.
QakBot has been observed for nearly a decade, and historically, it included traditional features of banking trojans and information stealers. However, it has since evolved and expanded its capabilities.
QakBot also shows no signs of slowing down — in fact, Falcon Complete observed a notable resurgence in its delivery volume, beginning in April 2020, with regular updates through the summer months. Recent campaigns have been delivered primarily via email, with attached ZIP archives containing a Visual Basic Script (VBS) downloader. In contrast, there have also been several tactical outliers, such as Microsoft Word DOC-based deliveries along with campaigns that included secondary malware payloads like Zloader.
The following section covers static and dynamic analysis of the QakBot DOC-based delivery campaign. This analysis includes an overview of techniques used by the threat actor to obfuscate, hinder and attempt to prevent analysis of malicious documents delivered by QakBot to ensure a successful infection of the victim.
QakBot Introduces DOC-based Delivery
As QakBot surged in early April 2020, the operators leveraged a new tactic for delivery: a Microsoft Word document delivered via malspam that was weaponized with macros containing a malicious VB script. While operators shifted delivery tactics several times throughout the summer, the overall TTPs related to QakBot’s execution chain remained largely the same, and analysis of this DOC file provides useful insights into the capabilities of QakBot’s authors.
Static Analysis of Downloader DOC
Document Features
In early April, the team observed a document that was detected and blocked within a client environment.
- Filename: AGRMT_06052020_519.doc
- SHA256: b1e8b724380e6e041e3c2b4dfe5d4827fe0ae1bb0816b47d14d21d6f94194797
This was a typical phishing document that attempts to lure intended victims to enable macros that execute malicious code.
The malicious macro included in the document is locked — an example of the many anti-analysis and sandbox-evasion features included in these campaigns.
The locked macros prevent sandboxes from inspecting the macro content and also impede manual analysis. Once this protection is bypassed, the contents of the Visual Basic for Applications (VBA) project are then available.
The macros are highly obfuscated and broken down into either UserForm objects or modules containing more typical Functions and Subs. The UserForm objects are structured in a variety of different text boxes, buttons and label objects that don’t actually execute code themselves, but hold string data in their tags that is called by Functions in the macros code.
Macro De-obfuscation
The macro contents are extracted to a text editor for continued static analysis and easier de-obfuscation. The macros are extensively obfuscated with a variety of anti-analysis techniques. This includes using several lines of garbage code, along with confusing variable assignments, string reversals and an interesting string encoding technique that leverages nested conversions. The two components of greatest interest are the functions that include an encoding algorithm and a block of strings that contain the encoded URLs, from which the code will attempt to download the next-stage payload.
The encoding algorithm leverages the VBA Mid function to perform operations on URL strings. The $Mid function sets the text block, sets the starting position of the text’s index, and then instructs it to select the number of characters (in this case, 1). It is also wrapped in a For Loop that instructs the Function to loop over the length of the string in reverse order. Finally, it includes a series of string conversions following the loop operation. Each character is converted to ASCII and then subtracted by a value of 1, then converted back into a character. This new character string is actually Base64 encoded and must then be decoded to reveal the actual URL.
For example, the URLs are decoded by taking the last character in each string, converting it to ASCII, subtracting by 1 and then looping backward the length of the string. Finally, the Base64 string is decoded. The first variable in Figure 9, “dkekr(1),” which holds the string
“o6HdvhEP5hEP5h{M5iHdkS4Mu:3Zv1H[ieIciO4MwpEd1SIb,” decodes into the string “aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n.”
The VB code contains a total of six URLs that it will loop through until it receives a valid response to download the next stage payload. It is necessary to break down this obfuscation to successfully identify all six of these indicators of compromise (IOCs). If only network log data or sandbox results are used, the infection chain may stop at the first valid response and not loop through all six URLs. The complete list of IOCs may then be implemented in the appropriate network control such as a web proxy or firewall.
When executed, the final macro code as interpreted by CMD decodes into a classic PowerShell download cradle that fetches the initial QakBot payload. There is one last bit of obfuscation here as the script does contain two more encoded strings. One is the URL as seen above in Figure 8, and another is the full path to which the payload will initially be written: “C:UsersPublictmpdirfile”.
The cradle appends “1.exe” to the file named “file” and eventually writes itself to “C:UsersPublic” before continuing with the remainder of the execution chain if the appropriate anti-analysis checks are met. The execution chain for this delivery style is shown below in Figure 10. Please note that the examples in the following scenarios have CrowdStrike Falcon configured with DETECTIONS ONLY and PREVENTIONS OFF for illustrative purposes. A properly configured Falcon instance would prevent the activity presented here.
The Falcon Complete team frequently responds to detections where Falcon has prevented a successful QakBot phishing attempt. In these cases that have proper implementation of preventions, the remediation simply consists of removing the original attachment written to the disk and any associated residual script artifacts. In these cases, Falcon interrupts the infection before binaries are executed or persistence is established.
Conclusion
QakBot has the potential to severely impact an organization due to its capability for lateral movement and data theft. As we have seen, QakBot employs a robust set of anti-analysis features and has recently surged in its operational volume within the threat landscape.
In this blog, we presented an analysis of a DOC-based QakBot downloader. The threat actors behind QakBot, tracked by CrowdStrike Intelligence as MALLARD SPIDER, have demonstrated the ability to rapidly re-tool, implement anti-analysis techniques and develop methods of advanced obfuscation in a short period.
Stay tuned for Parts 2 and 3 where we delve deeper into our analysis and offer recommendations for improving your defenses against QakBot and similar threats.
As QakBot evolves, so does the Falcon Complete team’s ability to adapt, react to and remediate this threat to protect our client environments. The team provides the expertise to identify and remediate infections to help organizations recover from potentially devastating incidents. The Falcon Complete team focuses on stopping breaches so CrowdStrike clients can focus on their business goals and operations.
Appendix
Table 1 below contains a mapping of QakBot tactics to the MITRE ATT&CK® framework.
Tactic | Technique | Sub-Technique | ID |
Initial Access | Phishing | Spear-Phishing Attachment | T1566.001 |
Execution | User Execution | Malicious Link, Malicious File | T1204.001, T1204.002 |
Execution | Command and Scripting Interpreter | PowerShell, CMD Shell, Visual Basic | T1059.001, T1059.003, T1059.005 |
Execution | Signed Binary Proxy Execution | Msiexec, Rundll32 | T1218.007, T1218.011 |
Persistence | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | T1547.001 |
Persistence | Scheduled Task/Job | Scheduled Task | T1053.005 |
Defense Evasion | Obfuscated Files or Information | None | T1027 |
Defense Evasion | Process Injection | Dynamic-link Library Injection | T1055.001 |
Defense Evasion | Virtualization/Sandbox Evasion | System Checks | T1497.001 |
Discovery | Virtualization/Sandbox Evasion | User Activity Based Checks | T1497.002 |
Discovery | Network Share Discovery | None | T1135 |
Credential Access | Brute Force | Password Guessing | T1110.001 |
Lateral Movement | Remote Services | SMB/Windows Admin Shares | T1021.002 |
Command and Control | Application Layer Protocol | Web Protocols | T1071.001 |
Table 1. MITRE ATT&CK Mapping
IOCs associated with QakBot analyses are shown in Table 2.
Indicator | Purpose |
PicturesViewer.dll, PicturesViewer.exe, PaintHelper.dll, PaintHelper.exe, file1.exe | QakBot binary names |
“[0-9]{6,9}.zip”, “NUM_[0-9]{4,6}.vbs” | Regular expression of observed filename convention of zip archives containing vbs to that launches QakBot downloader |
“dfPEZd”, “ezQVN”, “wCdZgXH” | Scheduled Task tasknames |
“””C:windowsSystem32WScript.exe”” “”C:Users*AppDataLocalTempTemp1_*.zipNUM_*.vbs”” | Command line example of initial execution |
C:Users*Downloads“[0-9]{6,9}.zip” | Initial QakBot download path. Observed as an 8 or 9-character numeric name. |
C:Users*AppDataLocalTempTemp1_“[0-9]{6,9}.zipNUM_[0-9]{4,6}.vbs | Execution path of VB downloader script |
%AppData%lwobesexydry.dll
%AppData%PicturesViewer.dll %APPDATA%dasfdsfsdf.exe %APPDATA%Iwhoqpozypua.dll %APPDATA%IEGGYJG27Zdasfdsfs.df[1].exe C:UsersPublictmpdir |
QakBot binary paths in home directories, observed as an alphabetical name under an alphabetical folder in %AppData%, or pre-named PicturesViewer, PaintHelper |
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun | Registry run key persistence |
Table 2. IOCs Associated with QakBot
Leave a Reply