-Nilaa Maharjan Logpoint Global Services & Security Research
Over the past few months, companies such as SpaceX, Go West Tours, Commercial Development Company, Inc., Furniture Row & Visser Precision, Kimchuk Inc., and Hot Line Freight Systems have been the victims of QBot-related attacks and data leaks – some more impactful than others.
The prolific modular information-stealing malware known as Qakbot, also spelled Quakbot and Pinkslipbot, was first identified in 2007 and has been around for well over a decade. Due to its design and the efforts laid in by various threat actors, it is a common tool used in multiple known ransomware campaigns. Historically considered a banking Trojan and loader, it’s evolved multiple times and sees a resurrection every few years associating itself with new vulnerabilities, actors, and industries. The pattern itself has been dubbed “QBot“.
The operators are occasionally known as “Gold Lagoon” and have been seen conducting operations since its establishment, with activity seen in various nations on most of the continents. However, the malware is not associated exclusively with any actor or group.
Trend Micro’s periodic detection rates show that in the first half of 2020, QBot accounted for almost 4000 unique detections, of which 28% were targeted to the Healthcare and Public Health(HPH) sector. The attacks subsided eventually as the latter half only saw 8% targets towards HPH.
QBot itself contains multiple modules:
There have been multiple QBot attacks. Notably on JBS, the largest meat producer in the world, and Fujifilm, a Japanese multinational conglomerate in early June 2021. Despite the fact that the two attacks, their victims, and jurisdictions are vastly different, a strong commonality reveals the same pattern and perpetrator – the REvil gang, who may have used the QBot malware to accomplish the initial infection operation.
First, we’ve witnessed instances where QBot infection timing correlated with REvil attack timing in the past. In other words, their attack – most frequently a data leak – followed a specific temporal pattern following the original QBot infection. REvil usually stays in the network for two to three weeks after launching a sophisticated attack against a primary victim, something AdvIntel identified during this same interval between QBot infiltration and the REvil breach when researching REvil-related issues. Additionally, the fact that the two crime groups’ TTPs and operational models make cooperation logical and natural.
On the one hand, QBot (as a botnet) is notorious for establishing itself by collaborating with as many top-tier ransomware gangs as possible. A typical botnet organization will have one relationship with ransomware as a service (RaaS) gang, occasionally two, but QBot deviates from this trend because they have always aimed for large partnership expansions.
Other botnets had only one liaison on the ransomware side, QBot had several. Dridex, for example, had DopplePaymer; TrickBot botnet had Ryuk; Zloader had DarkSide. At the same time, QBot was infected with Egregor, ProLock, LockerGoga, Mount Locker, and other ransomware groups.
REvil, unlike other ransomware groups, is known to diversify its attack tools. Usually, each ransomware group has its preferred tool, for instance, one infrastructural vulnerability, or one specific botnet. However, REvil aimed at covering as many attack surfaces as possible. Like many groups, they started with RDP exploitation, but they never stopped there.
In 2021 (REvil’s year of rapid diversification) they announced investments in specialists in BlueKeep vulnerability, PulseVPN exploitation, and Fortigate VPN exploitation. They have clearly expressed their interest in the novel Microsoft server CVEs, then in TrickBot malware, and then, finally, in a direct purchase of network access from underground.
The re-emergence of QBot in 2022 has been driven by Black Basta which is a whole new mess. Since its inception in April, Black Basta has gained attention for its recent attacks on 50 businesses worldwide, as well as its use of double extortion, a new ransomware method in which attackers encrypt secret data and threaten to disclose it if their demands are not met. Trend Micro has an entire report covering the TTPs by Black Basta which includes the trojan QakBot as a means of access and movement, as well as using the PrintNightmare vulnerability (CVE-2021-34527) to do privileged file actions.
As with all Emerging Threats blogs, we include a report. A recent example of the previously mentioned attack, including a detailed analysis of the malware sample, the execution chain, and the observed tactics and techniques, is included in the download of the report.
Putting aside the fact that QBot is an efficient information thief and backdoor on its own, many RaaS providers have been found employing QBot variations to get access to corporate networks before delivering ransomware.
Previously distributed via Emotet, the recent resurgence shows that the attacks are rising through very targeted malspam email campaigns. These most recent operations start with the distribution of an HTML attachment and email thread hijacking.
When the file is opened, it drops an archive (.zip) that includes an Office document, a shortcut file (.lnk), and a .dll file inside of a disk image file (.img). The DLL will be executed by the LNK to launch QBot. The document will then load and run an HTML file that contains the PowerShell exploit CVE-2022-30190 used to download and run it. But since the vulnerability has been patched, attackers are making use of native binaries through LOLBins. The attackers are clearly not taking any chances with multiple points of failure in the hopes that at least one of these strategies will work.
Another variation of the attack substitutes a .iso file (another form of disk image file), which once again contains a .docx file (Word document), a.lnk file, and a.dll file, for the .img file in the zipped bundle.
After making changes to the parent malware, QBot’s operators have been observed leaving a version tag in their samples.
For Example:
{
"Bot id": "obama182",
"Campaign": "1651756499",
"Version": "403.683",
}Before infected Windows devices shut down, the QBot samples from a December 2020 update activated their persistence mechanism, and they automatically deleted all traces when the system restarts or awakens from sleep. This enables the persistence mechanism to be engaged too quickly for security software to identify when it is shutting down. Similar strategies have been employed by Dridex and Gozi, including the use of several encryption algorithms. This hides its functioning and information from potential victims as well as security software. The sample was also observed making an attempt at legitimate process injection-based obfuscation. Once the victim’s computer has been infected, it is compromised, and due to QBot’s lateral movement skills, they could pose a threat to other machines on the local network.
The building blocks of QBot attacks. Source: Microsoft
Despite all the variations available and new changes expected, the family of Qakbot is identified by some of its use of similar building blocks. A Universal Plug-and-Play(UPnP) module embedded in QBot transforms the infected hosts without direct internet connectivity into intermediate command and control (CnC) servers and uses them as a botnet. The CnC then downloads further modules which include:
QBot has been known to make use of other dependencies than what it packs. These include:
Besides these, QBot has been seen downloading additional ransomware such as Prolock, Egregor, and REvil/Sodinokibi. As the CEO of Advance Intel was seen quoting, “A network infection attributed to QBot automatically results in risks associated with future ransomware attacks“
As QBot and other ransomware have been a steady line of attack for the past couple of years, each organization should have a baseline prevention and mitigation procedure by now. CISA‘s Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks provides a good outline as well.
If your organization is impacted by ransomware or QBot incident:
During this research, from the static and dynamic analysis, we uncovered multiple files, domains, and botnet networks that are still active in the wild. All artifacts are provided as lists and the associated alerts are available to download as part of Logpoint’s latest release, as well as through Logpoint’s download center.
Customized Investigation and Response playbooks were pushed to Logpoint Emerging Threat Protection customers.
The report containing the analysis, infection chain, detection and mitigation using logpoint SIEM and SOAR can be downloaded from the link below.
