What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Aug 17, 2022
Increase in Observations of Socgholish Malware
THE THREAT Starting in early August 2022 and continuing through the month, eSentire identified a significant increase in Socgholish (aka. FakeUpdates) malware incidents. Socgholish is a loader type…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Sep 20, 2022
eSentire Recognized as Top Global MDR Provider by MSSP Alert, CrowdStrike and G2
Waterloo, ON - September 21, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), celebrated multiple industry recognitions as the leading global MDR provider, over the last week: Named #9, and the top pure play MDR provider on MSSP Alert’s Top 250 MSSPs global rankingRecognized as the CrowdStrike 2022 Global MSSP Partner of the Year Earned G2’s industry-renowned status…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Aug 29, 2022

June 2022 Qakbot Campaign

5 minutes read
Speak With A Security Expert Now

Executive Summary

The eSentire Security Operations Center (SOC) has intercepted several incidents stemming from a recent Qakbot campaign. Qakbot is a malware-as-a-service (MaaS) known to precede ransomware intrusions associated with Maze, Egregor, and Conti ransomware groups. In a parallel analysis, eSentire’s Threat Response Unit (TRU) reports that the latest Qakbot campaigns are leading to Cobalt Strike infrastructure, which TRU tracks as INF5.

INF5-associated Cobalt Strike is also an observed outcome of attacks leveraging Matanbuchus, another MaaS known to be used by Conti. Technical analysis of Qakbot’s delivery and execution methods demonstrate three distinct clusters of activity, which suggests multiple operators may be utilizing the backdoor and infostealer – largely towards ransomware operations.

TRU notes a strong correlation between Qakbot activity and one of Conti’s subsidiary ransomware groups, BlackBasta. Previous campaigns observed by TRU also leveraged SquirrelWaffle and appeared to be aimed largely at email exfiltration. Interestingly, replaying exfiltrated emails is one of the methods that threat actors which utilize Qakbot employ to bypass email security controls. TRU has tracked and deployed detection for the Qakbot malware since it’s integration into the ransomware economy in 2020.

June 2022 Qakbot Campaign

A Qakbot campaign has been observed affecting industries and sectors across the board, including Government, Financial Services, Legal, Manufacturing, and Education. Qakbot campaigns originate from malicious email spam campaigns that are highly opportunistic in nature. At least one of the spam campaigns delivering Qakbot is attributed to TA570, recently observed attempting to exploit the Follina vulnerability via Qakbot.

As is typical of botnet campaigns, once a number of infections have been established, Qakbot operators and affiliates can prioritize infections based on information collected from infected systems. This is facilitated by Qakbot´s initial discovery phase – an important feature of modern botnet malware that allows its operators to get a broader network perspective on the victim organization. Objectives of campaigns leveraging Qakbot vary from incident to incident.

Qakbot has been observed:

  1. Exfiltrating email inboxes, likely to be used later in email replay attacks and email usage analysis.
  2. Stealing passwords and machine fingerprints from web browsers, which can be replicated in attacks leveraging valid credentials later.
  3. Loading Cobalt Strike for ransomware intrusions.

The last significant Qakbot campaign observed by TRU was associated with SquirrelWaffle and Cobalt Strike in November 2021. In those campaigns, Qakbot was leveraged to exfiltrate emails, likely to be used in email replay attacks.

In the recent June 2022 campaign, TRU and others have observed Qakbot occasionally dropping Cobalt Strike as before.

Figure 1: Timeline of Qakbot campaigns

Three Clusters of Activity

eSentire‘s Threat Response Unit (TRU) observed three distinct clusters of activity associated with Qakbot during technical analysis of the delivery and execution methods of Qakbot incidents in June 2022. Given that multiple threat actors have been observed utilizing Qakbot (including TA551, TA577, and TA570) it‘s possible that these clusters represent distinct campaigns and/or threat groups. But they could also simply reflect evolution of the Qakbot malware offering itself.

BlackBasta Association

A report of Qakbot leading to BlackBasta was published in early June by NCC Group. Tracking both Qakbot activity and BlackBasta leak site activity, TRU finds a temporal correlation between the two (Figure 2). However, given that Qakbot is offered as a service, and tends to be associated with multiple malspam campaigns it‘s likely that other groups besides BlackBasta are leveraging the malware.

Figure 2: BlackBasta leak site posts compared to Qakbot incidents observed by TRU

Cobalt Strike Infrastructure and Matanbuchus

Cobalt Strike infrastructure associated with Qakbot in the latter half of June tended to be registered to .icu domains. TRU tracks this infrastructure as INF5. Interestingly, the same infrastructure has been observed in Matanbuchus campaigns using a similar html smuggling approach, but with .msi files, rather than .lnk files for User Execution.

Domains for the associated Cobalt Strike are listed in the IOCs section below. It‘s worth noting that these domains were not observed in the BlackBasta-associated attack reported by NCC Group.

Qakbot Attack Path and Technical Details

The sparse incident in March 2022 operated on malspam campaign that used .ocx file extensions loaded in regsvr32 while the June 2022 campaign relies on User Execution of a windows shortcut (.lnk) file that relies on HTML smuggling.

Maldoc Initial Access

A map of the attack path shows the common flow of attacks that leverage Qakbot (Figure 3). The June 2022 Qakbot campaigns rely on email for initial access (Mitre Technique T1566), delivering a zipped file (a form of Defense Evasion that helps malware bypass email filters). Qakbot C2 and second-stage payloads are typically delivered from compromised infrastructure (T1584), often making them harder to track than purpose-built infrastructure.

Figure 3: A common attack path observed in March 2022 Qakbot incidents via TA577

The malicious document contains macros (Figure 4). Reverse engineering of the Qakbot sample by TRU (Figure 5) reveals three injection targets: explorer.exe, msra.exe, and OneDriveSetup.exe.

In one incident observed by TRU, OneDriveSetup.exe was the chosen injection target (Figure 6), while in the lab, reversing the sample led to injection into explorer.exe. The injected process performed several fundamental discovery techniques, including account discovery, domain discovery, and network configuration discovery. Throughout the attack path, Qakbot makes heavy use of trusted windows processes, particularly cmd.exe, regsvr32.exe, net.exe, nslookup.exe, whoami.exe, and ipconfig.exe. See below for a full list of indicators.

Figure 4:Malicious Document used in March 2022 Qakbot incidents


Figure 5: Debugging the Qakbot sample


Figure 6: Qakbot injecting into OneDriveSetup in an observed incident.

HTML Smuggling Initial Access

In June 2022, a Qakbot campaign emerged leveraging HTML smuggling of .lnk (Windows shortcut) files (Figure 7). HTML smuggling and password-protected .zip files help Qakbot bypass email security, during the social engineering phase of the attack. Once User Execution is achieved, Qakbot installs itself and begins initial Discovery process (Figure 8). In some cases, Qakbot dropped Cobalt Strike, which performed additional Discovery on the infected device – presumably a first step to network-wide compromise towards ransomware deployment.

Figure 7: HTML smuggling in June Qakbot samples


Figure 8: Initial Discovery commands run by Qakbot leveraging Trusted Windows Processes

Cobalt Strike IOCs

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Cybersecurity Specialist.

Join 100,000+ Security Leaders

Get notified of the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs
eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.