Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
The eSentire Security Operations Center (SOC) has intercepted several incidents stemming from a recent Qakbot campaign. Qakbot is a malware-as-a-service (MaaS) known to precede ransomware intrusions associated with Maze, Egregor, and Conti ransomware groups. In a parallel analysis, eSentire’s Threat Response Unit (TRU) reports that the latest Qakbot campaigns are leading to Cobalt Strike infrastructure, which TRU tracks as INF5.
INF5-associated Cobalt Strike is also an observed outcome of attacks leveraging Matanbuchus, another MaaS known to be used by Conti. Technical analysis of Qakbot’s delivery and execution methods demonstrate three distinct clusters of activity, which suggests multiple operators may be utilizing the backdoor and infostealer – largely towards ransomware operations.
TRU notes a strong correlation between Qakbot activity and one of Conti’s subsidiary ransomware groups, BlackBasta. Previous campaigns observed by TRU also leveraged SquirrelWaffle and appeared to be aimed largely at email exfiltration. Interestingly, replaying exfiltrated emails is one of the methods that threat actors which utilize Qakbot employ to bypass email security controls. TRU has tracked and deployed detection for the Qakbot malware since it’s integration into the ransomware economy in 2020.
A Qakbot campaign has been observed affecting industries and sectors across the board, including Government, Financial Services, Legal, Manufacturing, and Education. Qakbot campaigns originate from malicious email spam campaigns that are highly opportunistic in nature. At least one of the spam campaigns delivering Qakbot is attributed to TA570, recently observed attempting to exploit the Follina vulnerability via Qakbot.
As is typical of botnet campaigns, once a number of infections have been established, Qakbot operators and affiliates can prioritize infections based on information collected from infected systems. This is facilitated by Qakbot´s initial discovery phase – an important feature of modern botnet malware that allows its operators to get a broader network perspective on the victim organization. Objectives of campaigns leveraging Qakbot vary from incident to incident.
Qakbot has been observed:
The last significant Qakbot campaign observed by TRU was associated with SquirrelWaffle and Cobalt Strike in November 2021. In those campaigns, Qakbot was leveraged to exfiltrate emails, likely to be used in email replay attacks.
In the recent June 2022 campaign, TRU and others have observed Qakbot occasionally dropping Cobalt Strike as before.
eSentire‘s Threat Response Unit (TRU) observed three distinct clusters of activity associated with Qakbot during technical analysis of the delivery and execution methods of Qakbot incidents in June 2022. Given that multiple threat actors have been observed utilizing Qakbot (including TA551, TA577, and TA570) it‘s possible that these clusters represent distinct campaigns and/or threat groups. But they could also simply reflect evolution of the Qakbot malware offering itself.
A report of Qakbot leading to BlackBasta was published in early June by NCC Group. Tracking both Qakbot activity and BlackBasta leak site activity, TRU finds a temporal correlation between the two (Figure 2). However, given that Qakbot is offered as a service, and tends to be associated with multiple malspam campaigns it‘s likely that other groups besides BlackBasta are leveraging the malware.
Cobalt Strike infrastructure associated with Qakbot in the latter half of June tended to be registered to .icu domains. TRU tracks this infrastructure as INF5. Interestingly, the same infrastructure has been observed in Matanbuchus campaigns using a similar html smuggling approach, but with .msi files, rather than .lnk files for User Execution.
Domains for the associated Cobalt Strike are listed in the IOCs section below. It‘s worth noting that these domains were not observed in the BlackBasta-associated attack reported by NCC Group.
The sparse incident in March 2022 operated on malspam campaign that used .ocx file extensions loaded in regsvr32 while the June 2022 campaign relies on User Execution of a windows shortcut (.lnk) file that relies on HTML smuggling.
A map of the attack path shows the common flow of attacks that leverage Qakbot (Figure 3). The June 2022 Qakbot campaigns rely on email for initial access (Mitre Technique T1566), delivering a zipped file (a form of Defense Evasion that helps malware bypass email filters). Qakbot C2 and second-stage payloads are typically delivered from compromised infrastructure (T1584), often making them harder to track than purpose-built infrastructure.
The malicious document contains macros (Figure 4). Reverse engineering of the Qakbot sample by TRU (Figure 5) reveals three injection targets: explorer.exe, msra.exe, and OneDriveSetup.exe.
In one incident observed by TRU, OneDriveSetup.exe was the chosen injection target (Figure 6), while in the lab, reversing the sample led to injection into explorer.exe. The injected process performed several fundamental discovery techniques, including account discovery, domain discovery, and network configuration discovery. Throughout the attack path, Qakbot makes heavy use of trusted windows processes, particularly cmd.exe, regsvr32.exe, net.exe, nslookup.exe, whoami.exe, and ipconfig.exe. See below for a full list of indicators.
In June 2022, a Qakbot campaign emerged leveraging HTML smuggling of .lnk (Windows shortcut) files (Figure 7). HTML smuggling and password-protected .zip files help Qakbot bypass email security, during the social engineering phase of the attack. Once User Execution is achieved, Qakbot installs itself and begins initial Discovery process (Figure 8). In some cases, Qakbot dropped Cobalt Strike, which performed additional Discovery on the infected device – presumably a first step to network-wide compromise towards ransomware deployment.
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Cybersecurity Specialist.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.