What We Do
How We Do
Get Started

June 2022 Qakbot Campaign

BY eSentire Threat Response Unit (TRU)

August 29, 2022 | 5 MINS READ


Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?


Executive Summary

The eSentire Security Operations Center (SOC) has intercepted several incidents stemming from a recent Qakbot campaign. Qakbot is a malware-as-a-service (MaaS) known to precede ransomware intrusions associated with Maze, Egregor, and Conti ransomware groups. In a parallel analysis, eSentire’s Threat Response Unit (TRU) reports that the latest Qakbot campaigns are leading to Cobalt Strike infrastructure, which TRU tracks as INF5.

INF5-associated Cobalt Strike is also an observed outcome of attacks leveraging Matanbuchus, another MaaS known to be used by Conti. Technical analysis of Qakbot’s delivery and execution methods demonstrate three distinct clusters of activity, which suggests multiple operators may be utilizing the backdoor and infostealer – largely towards ransomware operations.

TRU notes a strong correlation between Qakbot activity and one of Conti’s subsidiary ransomware groups, BlackBasta. Previous campaigns observed by TRU also leveraged SquirrelWaffle and appeared to be aimed largely at email exfiltration. Interestingly, replaying exfiltrated emails is one of the methods that threat actors which utilize Qakbot employ to bypass email security controls. TRU has tracked and deployed detection for the Qakbot malware since it’s integration into the ransomware economy in 2020.

June 2022 Qakbot Campaign

A Qakbot campaign has been observed affecting industries and sectors across the board, including Government, Financial Services, Legal, Manufacturing, and Education. Qakbot campaigns originate from malicious email spam campaigns that are highly opportunistic in nature. At least one of the spam campaigns delivering Qakbot is attributed to TA570, recently observed attempting to exploit the Follina vulnerability via Qakbot.

As is typical of botnet campaigns, once a number of infections have been established, Qakbot operators and affiliates can prioritize infections based on information collected from infected systems. This is facilitated by Qakbot´s initial discovery phase – an important feature of modern botnet malware that allows its operators to get a broader network perspective on the victim organization. Objectives of campaigns leveraging Qakbot vary from incident to incident.

Qakbot has been observed:

  1. Exfiltrating email inboxes, likely to be used later in email replay attacks and email usage analysis.
  2. Stealing passwords and machine fingerprints from web browsers, which can be replicated in attacks leveraging valid credentials later.
  3. Loading Cobalt Strike for ransomware intrusions.

The last significant Qakbot campaign observed by TRU was associated with SquirrelWaffle and Cobalt Strike in November 2021. In those campaigns, Qakbot was leveraged to exfiltrate emails, likely to be used in email replay attacks.

In the recent June 2022 campaign, TRU and others have observed Qakbot occasionally dropping Cobalt Strike as before.

Figure 1: Timeline of Qakbot campaigns

Three Clusters of Activity

eSentire‘s Threat Response Unit (TRU) observed three distinct clusters of activity associated with Qakbot during technical analysis of the delivery and execution methods of Qakbot incidents in June 2022. Given that multiple threat actors have been observed utilizing Qakbot (including TA551, TA577, and TA570) it‘s possible that these clusters represent distinct campaigns and/or threat groups. But they could also simply reflect evolution of the Qakbot malware offering itself.

BlackBasta Association

A report of Qakbot leading to BlackBasta was published in early June by NCC Group. Tracking both Qakbot activity and BlackBasta leak site activity, TRU finds a temporal correlation between the two (Figure 2). However, given that Qakbot is offered as a service, and tends to be associated with multiple malspam campaigns it‘s likely that other groups besides BlackBasta are leveraging the malware.

Figure 2: BlackBasta leak site posts compared to Qakbot incidents observed by TRU

Cobalt Strike Infrastructure and Matanbuchus

Cobalt Strike infrastructure associated with Qakbot in the latter half of June tended to be registered to .icu domains. TRU tracks this infrastructure as INF5. Interestingly, the same infrastructure has been observed in Matanbuchus campaigns using a similar html smuggling approach, but with .msi files, rather than .lnk files for User Execution.

Domains for the associated Cobalt Strike are listed in the IOCs section below. It‘s worth noting that these domains were not observed in the BlackBasta-associated attack reported by NCC Group.

Qakbot Attack Path and Technical Details

The sparse incident in March 2022 operated on malspam campaign that used .ocx file extensions loaded in regsvr32 while the June 2022 campaign relies on User Execution of a windows shortcut (.lnk) file that relies on HTML smuggling.

Maldoc Initial Access

A map of the attack path shows the common flow of attacks that leverage Qakbot (Figure 3). The June 2022 Qakbot campaigns rely on email for initial access (Mitre Technique T1566), delivering a zipped file (a form of Defense Evasion that helps malware bypass email filters). Qakbot C2 and second-stage payloads are typically delivered from compromised infrastructure (T1584), often making them harder to track than purpose-built infrastructure.

Figure 3: A common attack path observed in March 2022 Qakbot incidents via TA577

The malicious document contains macros (Figure 4). Reverse engineering of the Qakbot sample by TRU (Figure 5) reveals three injection targets: explorer.exe, msra.exe, and OneDriveSetup.exe.

In one incident observed by TRU, OneDriveSetup.exe was the chosen injection target (Figure 6), while in the lab, reversing the sample led to injection into explorer.exe. The injected process performed several fundamental discovery techniques, including account discovery, domain discovery, and network configuration discovery. Throughout the attack path, Qakbot makes heavy use of trusted windows processes, particularly cmd.exe, regsvr32.exe, net.exe, nslookup.exe, whoami.exe, and ipconfig.exe. See below for a full list of indicators.

Figure 4:Malicious Document used in March 2022 Qakbot incidents

Figure 5: Debugging the Qakbot sample

Figure 6: Qakbot injecting into OneDriveSetup in an observed incident.

HTML Smuggling Initial Access

In June 2022, a Qakbot campaign emerged leveraging HTML smuggling of .lnk (Windows shortcut) files (Figure 7). HTML smuggling and password-protected .zip files help Qakbot bypass email security, during the social engineering phase of the attack. Once User Execution is achieved, Qakbot installs itself and begins initial Discovery process (Figure 8). In some cases, Qakbot dropped Cobalt Strike, which performed additional Discovery on the infected device – presumably a first step to network-wide compromise towards ransomware deployment.

Figure 7: HTML smuggling in June Qakbot samples

Figure 8: Initial Discovery commands run by Qakbot leveraging Trusted Windows Processes

Cobalt Strike IOCs

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Cybersecurity Specialist.

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire