June 2022 Qakbot Campaign

Executive Summary

The eSentire Security Operations Center (SOC) has intercepted several incidents stemming from a recent Qakbot campaign. Qakbot is a malware-as-a-service (MaaS) known to precede ransomware intrusions associated with Maze, Egregor, and Conti ransomware groups. In a parallel analysis, eSentire’s Threat Response Unit (TRU) reports that the latest Qakbot campaigns are leading to Cobalt Strike infrastructure, which TRU tracks as INF5.

INF5-associated Cobalt Strike is also an observed outcome of attacks leveraging Matanbuchus, another MaaS known to be used by Conti. Technical analysis of Qakbot’s delivery and execution methods demonstrate three distinct clusters of activity, which suggests multiple operators may be utilizing the backdoor and infostealer – largely towards ransomware operations.

TRU notes a strong correlation between Qakbot activity and one of Conti’s subsidiary ransomware groups, BlackBasta. Previous campaigns observed by TRU also leveraged SquirrelWaffle and appeared to be aimed largely at email exfiltration. Interestingly, replaying exfiltrated emails is one of the methods that threat actors which utilize Qakbot employ to bypass email security controls. TRU has tracked and deployed detection for the Qakbot malware since it’s integration into the ransomware economy in 2020.

June 2022 Qakbot Campaign

A Qakbot campaign has been observed affecting industries and sectors across the board, including Government, Financial Services, Legal, Manufacturing, and Education. Qakbot campaigns originate from malicious email spam campaigns that are highly opportunistic in nature. At least one of the spam campaigns delivering Qakbot is attributed to TA570, recently observed attempting to exploit the Follina vulnerability via Qakbot.

As is typical of botnet campaigns, once a number of infections have been established, Qakbot operators and affiliates can prioritize infections based on information collected from infected systems. This is facilitated by Qakbot´s initial discovery phase – an important feature of modern botnet malware that allows its operators to get a broader network perspective on the victim organization. Objectives of campaigns leveraging Qakbot vary from incident to incident.

Qakbot has been observed:

1. Exfiltrating email inboxes, likely to be used later in email replay attacks and email usage analysis.
2. Stealing passwords and machine fingerprints from web browsers, which can be replicated in attacks leveraging valid credentials later.
3. Loading Cobalt Strike for ransomware intrusions.

The last significant Qakbot campaign observed by TRU was associated with SquirrelWaffle and Cobalt Strike in November 2021. In those campaigns, Qakbot was leveraged to exfiltrate emails, likely to be used in email replay attacks.

In the recent June 2022 campaign, TRU and others have observed Qakbot occasionally dropping Cobalt Strike as before.

Three Clusters of Activity

eSentire‘s Threat Response Unit (TRU) observed three distinct clusters of activity associated with Qakbot during technical analysis of the delivery and execution methods of Qakbot incidents in June 2022. Given that multiple threat actors have been observed utilizing Qakbot (including TA551, TA577, and TA570) it‘s possible that these clusters represent distinct campaigns and/or threat groups. But they could also simply reflect evolution of the Qakbot malware offering itself.

BlackBasta Association

A report of Qakbot leading to BlackBasta was published in early June by NCC Group. Tracking both Qakbot activity and BlackBasta leak site activity, TRU finds a temporal correlation between the two (Figure 2). However, given that Qakbot is offered as a service, and tends to be associated with multiple malspam campaigns it‘s likely that other groups besides BlackBasta are leveraging the malware.

Cobalt Strike Infrastructure and Matanbuchus

Cobalt Strike infrastructure associated with Qakbot in the latter half of June tended to be registered to .icu domains. TRU tracks this infrastructure as INF5. Interestingly, the same infrastructure has been observed in Matanbuchus campaigns using a similar html smuggling approach, but with .msi files, rather than .lnk files for User Execution.

Domains for the associated Cobalt Strike are listed in the IOCs section below. It‘s worth noting that these domains were not observed in the BlackBasta-associated attack reported by NCC Group.

Qakbot Attack Path and Technical Details

The sparse incident in March 2022 operated on malspam campaign that used .ocx file extensions loaded in regsvr32 while the June 2022 campaign relies on User Execution of a windows shortcut (.lnk) file that relies on HTML smuggling.

Maldoc Initial Access

A map of the attack path shows the common flow of attacks that leverage Qakbot (Figure 3). The June 2022 Qakbot campaigns rely on email for initial access (Mitre Technique T1566), delivering a zipped file (a form of Defense Evasion that helps malware bypass email filters). Qakbot C2 and second-stage payloads are typically delivered from compromised infrastructure (T1584), often making them harder to track than purpose-built infrastructure.

The malicious document contains macros (Figure 4). Reverse engineering of the Qakbot sample by TRU (Figure 5) reveals three injection targets: explorer.exe, msra.exe, and OneDriveSetup.exe.

In one incident observed by TRU, OneDriveSetup.exe was the chosen injection target (Figure 6), while in the lab, reversing the sample led to injection into explorer.exe. The injected process performed several fundamental discovery techniques, including account discovery, domain discovery, and network configuration discovery. Throughout the attack path, Qakbot makes heavy use of trusted windows processes, particularly cmd.exe, regsvr32.exe, net.exe, nslookup.exe, whoami.exe, and ipconfig.exe. See below for a full list of indicators.

HTML Smuggling Initial Access

In June 2022, a Qakbot campaign emerged leveraging HTML smuggling of .lnk (Windows shortcut) files (Figure 7). HTML smuggling and password-protected .zip files help Qakbot bypass email security, during the social engineering phase of the attack. Once User Execution is achieved, Qakbot installs itself and begins initial Discovery process (Figure 8). In some cases, Qakbot dropped Cobalt Strike, which performed additional Discovery on the infected device – presumably a first step to network-wide compromise towards ransomware deployment.

Cobalt Strike IOCs

• bande[.]icu
• extic[.]icu
• moros[.]icu
• vgroz[.]icu
• vlgeb[.]icu
• trikh[.]icu
• reykh[.]icu
• mssfr[.]icu
• drakr[.]icu
• cmdef[.]icu
• svfin[.]icu

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Cybersecurity Specialist.