Skip to content

If it mails like a qak, signs like a qak and injects like a qak, it’s definitely a qakbot.

If it mails like a qak, signs like a qak and injects like a qak, it’s definitely a qakbot.

Ever since 2007 when the first samples were observed in the wild, QBot (also known as Qakbot or Pinkslipbot) suffered multiple transformations and mutations making it the most submitted malware family on multiple platforms that offer hosting for artifacts available to analyze.

It first appeared as a banking Trojan used to steal financial information from infected systems and evolved into a backdoor tool used for delivering malicious payloads for ransomware. Using sophisticated TTPs that constantly change, it manages to evade detection mechanisms and abuses zero-day vulnerabilities to achieve its purpose.

Qbot was observed across multiple world regions and within various industries, therefore no one should consider themselves safe.

One of our customers submitted a suspicious e-mail, so I started analyzing – and since the start of the process, I realized I’m dealing with a new QBot variant.

If it mails like a qak, signs like a qak and injects like a qak, it’s definitely a qakbot 

The favorited delivery method for Qakbot is through phishing e-mails, exploiting the most vulnerable part of the entire security chain: the user.

BlogPicOne

The e-mail received carries an html attachment that impersonates a Google Drive instance and, in the background, uses a technique called HTML smuggling, by obfuscating an encoded script within the HTML code that gets executed by the browser, assembling the malware in memory and delivering the malicious file as a download performed from a legitimate website (the service that is being impersonated).

The impersonated service is being stored inside the HTML file as a base64 encoded GIF:

BlogPicTwo

Another base64 encoded string is stored in a reverse form and it gets reversed using a custom obfuscated function:

BlogPicThree

In an attempt to evade analysis and to make manual investigation harder, it uses obfuscation to conceal its activity:

BlogPicFour

But, to sweeten the analyst’s work, it contains some excerpt from Lewis Carroll’s Alice in Wonderland:

BlogPicFive

Once opened, the HTML file impersonates a legitimate service and downloads the malicious file assembled by the browser engine:

BlogPicSix

To evade automatic detection tools that get triggered whenever a file is being downloaded, the archive file is password protected and this might give some users a fake sense of security – seeing a file that is password protected means it comes from a trusted source and it hasn’t been tampered with. Well, nothing is further from the truth – because this is a known technique used by malicious actors.  

Once extracted the encrypted archive reveals an ISO file that gets mounted automatically when opened and the content of the ISO, though harmless looking, is the Qbot payload used to infect the machine where it resides:

BlogPicSevenBlogPicEight


Agreement.js
file is a JScript (not to be mistaken with JavaScript, although shares the same file extension) that executes a shell command, registering a malicious DLLnewsstand.temp by calling the legitimate Windows program – regsvr32:

BlogPicNine

Furthermore, the JS file carries a malformed signature used to bypass the Mark-of-the-Web (MOTW) security feature, a zero-day vulnerability at the time this sample was analyzed, and it was fixed by Microsoft with the updates from the last Patch Tuesday of 2022. This JS malformed signature was previously observed in the wild associated with activities performed by the Black Basta ransomware group.

When run, the JS file spawns a legitimate process AtBroker.exe, and attaches to it in order to gain persistence and run as stealthy as possible.

A registry entry is being created under HKCU\SOFTWARE\Microsoft\ given a random string value, containing multiple keys with random hex value.

BlogPicTen

Upon decrypting the registry values, further information about the campaign id and variant (obama223) are observed:

BlogPicEleven

Final words

To prevent those attacks, users should be educated to be extra cautious when receiving e-mails, especially those with attachments. In particular, for this method of delivering malicious payload concealed in an ISO, a handy workaround would be to edit Windows GPO settings by going into Administrative Templates\\System\\Device Installation\\Device Installation Restrictions and enable “Prevent installation of devices that match any of these device IDs” and add the corresponding Device IDs for Microsoft DVD-ROM (assuming no other software is used and configured to handle ISO mount).

BlogPicTwelve

It should be noted that this is just a workaround and shouldn’t be used as a sole prevention against those attacks, especially because at the time this article was written, newer samples observed in the wild are using another way of delivering the malicious payload and replaced ISO with VHD – the native file format for Microsoft’s hypervisor engine.

We can observe that QBot developers work hard to evade detection mechanisms and are up-to-date with the latest vulnerabilities and aren’t afraid to use them to deliver malicious payloads to get financial benefits. Their TTPs are constantly changing and adapting to solutions released by security experts. It’s a constant cat and mouse game, but the ones affected are the users and the companies targeted by those attacks.

RazvanPhotoFinal     by Razvan Cristea
     Threat hunter. Geek. Cyber Security Analyst at Gradient Cyber