QakBot technical analysis

QakBot infection chain

Main description

QakBot, also known as QBot, QuackBot and Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed.

In recent years, QakBot has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy on financial operations, spread itself, and install ransomware in order to maximize revenue from compromised organizations.

To this day, QakBot continues to grow in terms of functionality, with even more capabilities and new techniques such as logging keystrokes, a backdoor functionality, and techniques to evade detection. It’s worth mentioning that the latter includes virtual environment detection, regular self-updates and cryptor/packer changes. In addition, QakBot tries to protect itself from being analyzed and debugged by experts and automated tools.

Another interesting piece of functionality is the ability to steal emails. These are later used by the attackers to send targeted emails to the victims, with the obtained information being used to lure victims into opening those emails.

QakBot infection chain

QakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails were delivered with Microsoft Office documents (Word, Excel) or password-protected archives with the documents attached. The documents contained macros and victims were prompted to open the attachments with claims that they contained important information (e.g., an invoice). In some cases, the emails contained links to web pages distributing malicious documents.

However, there is another infection vector that involves a malicious QakBot payload being transferred to the victim’s machine via other malware on the compromised machine.

The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It’s known that various threat actors perform reconnaissance (OSINT) of target organizations beforehand to decide which infection vector is most suitable.

QakBot infection chain

The infection chain of recent QakBot releases (2020-2021 variants) is as follows:

  • The user receives a phishing email with a ZIP attachment containing an Office document with embedded macros, the document itself or a link to download malicious document.
  • The user opens the malicious attachment/link and is tricked into clicking “Enable content”.
  • A malicious macro is executed. Some variants perform a ‘GET’ request to a URL requesting a ‘PNG’ However, the file is in fact a binary.
  • The loaded payload (stager) includes another binary containing encrypted resource modules. One of the encrypted resources has the DLL binary (loader) which is decrypted later during runtime.
  • The ‘Stager’ loads the ‘Loader’ into the memory, which decrypts and runs the payload during runtime. The configuration settings are retrieved from another resource.
  • The payload communicates with the C2 server.
  • Additional threats such as ProLock ransomware can now be pushed to the infected machine.

Typical QakBot functions

Typical QakBot malicious activity observed in the wild includes:

  • Collecting information about the compromised host;
  • Creating scheduled tasks (privilege escalation and persistency);
  • Credentials harvesting:
    • Credential dumping (Mimikatz, exe access)*;
    • Password stealing (from browser data and cookies);
    • Targeting web banking links (web injects)*.
  • Password brute forcing;
  • Registry manipulation (persistence);
  • Creating a copy of itself;
  • Process injection to conceal the malicious process.

Communication with C2

The QakBot malware contains a list of 150 IP addresses hardcoded into the loader binary resource. Most of these addresses belong to other infected systems that are used as a proxy to forward traffic to other proxies or the real С2.

Communication with the С2 is a HTTPS POST request with Base64-encoded data. The data is encrypted with the RC4 algorithm. The static string “jHxastDcds)oMc=jvh7wdUhxcsdt2” and a random 16-byte sequence are used for encryption. The data itself is in JSON format.

Original message in JSON format

HTTPS POST request with encrypted JSON

Usually, after infection the bot sends a ‘PING’ message, ‘SYSTEM INFO’ message and ‘ASK for COMMAND’ message, and the C2 replies with ‘ACK’ and ‘COMMAND’ messages. If additional modules were pushed by the C2, the bot sends a ‘STOLEN INFO’ message containing data stolen by the modules.

  • ‘PING’ message – bot request message to C2 with ‘BOT ID’ in order to check if С2 is active:

‘PING’ message

  • ‘ACK’ message – C2 response message with field “16” containing the external IP address of the infected system, the only valuable information:

‘ACK’ message

  • ‘SYSTEM INFO’ message – bot request message to C2 with information collected about the infected system. In addition to general system information such as OS version and bitness, user name, computer name, domain, screen resolution, system time, system uptime and bot uptime, it also contains the results of the following utilities and WMI queries:
    • whoami /all
    • arp -a
    • ipconfig /all
    • net view /all
    • cmd /c set
    • nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.{DOMAIN}
    • nltest /domain_trusts /all_trusts
    • net share
    • route print
    • netstat -nao
    • net localgroup
    • qwinsta
    • WMI Query ROOTCIMV2:Win32_BIOS
    • WMI Query ROOTCIMV2:Win32_DiskDrive
    • WMI Query ROOTCIMV2:Win32_PhysicalMemory
    • WMI Query ROOTCIMV2:Win32_Product
    • WMI Query ROOTCIMV2:Win32_PnPEntity

‘SYSTEM INFO’ message

  • ‘ASK for COMMAND’ message – bot command request message to C2. After the ‘SYSTEM INFO’ message is sent, the bot starts asking the C2 for a command to execute. One of the main fields is “14” – the SALT. This field is unique and changes in every request. It is used to protect against hijacking or takeover of a bot. After receiving this request, the С2 uses the SALT in the signing procedure and places the signature in the response, so the bot can check the signed data. Only a valid and signed command will be executed.

‘ASK for COMMAND’ message

  • ‘COMMAND’ message – C2 response message with command to execute. The current version of the bot supports 24 commands, most of them related to download, execution, drop of additional modules and module configuration files with different options, or setup/update configuration values.
    This type of message contains the signed value of the SALT (obtained from the bot’s request field “14”), COMMAND ID and MODULE ID. The other values of the message are not signed.In previous versions, the bot received modules and commands immediately after infection and sending a ‘SYSTEM INFO’ message. Now, the C2 responds with an empty command for about an hour. Only after that will the C2 send commands and modules in the response. We believe that this time delay is used to make it difficult to receive and analyze new commands and modules in an isolated controlled environment.

‘COMMAND’ C2 response with empty command

If the C2 pushes some modules, the Base64-encoded binary is placed into field “20” of the message.

‘COMMAND’ C2 response with additional module to load

  • ‘STOLEN INFO’ message – bot message to C2 with stolen information like passwords, accounts, emails, etc. Stolen information is RC4 encrypted and Base64 encoded. The key for the RC4 encryption is generated in a different way and based on the infected system ID (aka Bot ID) values, and not based on a static string as in the case of traffic encryption.

‘STOLEN INFO’ message

Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations.

The additional modules differ from sample to sample and may include: ‘Cookie grabber’, ‘Email Collector’, ‘Credentials grabber’, and ‘Proxy module’ among others.

These modules may be written by the threat actors themselves or may be borrowed from third-party repositories and adapted. It can vary from sample to sample. For example, there are older samples that may use Mimikatz for credentials dumping.

Below are some of the modules that we found during our research.

Additional modules

  • Cookie Grabber – collects cookies from popular browsers (Edge, Firefox, Chrome, Internet Explorer).

  • Hidden VNC – allows threat actors to connect to the infected machine and interact with it without the real user knowing.

  • Email Collector – tries to find Microsoft Outlook on the infected machine, then iterates over the software folders and recursively collects emails. Finally, the module exfiltrates the collected emails to the remote server.

The threat actors distributed a debug version of the email collector module at some point

  • Hooking module – hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL Hooking is used to perform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module finds functions from the hardcoded set and modifies the functions so they jump to custom code.

The module contains a ciphered list of DLLs and functions that the bot will hook

  • Passgrabber module – collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms.

Procedure that collects passwords from different sources

  • Proxy module – tries to determine which ports are available to listen to using the UPnP port forwarding and tier 2 С2 query. Comparing current and old proxy loader versions revealed some interesting things: the threat actors decided to remove the cURL dependency from the binary and perform all HTTP communications using their own code. Besides removing cURL, they also removed OpenSSL dependencies and embedded all functions into a single executable – there are no more proxy loaders or proxy modules, it’s a single file now.

UPnP port forwarding query construction

After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received/transmitted one by one or in multiple packets in a single TCP data segment (streamed).

The usual proxy module execution flow is as follows:

  • Communicate with the C2, try to forward ports with UPnP and determine available ports and report them to the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data.
  • Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file.
  • Set up external PROXY-C2 connection that was received with command 37 (update config)/module 274 (proxy) by the stager.
  • Communicating with the external PROXY-C2:

  • Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and seconds since the proxy module started.
  • Establish a connection (proxy commands sequence 1->10->11) with the PROXY-C2.
  • Initialize sessions, perform socks5 authorization with login/password (received from PROXY-C2 with command 10).
  • Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol.
  • QakBot proxy commands are as follows:

    Command
    Description

    1
    Hello (bot->C2)

    10
    Set up auth credentials (C2->bot)

    11
    Confirm credentials setup (bot->C2)

    2
    Create new proxy session (C2->bot)

    3
    SOCKS5 AUTH (bot->C2)

    4
    SOCKS5 requests processing (works for both sides)

    5
    Close session (works for both sides)

    6
    Update session state/session state updated notification (works for both sides)

    7
    Update session state/session state updated notification (works for both sides)

    8
    PING (C2->bot)

    9
    PONG (bot->C2)

    19
    Save current time in registry (C2->bot)

    Parsed packets from C2

    Tracking single proxy

    • Web inject – the configuration file for the hooking module
      Once communication with the C2 is established, one of the additional modules that is downloaded is the web-inject module. It intercepts the victim’s traffic by injecting the module into the browser’s process and hooking the network API. The hooking module gets the execution flow from intercepted APIs, and as soon as the victim accesses certain web pages related to banking and finance, additional JavaScript is injected into the source page.

    Fragment of JavaScript injected into the source page of the Wells Fargo login page

    QakBot statistics

    We analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% compared to the previous year and reached 17,316.

    Number of users affected by QakBot attacks from January to July in 2020 and 2021 (download)

    We observed the largest campaigns in Q1 2021 when 12,704 users encountered QakBot, with 8,068 Kaspersky users being targeted in January and 4,007 in February.

    Conclusions

    QakBot is a known Trojan-Banker whose techniques may vary from binary to binary (older and newer versions). It has been active for over a decade and doesn’t look like going away anytime soon. The malware is continuously receiving updates and the threat actors keep adding new capabilities and updating its modules in order to steal information and maximize revenue.

    We know that threat actors change how they perform their malicious activities based on security vendor activities, using sophisticated techniques to stay under the radar. Although QakBot uses different techniques to avoid detection, for example, process enumeration in order to find running anti-malware solutions, our products are able to detect the threat using behavior analysis. The verdicts usually assigned to this malware:

    Backdoor.Win32.QBot
    Backdoor.Win64.QBot
    Trojan.JS.QBot
    Trojan.MSOffice.QBot
    Trojan.MSOffice.QbotLoader
    Trojan.Win32.QBot
    Trojan-Banker.Win32.QBot
    Trojan-Banker.Win32.QakBot
    Trojan-Banker.Win64.QBot
    Trojan-Downloader.JS.QBot
    Trojan-PSW.Win32.QBot
    Trojan-Proxy.Win32.QBot

    Indicators of compromise (C2 server addresses)

    75.67.192[.]125:443
    24.179.77[.]236:443
    70.163.161[.]79:443

    72.240.200[.]181:2222
    184.185.103[.]157:443
    78.63.226[.]32:443

    83.196.56[.]65:2222
    95.77.223[.]148:443
    76.168.147[.]166:993

    105.198.236[.]99:443
    73.151.236[.]31:443
    64.121.114[.]87:443

    213.122.113[.]120:443
    97.69.160[.]4:2222
    77.27.207[.]217:995

    105.198.236[.]101:443
    75.188.35[.]168:443
    31.4.242[.]233:995

    144.139.47[.]206:443
    173.21.10[.]71:2222
    125.62.192[.]220:443

    83.110.109[.]155:2222
    76.25.142[.]196:443
    195.12.154[.]8:443

    186.144.33[.]73:443
    67.165.206[.]193:993
    96.21.251[.]127:2222

    149.28.98[.]196:2222
    222.153.122[.]173:995
    71.199.192[.]62:443

    45.77.117[.]108:2222
    45.46.53[.]140:2222
    70.168.130[.]172:995

    45.32.211[.]207:995
    71.74.12[.]34:443
    82.12.157[.]95:995

    149.28.98[.]196:995
    50.29.166[.]232:995
    209.210.187[.]52:995

    149.28.99[.]97:443
    109.12.111[.]14:443
    209.210.187[.]52:443

    207.246.77[.]75:8443
    68.186.192[.]69:443
    67.6.12[.]4:443

    149.28.99[.]97:2222
    188.27.179[.]172:443
    189.222.59[.]177:443

    149.28.101[.]90:443
    98.192.185[.]86:443
    174.104.22[.]30:443

    149.28.99[.]97:995
    189.210.115[.]207:443
    142.117.191[.]18:2222

    149.28.101[.]90:8443
    68.204.7[.]158:443
    189.146.183[.]105:443

    92.59.35[.]196:2222
    75.137.47[.]174:443
    213.60.147[.]140:443

    45.63.107[.]192:995
    24.229.150[.]54:995
    196.221.207[.]137:995

    45.63.107[.]192:443
    86.220.60[.]247:2222
    108.46.145[.]30:443

    45.32.211[.]207:8443
    193.248.221[.]184:2222
    187.250.238[.]164:995

    197.45.110[.]165:995
    151.205.102[.]42:443
    2.7.116[.]188:2222

    45.32.211[.]207:2222
    71.41.184[.]10:3389
    195.43.173[.]70:443

    96.253.46[.]210:443
    24.55.112[.]61:443
    106.250.150[.]98:443

    172.78.59[.]180:443
    24.139.72[.]117:443
    45.67.231[.]247:443

    90.65.234[.]26:2222
    72.252.201[.]69:443
    83.110.103[.]152:443

    47.22.148[.]6:443
    175.143.92[.]16:443
    83.110.9[.]71:2222

    149.28.101[.]90:995
    100.2.20[.]137:443
    78.97.207[.]104:443

    207.246.77[.]75:2222
    46.149.81[.]250:443
    59.90.246[.]200:443

    144.202.38[.]185:995
    207.246.116[.]237:8443
    80.227.5[.]69:443

    45.77.115[.]208:995
    207.246.116[.]237:995
    125.63.101[.]62:443

    149.28.101[.]90:2222
    207.246.116[.]237:443
    86.236.77[.]68:2222

    45.32.211[.]207:443
    207.246.116[.]237:2222
    109.106.69[.]138:2222

    149.28.98[.]196:443
    45.63.107[.]192:2222
    84.72.35[.]226:443

    45.77.117[.]108:443
    71.163.222[.]223:443
    217.133.54[.]140:32100

    144.202.38[.]185:2222
    98.252.118[.]134:443
    197.161.154[.]132:443

    45.77.115[.]208:8443
    96.37.113[.]36:993
    89.137.211[.]239:995

    45.77.115[.]208:443
    27.223.92[.]142:995
    74.222.204[.]82:995

    207.246.77[.]75:995
    24.152.219[.]253:995
    122.148.156[.]131:995

    45.77.117[.]108:8443
    24.95.61[.]62:443
    156.223.110[.]23:443

    45.77.117[.]108:995
    96.61.23[.]88:995
    144.139.166[.]18:443

    45.77.115[.]208:2222
    92.96.3[.]180:2078
    202.185.166[.]181:443

    144.202.38[.]185:443
    71.187.170[.]235:443
    76.94.200[.]148:995

    207.246.77[.]75:443
    50.244.112[.]106:443
    71.63.120[.]101:443

    140.82.49[.]12:443
    24.122.166[.]173:443
    196.151.252[.]84:443

    81.214.126[.]173:2222
    73.25.124[.]140:2222
    202.188.138[.]162:443

    216.201.162[.]158:443
    47.196.213[.]73:443
    74.68.144[.]202:443

    136.232.34[.]70:443
    186.154.175[.]13:443
    69.58.147[.]82:2078

    * Can be performed as an external command (extended module).

    Source:: Securelist