This week, we are releasing 2 TTPs:
Qakbot, also known as QBot, QuackBot, or Pinkslipbot, has been active since 2007. CISA lists Qakbot as one of the top malware strains for 2021. Qakbot originally was a banking Trojan but has evolved its capabilities through time to include reconnaissance, lateral movement, identifying important files, exfiltrating data, and delivering payloads. The primary delivery methods for Qakbot are via email through attachments, hyperlinks, or embedded images.
Recent versions of Qakbot serve as a delivery agent for ransomware because of its "malware installation-as-a-service" features. These features make Qakbot a go-to framework amongst threat actors and ransomware gangs since it allows them to customize their payloads easily. Due to this customization, each Qakbot campaign may look slightly different from the next. Black Basta is a ransomware group that is known to use Qakbot.
At a high level, below are some of Qakbot's core capabilities:
We decided to emulate Qakbot's tactics on privilege escalation, defense evasion, and data collection for this TTP. Microsoft Defender may flag some of these actions as `Win32/Qakbot.DC`.
Execute `Is this host protected from Qakbot?` in Operator on each host in your environment to test if you are vulnerable.
This TTP will create the staging folder in user’s home directory using the following format `C:\Users\<user>\EmailStorage_<hostname><username><timestamp>`. Next, the TTP will create a scheduled task named `ayttpnzc` which will attempt to run a non-existent DLL. This created task uses the currently logged-in user instead of `SYSTEM` to guarantee sufficient permissions for its creation. This TTP will also attempt to add a non-existent folder location `C:\ProgramData\Microsoft\Oweboiqnb` to a Window's Defender registry key `HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths`. The TTP will then check to identify if these actions were successful. If the folder creation is successful, the TTP will create a blank `collector_log.txt` file and then attempt to delete it. Finally, the TTP will delete the folder, file, scheduled task, and registry entry.
CISA lists ‘Immediate Actions You Can Take Now to Protect Against Malware’. One of the actions listed is to provide end-user awareness and training about social engineering and phishing. This is important since the vector for initial access is via phishing.
NanoCore is a Remote Access Tool listed for sale on cybercrime forums in 2013. It is used primarily for information theft, credential harvesting, and recording a user's webcam. The primary delivery methods for NanoCore are emails containing a link to an ISO with a malicious ZIP and PDFs hosted in cloud storage. CISA lists NanoCore as one of the top malware strains of 2021.
In 2017 a cracked version of NanoCore was leaked. It remains in active development, though not by the original author, with new capabilities available as plugins or as part of a malware kit. NanoCore continues to be used by numerous criminal groups and state actors.
At a high level, some of NanoCore's capabilities are:
We decided to emulate NanoCore's persistence and defense evasion tactics for this TTP.
Execute `Is this host protected from NanoCore RAT?` in Operator on each host in your environment to test if you are vulnerable.
This TTP will download an XML file and save it as `$HOME\AppData\Local\Temp\tmp5D23.tmp`. This file will contain the settings to configure a scheduled task. The TTP will replace two variables in the XML with the value in the `$HOME` environment variable, and the value returned for the `whoami` command. The TTP will then copy `notepad.exe` to `$HOME\AppData\Roaming` and save the binary as `AJjbpQrbaKv.exe` using this binary instead of a malicious NanoCore binary. The TTP will add this folder location to Microsoft Defender's exclusion path via `Add-MpPreference`. Lastly, the TTP will perform a conditional check to verify if any of these actions were successful and then delete all created artifacts.
CISA lists providing end-user awareness and training about social engineering and phishing as "Immediate Actions You Can Take Now to Protect Against Malware." User awareness is typically the remediation since the malware uses phishing as initial access. Ensuring your current protections log scheduled task creation and registry key modification can help identify these malicious actions.
Check out the TTP Is this host protected from NanoCore RAT?.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg