Is this host protected from Qakbot?

Creates a scheduled task, adds a folder path to the Windows Antimalware exclusions list, and creates a staging folder to emulate Qakbot's observed behaviors.

This week, we are releasing two TTPs:

  • Is this host protected from Qakbot?
  • Is this host protected from NanoCore RAT?

Is this host protected from Qakbot?

Qakbot, also known as QBot, QuackBot, or Pinkslipbot, has been active since 2007. CISA lists Qakbot as one of the top malware strains for 2021. Qakbot was originally a banking Trojan but has evolved its capabilities over time to include reconnaissance, lateral movement, identifying important files, exfiltrating data, and delivering payloads. The primary delivery methods for Qakbot are email attachments, hyperlinks, or embedded images.

Recent versions of Qakbot serve as a delivery agent for ransomware because of its "malware installation-as-a-service" features. These features make Qakbot a go-to framework amongst threat actors and ransomware gangs since it allows them to customize their payloads easily. Due to this customization, each Qakbot campaign may look slightly different from the next. Black Basta is a ransomware group that is known to use Qakbot.

At a high level, below are some of Qakbot's core capabilities:

  • Initial Access - malspam campaigns with malicious attachments, hyperlinks, or embedded images that will drop a second stage payload.
    - Qakbot has recently used HTML attachments that download a password-protected ZIP file with an ISO file inside. The ISO file will contain a .LNK file, a Windows 7 version of `calc.exe`, and two DLLs. One DLL is named `WindowsCodecs.dll`, masquerading as a support file for `calc.exe`.
  • Execution - using rundll32 or regsvr32 to execute or register/unregister DLLs.
  • Privilege Escalation - creating scheduled tasks to run payloads as the `SYSTEM` user.
  • Persistence - modifying registry Run keys.
  • Defense Evasion - modifying Defender registry keys and injecting itself into processes such as `iexplorer.exe`, `explorer.exe`, `msra.exe`, `mobsync.exe`, and `OneDriveSetup.exe`.
  • Discovery - running discovery commands such as `whoami /all`, `ipconfig /all`, and `net view /all`.
  • Lateral Movement - using WMI to create services on other endpoints within the breached network.
  • Credential harvesting - attempting to extract browser data from Internet Explorer and Microsoft Edge using `esentutl.exe`, a built-in Microsoft utility.
  • Data collection and exfiltration - creating a staging folder that collects emails dating back several years in attempts to perform email thread hijacking.

We decided to emulate Qakbot's tactics on privilege escalation, defense evasion, and data collection for this TTP. Microsoft Defender may flag some of these actions as `Win32/Qakbot.DC`.

Testing

Execute `Is this host protected from Qakbot?` in Operator on each host in your environment to test if you are vulnerable.

This TTP will create the staging folder in the user's home directory using the format `C:\Users\<user>\EmailStorage_<hostname><username><timestamp>`. Next, the TTP will create a scheduled task named `ayttpnzc` that attempts to run a non-existent DLL. The task runs as the currently logged-in user instead of `SYSTEM` so that the TTP has sufficient permissions to create it. The TTP will also attempt to add a non-existent folder location, `C:\ProgramData\Microsoft\Oweboiqnb`, to the Windows Defender registry key `HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths`. The TTP then checks whether these actions succeeded. If the folder creation succeeded, the TTP creates a blank `collector_log.txt` file and then attempts to delete it. Finally, the TTP deletes the folder, file, scheduled task, and registry entry.

Remediation

CISA lists ‘Immediate Actions You Can Take Now to Protect Against Malware’. One of the actions listed is to provide end-user awareness and training about social engineering and phishing. This is important since the vector for initial access is via phishing.

Is this host protected from NanoCore RAT?

NanoCore is a Remote Access Tool listed for sale on cybercrime forums in 2013. It is used primarily for information theft, credential harvesting, and recording a user's webcam. The primary delivery methods for NanoCore are emails containing a link to an ISO with a malicious ZIP and PDFs hosted in cloud storage. CISA lists NanoCore as one of the top malware strains of 2021.

In 2017 a cracked version of NanoCore was leaked. It remains in active development, though not by the original author, with new capabilities available as plugins or as part of a malware kit. NanoCore continues to be used by numerous criminal groups and state actors.

At a high level, some of NanoCore's capabilities are:

  • Initial Access - malspam campaigns with malicious attachments, hyperlinks, or embedded images that will drop a second stage payload.
    - NanoCore can spread via an ISO file with a malicious ZIP inside of it.
    - NanoCore may be hosted as a malicious PDF in various cloud storage providers.
    - NanoCore has been embedded in Office documents as obfuscated macros.
  • Execution - using cmd or reg to execute the binary and modify registry keys.
  • Persistence - creating scheduled tasks and modifying registry Run keys.
  • Defense Evasion - modifying Defender registry keys.
  • Discovery - collecting network and host information via various plugins.
  • Credential harvesting - attempting to extract data from browsers and email clients.
  • Data collection and exfiltration - attempting to log keystrokes and record webcams.

We decided to emulate NanoCore's persistence and defense evasion tactics for this TTP.

Testing

Execute `Is this host protected from NanoCore RAT?` in Operator on each host in your environment to test if you are vulnerable.

This TTP will download an XML file and save it as `$HOME\AppData\Local\Temp\tmp5D23.tmp`. This file contains the settings for a scheduled task. The TTP replaces two variables in the XML with the value of the `$HOME` environment variable and the output of the `whoami` command. The TTP then copies `notepad.exe` to `$HOME\AppData\Roaming` and saves it as `AJjbpQrbaKv.exe`; this benign binary stands in for a malicious NanoCore binary. The TTP adds this folder location to Microsoft Defender's exclusion paths via `Add-MpPreference`. Lastly, the TTP performs a conditional check to verify whether any of these actions succeeded and then deletes all created artifacts.

Remediation

CISA lists providing end-user awareness and training about social engineering and phishing among its "Immediate Actions You Can Take Now to Protect Against Malware." User awareness is typically the remediation since the malware uses phishing for initial access. Ensuring your current protections log scheduled task creation and registry key modification can help identify these malicious actions.
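Both TTPs on this page come down to two loggable actions: a scheduled task that hands execution to a DLL loader, and a new path under the Defender/Antimalware exclusion keys. As an added detection example (not part of the original post or Prelude's TTP code), the Python below triages constructed records shaped like Security event 4698 (scheduled task created) and Microsoft-Windows-Windows Defender/Operational event 5007 (configuration changed); the field names, the simplified record layout, and the sample task names and paths are assumptions for illustration, not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not real telemetry) shaped like two Windows event types:
# Security 4698 "A scheduled task was created" and Defender Operational 5007
# "configuration changed". The task name and paths mirror the ones this TTP uses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "4698", "task": r"\ayttpnzc",
     "xml": "<Exec><Command>rundll32.exe</Command>"
            r"<Arguments>C:\ProgramData\Microsoft\Oweboiqnb\stage.dll,DllRegisterServer</Arguments></Exec>"},
    {"id": "4698", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "xml": r"<Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>"},
    {"id": "5007", "new_value": r"HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths\C:\ProgramData\Microsoft\Oweboiqnb = 0x0"},
    {"id": "5007", "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\jdoe\AppData\Roaming = 0x0"},
    {"id": "5007", "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Contoso Backup = 0x0"},
]

# Task actions that hand execution to a DLL loader (the execution technique described above).
LOADER_RE = re.compile(r"<Command>[^<]*\b(rundll32|regsvr32)(\.exe)?</Command>", re.I)
# Any new entry under the Defender or legacy Antimalware exclusion keys; captures the excluded target.
EXCLUSION_RE = re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\(?P<target>[^=]+?)\s*=", re.I)
# Exclusions for directories an unprivileged user can write to are the ones malware typically wants.
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData)\\", re.I)


def flag_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a severity-tagged finding for a suspicious event, or None for a benign one."""
    if ev["id"] == "4698":
        m = LOADER_RE.search(ev.get("xml", ""))
        if m:
            return f"HIGH: task {ev['task']} executes via {m.group(1).lower()}"
    elif ev["id"] == "5007":
        m = EXCLUSION_RE.search(ev.get("new_value", ""))
        if m:
            target = m.group("target").strip()
            sev = "HIGH" if USER_WRITABLE_RE.search(target) else "MEDIUM"
            return f"{sev}: Defender exclusion added for {target}"
    return None


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run every event through flag_event and keep only the findings."""
    return [f for f in (flag_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Feeding the same two event IDs from a real host into `triage` gives an immediate check that the logging recommended above actually captures what the TTPs do.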

Check out the TTP `Is this host protected from NanoCore RAT?`.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VV_X_7

Bart: https://twitter.com/bartimusprimed

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org