This week, we are releasing 2 TTPs:
Qakbot, also known as QBot, QuackBot, or Pinkslipbot, has been active since 2007. CISA lists Qakbot as one of the top malware strains for 2021. Qakbot originally was a banking Trojan but has evolved its capabilities through time to include reconnaissance, lateral movement, identifying important files, exfiltrating data, and delivering payloads. The primary delivery methods for Qakbot are via email through attachments, hyperlinks, or embedded images.
Recent versions of Qakbot serve as a delivery agent for ransomware because of its "malware installation-as-a-service" features. These features make Qakbot a go-to framework amongst threat actors and ransomware gangs since it allows them to customize their payloads easily. Due to this customization, each Qakbot campaign may look slightly different from the next. Black Basta is a ransomware group that is known to use Qakbot.
At a high level, below are some of Qakbot's core capabilities:
calc.exe, and two DLLs. One DLL is named WindowsCodecs.dll, masquerading as a support file for calc.exe.
SYSTEM user.
iexplorer.exe, explorer.exe, msra.exe, mobsync.exe, and OneDriveSetup.exe.
whoami /all, ipconfig /all, and net view /all.
esentutl.exe, a built-in Microsoft utility.
We decided to emulate Qakbot's tactics on privilege escalation, defense evasion, and data collection for this TTP. Microsoft Defender may flag some of these actions as Win32/Qakbot.DC.
Execute Is this host protected from Qakbot? in Operator on each host in your environment to test if you are vulnerable.
This TTP will create the staging folder in the user's home directory using the following format: C:\Users\<user>\EmailStorage<hostname><username><timestamp>. Next, the TTP will create a scheduled task named ayttpnzc that attempts to run a non-existent DLL. The task is created under the currently logged-in user rather than SYSTEM, so the account running the TTP is guaranteed to have sufficient permissions to create it. The TTP will also attempt to add a non-existent folder, C:\ProgramData\Microsoft\Oweboiqnb, to the Windows Defender exclusion registry key HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths. The TTP then checks whether each of these actions succeeded. If the folder creation succeeded, the TTP creates an empty collectorlog.txt file and then attempts to delete it. Finally, the TTP deletes the folder, the file, the scheduled task, and the registry entry.
CISA lists "Immediate Actions You Can Take Now to Protect Against Malware". One of the actions listed is to provide end-user awareness and training about social engineering and phishing. This matters because Qakbot's initial access vector is phishing.
NanoCore is a Remote Access Tool that was first listed for sale on cybercrime forums in 2013. It is used primarily for information theft, credential harvesting, and recording a user's webcam. The primary delivery methods for NanoCore are emails containing a link to an ISO image with a malicious ZIP, and PDFs hosted in cloud storage. CISA lists NanoCore as one of the top malware strains of 2021.
In 2017 a cracked version of NanoCore was leaked. It remains in active development, though not by the original author, with new capabilities available as plugins or as part of a malware kit. NanoCore continues to be used by numerous criminal groups and state actors.
At a high level, some of NanoCore's capabilities are:
We decided to emulate NanoCore's persistence and defense evasion tactics for this TTP.
Execute Is this host protected from NanoCore RAT? in Operator on each host in your environment to test if you are vulnerable.
This TTP will download an XML file and save it as $HOME\AppData\Local\Temp\tmp5D23.tmp. This file contains the settings to configure a scheduled task. The TTP replaces two variables in the XML with the value of the $HOME environment variable and the value returned by the whoami command. The TTP then copies notepad.exe to $HOME\AppData\Roaming and saves it as AJjbpQrbaKv.exe; this benign binary stands in for a malicious NanoCore binary. The TTP adds this folder location to Microsoft Defender's exclusion paths via Add-MpPreference. Lastly, the TTP performs a conditional check to verify whether any of these actions succeeded and then deletes all created artifacts.
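The Qakbot and NanoCore TTPs above share the same mechanics: a scheduled task registered as the logged-in user, a Defender path exclusion for a folder that does not exist, a decoy file, a check, and a cleanup. The script below is an added example, not Prelude's TTP code, that emulates both from one elevated PowerShell session on a test host. It fills a task XML template the way the NanoCore TTP does (from $HOME and whoami), adds an exclusion both via Add-MpPreference (the NanoCore path) and by writing the HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths value (the Qakbot path), and records what actually took effect. Two caveats a practitioner will want: Defender's own key, HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, is ACLed so that even an elevated administrator cannot write to it, which is why the registry variant targets the Microsoft Antimalware key; and a successful write to that key does not by itself mean Defender honours it, so the script compares against Get-MpPreference. With tamper protection on, Add-MpPreference fails, and the script records that instead of stopping. The task name, folder names and decoy file name are stand-ins chosen for this example.

```powershell
# Added example (not Prelude's TTP code): emulate the steps shared by the
# Qakbot and NanoCore TTPs, verify each one, and remove every artifact.
# Run from an elevated PowerShell session on a test host. All names are
# stand-ins for this example; the TTPs use the names quoted in the text.
$ErrorActionPreference = 'Stop'

$whoAmI   = (& whoami.exe).Trim()                       # DOMAIN\user, as the NanoCore TTP uses it
$taskName = 'ttp_emulation_task'                        # arbitrary task name
$staging  = Join-Path $HOME ('EmailStorage_{0}_{1}_{2}' -f $env:COMPUTERNAME, $env:USERNAME, (Get-Date -Format 'yyyyMMddHHmmss'))
$decoyExe = Join-Path $HOME 'AppData\Roaming\TtpDecoy.exe'        # renamed notepad.exe standing in for the RAT
$exclCmd  = Join-Path $env:ProgramData 'Microsoft\TtpExclCmdlet'   # never created, like the TTPs' folders
$exclReg  = Join-Path $env:ProgramData 'Microsoft\TtpExclRegistry' # never created either
$amKey    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'  # key the Qakbot TTP writes

# Task definition in Task Scheduler XML. The two placeholders are filled the
# way the NanoCore TTP fills its downloaded XML, from $HOME and whoami.
$taskXml = @'
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>{{USER}}</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>{{HOME}}\AppData\Roaming\TtpDecoy.exe</Command></Exec>
  </Actions>
</Task>
'@
$taskXml = $taskXml.Replace('{{USER}}', $whoAmI).Replace('{{HOME}}', $HOME)

$results = [ordered]@{}
try {
    # 1. Staging folder plus collector log (Qakbot TTP)
    New-Item -ItemType Directory -Path $staging | Out-Null
    $log = Join-Path $staging 'collectorlog.txt'
    New-Item -ItemType File -Path $log | Out-Null
    $results['staging_folder'] = Test-Path -LiteralPath $log

    # 2. Decoy binary under %APPDATA% (NanoCore TTP): notepad.exe, not a RAT
    Copy-Item "$env:SystemRoot\System32\notepad.exe" -Destination $decoyExe
    $results['decoy_binary'] = Test-Path -LiteralPath $decoyExe

    # 3. Scheduled task registered as the current user, not SYSTEM
    Register-ScheduledTask -TaskName $taskName -Xml $taskXml | Out-Null
    $task = Get-ScheduledTask -TaskName $taskName
    $results['task_created'] = ($null -ne $task)
    $results['task_runs_as'] = $task.Principal.UserId

    # 4a. Exclusion through the supported cmdlet (NanoCore TTP). With tamper
    #     protection on this throws; record that rather than abort.
    try {
        Add-MpPreference -ExclusionPath $exclCmd
        $results['cmdlet_exclusion'] = ((Get-MpPreference).ExclusionPath -contains $exclCmd)
    } catch {
        $results['cmdlet_exclusion'] = "blocked: $($_.Exception.Message)"
    }

    # 4b. Exclusion by direct registry write (Qakbot TTP). The write can succeed
    #     even if Defender ignores that key, so check the effective config too.
    New-Item -Path $amKey -Force | Out-Null
    New-ItemProperty -Path $amKey -Name $exclReg -Value 0 -PropertyType DWord -Force | Out-Null
    $results['registry_written']   = ($null -ne (Get-ItemProperty -Path $amKey -Name $exclReg -ErrorAction SilentlyContinue))
    $results['registry_effective'] = ((Get-MpPreference).ExclusionPath -contains $exclReg)
}
finally {
    # 5. Clean up whether or not the steps above succeeded. The Microsoft
    #    Antimalware key itself is left in place; only the value is removed.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
    Remove-MpPreference -ExclusionPath $exclCmd -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $amKey -Name $exclReg -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $decoyExe, $staging -Recurse -Force -ErrorAction SilentlyContinue
}
$results
```

The interesting output is the pair registry_written / registry_effective: a host where the first is true and the second is false shows that the registry technique alone would not have blinded Defender, while a true cmdlet_exclusion (or a "blocked" message from tamper protection) tells you directly how the NanoCore-style exclusion would fare.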
CISA lists providing end-user awareness and training about social engineering and phishing as "Immediate Actions You Can Take Now to Protect Against Malware." User awareness is typically the remediation, since the malware uses phishing for initial access. Ensuring your current protections log scheduled task creation and registry key modification can help identify these malicious actions.
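The logging recommendation above can be turned into a host audit for the artifacts both TTPs leave behind. The following is an added example, not Prelude's code or a TTP: it lists path exclusions from the registry keys the TTPs touch (plus the Group Policy key) alongside Defender's effective configuration, flags scheduled tasks whose executable is missing or sits in a user-writable location, and pulls the Security 4698 (scheduled task created) and Microsoft-Windows-Windows Defender/Operational 5007 (configuration changed) events from the last day. Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, which is the gap the recommendation asks you to close; 5007 records exclusions added through Add-MpPreference. The function names are this example's own.

```powershell
# Added example (not Prelude's code): read-only audit of a host for the
# artifacts these TTPs leave behind. Run elevated so HKLM and the Security
# log are readable. Event IDs and registry keys are the standard Windows ones.

function Get-DefenderExclusionAudit {
    # Path exclusions from the keys the TTPs target and the policy key, tagged
    # with whether the path exists and whether Defender currently honours it.
    # Both TTPs exclude a folder that does not exist, so Exists=False is the tell.
    $effective = @((Get-MpPreference).ExclusionPath)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths',
            'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($prop in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            # Skip the provider metadata Get-ItemProperty adds (PSPath, PSDrive, ...)
            if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{
                Path      = $prop.Name
                Source    = $key
                Exists    = Test-Path -LiteralPath $prop.Name
                Effective = ($effective -contains $prop.Name)
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Tasks whose executable is missing or lives somewhere a standard user can
    # write. Both TTPs register such a task under the logged-in user's name.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ([IO.Path]::IsPathRooted($exe)) {
                $missing = -not (Test-Path -LiteralPath $exe)
            } else {
                $missing = $null -eq (Get-Command -Name $exe -ErrorAction SilentlyContinue)
            }
            $userWritable = $exe -match '^[A-Za-z]:\\(Users|ProgramData)\\'
            if ($missing -or $userWritable) {
                [pscustomobject]@{
                    Task         = $task.TaskPath + $task.TaskName
                    RunsAs       = $task.Principal.UserId
                    Execute      = $exe
                    Arguments    = $action.Arguments
                    Missing      = $missing
                    UserWritable = $userWritable
                }
            }
        }
    }
}

function Get-RecentTtpEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 4698: a scheduled task was created. Requires the "Audit Other Object
    # Access Events" subcategory to be enabled, otherwise nothing is logged.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Task Name' }) -join ' ' } }
    # 5007: Defender configuration changed. Exclusions added through
    # Add-MpPreference show up here with the new registry value in the message.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' ' } }
}

Get-DefenderExclusionAudit    | Format-Table -AutoSize
Get-SuspiciousScheduledTasks  | Format-Table -AutoSize
Get-RecentTtpEvents -Hours 24 | Format-Table -Wrap
```

Running the audit immediately after either TTP should show the excluded folder with Exists=False, the task under the user's name pointing at a file that is not there, and, if auditing is on, the matching 4698 and 5007 events; if the TTP's cleanup ran, only the events remain, which is exactly why the logs need to be on before the test.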
Check out the TTP Is this host protected from NanoCore RAT?.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VVX7