Blogs > Security Research

Resurgence of the QakBot Stealer from Newly Registered Domains

QakBot

Published on:

Authored by:

Tarun Dewan

Tarun Dewan

Tarun Dewan

Rajdeepsinh Dodia

Resurgence of the QakBot Stealer from Newly Registered Domains

The Zscaler ThreatLabZ team is constantly on the lookout for trending and evolving techniques used by malware authors to infiltrate victims' machines, steal information, and carry out other malicious activities. Recently, we observed newly registered domains (NRDs) specifically created to distribute QakBot, a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment.

These malicious Office documents are used for the delivery of payloads and are often involved in targeted attacks. ThreatLabZ has analyzed thousands of malicious documents from different campaigns, and this blog will outline our analysis of the obfuscated macro used to deliver the QakBot stealer.
 

Malicious Office macro analysis:

We noted a campaign using malicious Office documents with the filename Operating Agreement_<integervalue>.doc and we detonated the file in our sandbox to see what would happen if a user did the same. We observed that the user would receive the following notice before enabling the macro.

 

 

The filenames and hashes for these attachments are as follows:

Md5File TypeFile Name
35c410f461d0568449e8e1ce9071c9c8DOCMOperating Agreement_11.doc
fc3ce33366a6a958190e1191381cd88aDOCMOperating Agreement_1.doc
0662a56970ab101c3cc3ffd28f1e8611DOCMOperating Agreement_12.doc
ef5f8a577667c01ca4e888fc92fbc2baDOCMOperating Agreement_4.doc
ff3fb1ca6740a8bcfad9240931f58fd6DOCMOperating Agreement_1.doc
0045b7c3d514c62806f215ad6b2c009dDOCMOperating Agreement_22.doc
78c96b3b71c6dc7c6a9462b85836cc12DOCMOperating Agreement_11.doc
c8a121c6f5c23ee55d2d0d96d8dd6736DOCMOperating Agreement_25.doc
ad00392f05ff38447fbd9cb6adc5e820DOCMOperating Agreement_40.doc
47a48a09467c0627e253da4e0caff9ccDOCMOperating Agreement_33.doc
7f699f567aa1ee82d7d951acd1d1ed95DOCMOperating Agreement_8.doc
9c601faf5047ee6a783ee1d6d2b14327DOCMOperating Agreement_20.doc
bcb055c370178754930305890f763988DOCMOperating Agreement_34.doc
e8e06c8a52f2ac87874b93e777b5abbaDOCMInfo_102.doc
f3de4b872baf17a253da5cf05ea1bff9DOCMJudgment_1434.doc

 

The macro is password-protected, but we were able to extract it after tweaking the code. At first glance, the presence of many userforms in the macro implies that code is placed within it; but it is actually performing actions, including:

  • Copying hardcoded, obfuscated data from the userform and, after decrypting, placing it in the userform again in different “properties” sections, such as captions and tags, and, from there, executing PowerShell to download the payload from the command-and-control (C&C) server.  

Once the macro is enabled, it generates a fake popup window to make the user believe the system is performing a function. This is similar to the activity we examined in the TA505 APT and Emotet campaigns. This window is displayed as malicious activities are being performed by the macro.

File system persistence: 

It drops the .bat files to the following path:

  • C:\Users\Public\tmp.bat
  • Tmp.bat in return makes a directory C:\Users\Public\tmpdir\tmps1.bat

Functionality of tmps1.bat :

C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2 & C:\Users\Public\tmpdir\[payload].exe

The payload is run by using the choice command when prompted. The choice command was disabled in earlier versions but is available in Windows Vista and later versions.

The choice command allows users to keep batch files and scripts from running while they make a set of choices.

  • /C : Specifies the list of choices to be created. Default list is "YN".
  • Y : Y signifies as YES which is to be displayed on the prompt.
  • /N : Hides the list of choices in the prompt. The message before the prompt is displayed and the choices are still enabled.
  • /D : Specifies the default choice after timeout seconds.
  • /T : The number of seconds to pause before a default choice is made.


Obfuscation and decryption routine:

This macro is highly obfuscated and difficult to analyze because of its added junk code. 

The below snapshot displays copying obfuscated data to the userform.

 

The above-mentioned string appeared as ubc/qnu]djmcv]tsftV];D. 

We reversed the string before moving on to the decryption algorithm.

 

After reversing, it appeared as D;]Vtfst]vcmjd]unq/cbu, which was used later for decryption.
 

Decryption routine: 

We fetched the obfuscated data from a stored variable and then calculated the mid-value of the string (D;]Vtfst]vcmjd]unq/cbu) in a loop. The loop will perform based on string length. After that, the returned value is converted to ASCII and subtracted by 1. The final value will be converted to Chr again.
 

 

Using the same decryption routine, it obfuscates the four URLs mentioned in the file and, at the end, encodes the Base64 code which is, again, passed to the PowerShell script.

 

QakBot analysis:

QakBot is a sophisticated stealer that is distributed by documents downloaded from spam email. It uses different techniques to evade detection and complicate analysis. We checked the timestamp of the unpacked sample and discovered it was from 2010.

 

 

Before executing the main code, the malware checks for the presence of antivirus software. It also checks for virtual environments and other monitoring tools by checking the running processes on the victim's computer. It takes a snapshot of the processes using CreateToolhelp32Snapshot and enumerates through all the processes using the Process32First and Process32Next API. Below is the list of processes:

 

  • ccSvcHst.exe
  • avgcsrvx.exe
  • avgsvcx.exe
  • avgcsrva.exe
  • MsMpEng..exe
  • mcshield.exe
  • avp.exe
  • egui.exe
  • ekrn.exe
  • bdagent.exe
  • vsserv.exe
  • AvastSvc.exe
  • coreServiceShell.exe
  • PccNTMon.exe
  • NTRTScan.exe
  • SAVAdminService.exe
  • SavService.exe
  • fshoster32.exe
  • WRSA.exe
  • vkise.ex
  • isesrv.exe
  • cmdagent.exe
  • MBAMService.exe
  • ByteFence.exe
  • mbamgui.exe
  • fmon.exe
  • Vmnat.exe
     

Further, the malware copies itself into the %AppData%\Roaming\Microsoft\{Random}\ directory and executes it. It executes the below command to ping itself and replace the original binary with a copy of the legitimate Windows Calculator application: calc.exe.

“C:\Windows\System32\cmd.exe'  /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\<main_payload.exe>”
 

Persistence mechanism:

QakBot establishes persistence by creating a RUN key at the auto startup location and executing the malware at every login. It also creates scheduled tasks to execute the payload once at 5:33 a.m. and delete the scheduled task after execution.

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\{Random}

C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn {Random}/tr '\'% AppData%\Roaming\Microsoft\{Random}\{Random.exe}\' /I {Random}' /SC ONCE /Z /ST 05:33 /ET 05:45

Additionally, it creates the explorer.exe process in suspended mode and injects the unacknowledged DLL into it. After executing, it creates a .wpl file that is in JavaScript and creates a scheduled task to execute JavaScript at 12:00 p.m. on Tuesday and Wednesday of every week as shown in the below screenshot.

 

 

Functionality:

The JavaScript downloads the updated QakBot form ebook[.]w3wvg.com/datacollectionservice.php3 and executes it. The downloading payload is encrypted and the script decrypts it before dropping it into the system and stealing the following information from the victim’s machine:

  • IP address
  • Hostname
  • Username
  • OS Version
  • Banking credentials

It uses WebInject to alter communication between the victim’s machine and banking websites and steals the credentials.

Apart from this, we have analyzed the POST network activity in QakBot and it is using HTTPS or SSL/TLS traffic to 96.227.122.123 with no associated domain.

 

Conclusion

QakBot malware is not new—we know it has been active for at least 13 years. But it is ever-evolving and uses different mechanisms and methods to infect machines and to evade detection. The Zscaler ThreatLabZ team is continuously monitoring these types of cyberattacks to keep our customers safe. 


Sandbox detection:

 

In addition to sandbox detections, the Zscaler Cloud Security Platform detects indicators at various levels:

VBA.Downloader.Qakbot
https://threatlibrary.zscaler.com/threats/7c716d69-474b-4d81-b67f-54d8db2b1412/

Win32.Banker.Qakbot
https://threatlibrary.zscaler.com/threats/dc8c9559-b57c-4358-8707-4100137ed1db

 

Indicators of Compromise:

Archive source URL:

URLMd5
8bmskg.sn.files.1drv.com5516505b431014e7e1239559a3d69d08
g1wf8w.dm.files.1drv.comffd16da51c2faf80d4787e9f707585e9
public.sn.files.1drv.comd2ce5e5f9b0e62f825fbe52f3671b6f9
g1xquw.dm.files.1drv.comb0abe47be307b67cdc0b53715a9d54b8
g1wf8w.dm.files.1drv.combf4699a1c0653150ebfa36532b2ce67e
di2szw.ch.files.1drv.comf2ad83b93ca5099a71e334e06ccee60b
8bmskg.sn.files.1drv.com71fac0d7b0af2be4cd9d1a79faab96d0
di1jlq.ch.files.1drv.com2b43ab02f13b6ccea9c0d5fe37739113
rh6zdw.by.files.1drv.come6bea2f73828b56e14b2107f5f22defa
pr6zdw.by.files.1drv.com9caaa51ec65ab3018b4c512fae441347
gofjig.dm.files.1drv.comaf9a57237aa3b24ec88fe2658538ac1f
ztmjyq.sn.files.1drv.com71e6e0049337764cb2bfd7f1d3a01f34
qb6zdw.by.files.1drv.com65ffdf05ecaf70b412c7953e487afb70
grieche.apptec24.com93274854c7ed4ee6f5c9fe7384cd2106
9.kamstore.com.ua44a7f5101b54df759a895cc3996703fe


Newly registered domains to serve the QakBot payload:

  • econspiracy[.]se/evolving/888888.png
  • blog.buatvideomu[.[.]com/wp-content/uploads/2020/04/last/444444.png
  • intermed19[.]com/wp-content/themes/calliope/previous/444444.png.
  • greenmagicbd[.]com/wp-content/themes/calliope/previous/444444.png
  • y-sani[.]com/docs_bcx/55555.png
  • tianmaouae[.]com/docs_9qu/55555.png
  • dctechdelhi[.]com/wp-content/plugins/advanced-ads-genesis/previous/444444
  • themmacoach[.]com/wp-content/uploads/2020/04/docs_cv0/55555.png
     

QakBot Md5:

ee360e519957018391a31808e4f4448e

QakBot C&C :

ebook[.]w3wvg.com/datacollectionservice.php3

masson[.]prodigyprinting.com/datacollectionservice.php3







 



Suggested Blogs