QAKBOT: A decade-old malware still with new tricks

Product / Version includes:

OfficeScanXG , Apex One2019 , Deep Discovery InspectorAll , Worry-Free Business Security Advanced10.0 , Worry-Free Business Security Standard10.0 , ScanMail for Exchange14.0 , Deep Security12.0 , Deep Discovery Email InspectorAll

Last updated: 2021/08/28

Solution ID: KA-0011282

Category: Remove a Malware / Virus

Summary

QAKBOT, also known as QBOT, is a banking Trojan that had been discovered in 2007. Its main purpose is to steal banking credentials and other financial information. It continuously evolves with variants having worm-like capabilities, able to drop additional malware, log user keystrokes, and create a backdoor to compromised machines. It also uses advance or new techniques to evade detection and protect itself from manual analysis.

In the resurgence of QAKBOT, it was found to be dropped by other malware such as EMOTET, or distributed via spam campaign using context-aware spam or emails that were disguised as a reply to a previous email thread. The mail content has a link to download a ZIP file or may include the file as an attachment. The content of the compressed file is a VBS file or a weaponized Office document which will drop and execute the QAKBOT payload. It will proceed to drop its component and a copy of itself to the compromised machine. It creates an autorun registry and scheduled task for its persistence. It also injects itself to an explorer.exe process. If it has successful connection to the C&C server, it will able to send the stolen credentials information, able to extracts email threads from Outlook clients, remote access the compromised machine, and could be used to drop other malware such as PROLOCK ransomware.

Behaviour

Steals banking credentials and other financial information
Uses anti-analysis and anti-debug techniques
Drops copy of itself and components to compromised machine
Creates autorun registry and scheduled task for persistence
Deliver other malware payload such as PROLOCK ransomware

Capabilities

Information Theft
Backdoor commands

Impact

Violation of user privacy - gathers user credentials, logs keystroke and steals user information
Compromise system security - with backdoor capabilities that can execute malicious commands
Regional Impact (September 2020)

REGION EUROPE JAPAN AMERICAS APAC N-ASIA AMEA
CUSTOMER CASE COUNT 186 5 33 2 3 1
REGION EMEA JAPAN NABU LAR APAC
SPN VSAPI FEEDBACK 224,502 128 617 15 1,573

REGION	EUROPE	JAPAN	AMERICAS	APAC	N-ASIA	AMEA
CUSTOMER CASE COUNT	186	5	33	2	3	1
REGION	EMEA	JAPAN	NABU	LAR	APAC
SPN VSAPI FEEDBACK	224,502	128	617	15	1,573

Additional Threat Reference Information

Sample Spam

Below are samples of context-aware spam or emails that are disguised as delivery emails, which are replies to existing email threads.

cid:image011.jpg@01D698CE.958C8EB0

cid:image012.jpg@01D698CE.958C8EB0

Sample Attachment

This has a hidden sheet with a MACRO script hidden by changing font color to the background.

cid:image013.jpg@01D698CE.958C8EB0

cid:image014.jpg@01D698CE.958C8EB0

Infection Chain

cid:image001.png@01D69AF0.D9370AE0

MITRE ATT&CK Matrix

BEHAVIOR	TACTIC	TECHNIQUE
Mail arrives with an attachment or a link of a ZIP file that contains a VBS or an Office document file	Initial Access	T1566.001 Phishing: Spearphishing Attachment T1566.002 Phishing: Spearphishing Link
Victim is lured into opening the VBS file or an Office document with Macro	Execution	T1204.002 User Execution: Malicious File
Script will download and execute the payload	Execution	T1059.005 Command and Scripting Interpreter: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell
Downloaded VBS file or Office document has obfuscated script to prevent manual analysis. It also has anti-analysis and anti-debug features. It injects itself into an explorer.exe process.	Defense Evasion	T1027 Obfuscated Files or Information T1497 Virtualization/Sandbox Evasion T1480 Execution Guardrails T1055 Process Injection
Create autorun registry and scheduled task	Persistence	T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1053.005 Scheduled Task/Job: Scheduled Task
Steals banking credentials or other financial information and able to extracts email threads from Outlook clients	Discovery Collection Credential Access	T1082 System Information Discovery T1114.001 Email Collection: Local Email Collection T1539 Steal Web Session Cookie T1555.003 Credentials from Password Stores: Credentials from Web Browsers T1110 Brute Force
Connects to a C&C server	Command and Control	T1071.001 Application Layer Protocol: Web Protocols T1105 Ingress Tool Transfer
-	Exfiltration	T1048 Exfiltration Over Alternative Protocol

Available Solutions

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
Email Protection	Yes	AS Pattern 5698	September 30, 2020	-
URL Protection	Yes	In the Cloud	-	-
Advanced Threat Scan Engine (ATSE)	Yes	16.259.00	October 1, 2020	-
Predictive Learning (TrendX)	Yes	In the Cloud	-	Troj.Win32.TRX.XXPE50FFF036
File detection (VSAPI)	Yes	ENT OPR 16.257.00	October 1, 2020	Backdoor.Win32.QAKBOT.SMF1 Backdoor.Win32.QAKBOT.SMTHA Backdoor.Win32.QAKBOT.THIOIBO Backdoor.Win32.QAKBOT.TIGOCEM Trojan.VBS.QAKBOT.YAKFX Trojan.W97M.QAKBOT.AH Trojan.X97M.QAKBOT.AB Trojan.XF.QAKBOT.AA TrojanSpy.Win32.QAKBOT.TIGOCEK
Network Pattern	Yes	NCIP 1.14323.00	October 9, 2020	QAKBOT - Malicious Certificate - SSL - Variant 3
Behavioral Monitoring (AEGIS)	Yes	2.177.00	September 29, 2020	4560T

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

QAKBOT: A decade-old malware still with new tricks

QAKBOT: A decade-old malware still with new tricks

Product / Version includes:

Summary