2023-08-10

Qakbot: A Reliable Malware of Adaptability

Level: Tactical | Source: Zscaler | Global


Category: Malware Campaign | Industry: Global | Source: Zscaler

The Qakbot banking trojan, active since 2007, has proven to be a prolific malware family, evolving its modular design to suit attackers' objectives, whether credential theft or serving as a backdoor to facilitate further intrusions. Qakbot's continued evolution in 2023 is evident in its incorporation of OneNote into its attack chain, a response to Microsoft's disabling of macros by default. Zscaler's ThreatLabz team reported an analysis of Qakbot's intrusions and trends, giving tactical insights into Qakbot's activity through three case studies. Although Qakbot distribution appears to have slowed since June 2023, it will inevitably pick up again. Implementing defensive strategies while Qakbot is on hiatus is vital to keep pace with its ever-changing tactics, as demonstrated by its use of "different abusable file formats, including pdf, html, xhtml (eXtended HTML), wsf (Windows Script File), js (Javascript), ps (Powershell), xll (Excel add-in), hta (HTML Application), xmlhttp, etc., in its attack chain to infect users," as Zscaler shared.

The attack chains used by Qakbot between March and May 2023 all used phishing and spam email to deliver an HTML file for HTML smuggling, a malicious PDF document, or a OneNote file. These documents, posing as invoices or reports, fetch the attacker's initial payloads, often a zip archive containing Microsoft Excel add-ins (XLL), WSF, or HTA files. Alternatively, in an attack chain with OneNote, the attackers download an MSI installer, disguising the payload as a Microsoft Azure installer. Once the initial payload is delivered, Qakbot leverages living-off-the-land binaries (LOLBins) to execute it, using various forms of stealth, to ultimately download the final-stage Qakbot DLL and initiate command and control (C2) communication.

Prior to Qakbot's hibernation, its attack chain adopted a notable evasion tactic observed by Zscaler involving the use of conhost.exe. "In this attack chain, Qakbot takes advantage of conhost.exe as a proxy binary to bypass defensive measures. By employing conhost.exe, Qakbot attempts to outwit security counter-measures that restrict the use of typical command-line interpreters. This enables the threat actor to execute commands using various Windows utilities, creating a clever diversion," as explained by Zscaler. A review of Qakbot's C2 infrastructure found that malware activity was highest during March and April, with Germany, the United States, and Brazil being standout targets. The reason for the decline in Qakbot's activity is unknown; however, the threat actors will undoubtedly resume operations.
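The conhost.exe proxy tactic above is detectable from process lineage: conhost.exe is a normal child of cmd.exe or powershell.exe, but it is not a normal parent of rundll32.exe, mshta.exe or similar utilities. The following added example (not code from the Zscaler report) runs that check over constructed Sysmon-style process-creation records; the key=value log format and the watch-list of child utilities are assumptions to adapt to your own telemetry.

```python
import re

# Constructed Sysmon-style process-creation records (EventID 1) for
# illustration only; they are not real telemetry from the Zscaler report.
SAMPLE_EVENTS = [
    'EventID=1 ParentImage=C:\\Windows\\System32\\conhost.exe '
    'Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\Public\\inv.dll,DllRegisterServer"',
    # Normal lineage: an interpreter spawning conhost.exe is ubiquitous and benign.
    'EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe '
    'Image=C:\\Windows\\System32\\conhost.exe CommandLine="conhost.exe 0x4"',
    'EventID=1 ParentImage=C:\\Windows\\System32\\conhost.exe '
    'Image=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="mshta.exe C:\\Users\\Public\\report.hta"',
]

PROXY_PARENT = "conhost.exe"
# Assumed watch-list of utilities a proxied command might launch; tune to your estate.
WATCHED_CHILDREN = {
    "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "powershell.exe", "cmd.exe", "curl.exe", "msiexec.exe",
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse a key=value record into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_conhost_proxy(event):
    """True only when conhost.exe is the *parent* of a watched utility.

    conhost.exe as a child of cmd/powershell is normal; as a parent of
    rundll32/mshta/etc. it matches the proxy-execution pattern in the report.
    """
    return (
        event.get("EventID") == "1"
        and basename(event.get("ParentImage", "")) == PROXY_PARENT
        and basename(event.get("Image", "")) in WATCHED_CHILDREN
    )

def detect(lines):
    """Return (child name, command line) for every record matching the pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_conhost_proxy(event):
            hits.append((basename(event["Image"]), event.get("CommandLine", "")))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the rundll32.exe and mshta.exe launches and leaves the benign cmd.exe-to-conhost.exe record alone, which is the distinction that keeps this rule from firing on every console session.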
