Qakbot Trojan (alias QBot or Pinkslipbot)

It has been reported that a new trojanized malware, named “Qakbot(a)” is being distributed across the globe. Qakbot is a malware that can steal sensitive information, and valuable data, and cause financial loss.

Usually, Spam or phishing emails containing malicious URL links marked the initiation of QakBot infections.

Infection Mechanism:

Through Qakbot, by exploiting a DLL hijacking vulnerability in the Windows 10 WordPad program, cybercriminals can compromise systems while avoiding detection by security software.

As observed Qakbot is spreading through malicious emails that contain a link to download a file. When the user clicks the link, a ZIP archive is fetched from a remote host at random. The archive contains two files: document.exe (which is the executable file for Windows 10 WordPad) and edputil.dll (which is used for DLL hijacking purpose).

Upon launching document.exe, it automatically seeks to load a legitimate DLL file known as edputil.dll. However, there is no specific folder check when the executable attempts to load edputil.dll. Instead, it loads any DLL with the same name found in the same directory as the document.exe executable.

The vulnerability enables threat actors to engage in DLL hijacking by crafting a malicious version of edputil.dll and placing it in the same folder as document.exe. Consequently, the malicious DLL is loaded in place of the legitimate one. This facilitates QBot's inconspicuous background operation, where it quietly pilfers emails for use in subsequent phishing attacks and, ultimately, downloads additional payloads such as Cobalt Strike.

Indicator of Compromise:

SHA1:

• 75b2593da627472b1c990f244e24d4e971c939e7 (aficionado.tmp)
• 3a852c006085d0ce8a18063e17f525e950bb914c (cob_54.dll)

Associated Domains:

• jesofidiwi[dot]com (Cobalt Strike C2)
• dimingol[dot]com (Cobalt Strike-related domain used for DNS exfiltration)
• tevokaxol[dot]com (Cobalt Strike C2)

Associated IPs:

• 108.177.235[.]29
• 144.202.42[.]216

For more detailed list of IoC, kindly refer the below URL:

• https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies

Removal tools:

CSK Free Bot Removal Tool (FBRT) utility may be used to detect and remove specific malware/viruses from your affected Windows digital devices.

• https://www.csk.gov.in/security-tools.html

Countermeasures:

• Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only. Users must be aware while clicking on links during web search
• Update software and operating systems with the latest patches. Outdated applications and operating systems are the targets of most attacks.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
• Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
• Prohibit external FTP connections and blacklist downloads of known offensive security tools.
• All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches available in any unofficial channel.
• Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
• Users are advised to disable their RDP if not in use, if required, it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
• Consider encrypting the confidential data as the ransomware generally targets common file types.
• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
• Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.

References:

• https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices
• https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies