Analytics Story: Qakbot

Date: 2022-11-14 ID: 0c6169b1-f126-4d86-8e4f-f7891007ebc6 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).

Why it matters

QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript TTP
Create Remote Thread In Shell Application Process Injection TTP
Disable Defender Spynet Reporting Disable or Modify Tools, Impair Defenses TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Hunting
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information, PowerShell Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Schtasks Run Task On Demand Scheduled Task/Job TTP
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 TTP
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities Anomaly
System User Discovery With Whoami System Owner/User Discovery Hunting
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter TTP
Windows App Layer Protocol Qakbot NamedPipe Application Layer Protocol Anomaly
Windows App Layer Protocol Wermgr Connect To NamedPipe Application Layer Protocol Anomaly
Windows Command Shell Fetch Env Variables Process Injection TTP
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses TTP
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Side-Loading In Calc DLL Side-Loading, Hijack Execution Flow TTP
Windows DLL Side-Loading Process Child Of Calc DLL Side-Loading, Hijack Execution Flow Anomaly
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Masquerading Explorer As Child Process DLL Side-Loading, Hijack Execution Flow TTP
Windows Modify Registry Qakbot Binary Data Registry Modify Registry Anomaly
Windows MsiExec HideWindow Rundll32 Execution Msiexec, System Binary Proxy Execution TTP
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Windows Process Injection In Non-Service SearchIndexer Process Injection TTP
Windows Process Injection Of Wermgr to Known Browser Dynamic-link Library Injection, Process Injection TTP
Windows Process Injection Remote Thread Process Injection, Portable Executable Injection TTP
Windows Process Injection Wermgr Child Process Process Injection Anomaly
Windows Regsvr32 Renamed Binary Regsvr32, System Binary Proxy Execution TTP
Windows Schtasks Create Run As System Scheduled Task, Scheduled Task/Job TTP
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows System Discovery Using ldap Nslookup System Owner/User Discovery Anomaly
Windows System Discovery Using Qwinsta System Owner/User Discovery Hunting
Windows WMI Impersonate Token Windows Management Instrumentation Anomaly
Windows WMI Process Call Create Windows Management Instrumentation Hunting
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References

Source: GitHub | Version: 2