Description
QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2022-11-14
- Author: Teoderick Contreras, Splunk
- ID: 0c6169b1-f126-4d86-8e4f-f7891007ebc6
Narrative
QakBot notably made its way onto the CISA top malware list for 2021. For years QakBot has been under continuous improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike (ref. Cybersecurity ATT). The more recent campaigns utilize HTML smuggling to deliver an ISO container that holds a LNK file and the QakBot payload. QakBot will either load via regsvr32.exe directly, or it will attempt to perform DLL sideloading.
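To show what the regsvr32 part of that chain looks like from the defender's side, here is an added Python example (not part of the Splunk analytic story or its SPL) that runs a small detection pass over constructed Sysmon-style process-creation events and reports which of three regsvr32 analytics from this story each event would match. Field names mimic the Endpoint.Processes datamodel by assumption, and the list of suspicious DLL locations is an assumed heuristic.

```python
"""Detection pass over constructed Sysmon-style process events, modelling three of the
regsvr32 analytics in this story.  Added example; field names mimic Endpoint.Processes."""
import re

# Assumed list of places a legitimately registered COM server rarely lives: user
# profile folders, ProgramData, temp dirs, and the root of a non-system drive (ISO mount).
SUSPICIOUS_DLL_PATH = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\windows\\temp\\|\\temp\\|^[d-z]:\\[^\\]+\.dll$)", re.I)
SILENT_SWITCH = re.compile(r"(^|\s)[-/]s(?=\s|$)", re.I)   # /s or -s as its own token
DLL_ARGUMENT = re.compile(r'[a-z]:\\[^"<>|]*?\.dll\b', re.I)  # first drive-rooted .dll path


def regsvr32_findings(event):
    """Return the names of the story's regsvr32 analytics that one event matches."""
    on_disk = event["process_path"].rsplit("\\", 1)[-1].lower()
    pe_name = event.get("original_file_name", "").lower()
    cmdline = event["process"]
    if "regsvr32.exe" not in (on_disk, pe_name):
        return []                                   # not regsvr32 at all
    hits = []
    if pe_name == "regsvr32.exe" and on_disk != pe_name:   # PE header says regsvr32, file does not
        hits.append("Windows Regsvr32 Renamed Binary")
    if SILENT_SWITCH.search(cmdline):               # suppresses the DllRegisterServer dialog
        hits.append("Regsvr32 with Known Silent Switch Cmdline")
    dll = DLL_ARGUMENT.search(cmdline)
    if dll and SUSPICIOUS_DLL_PATH.search(dll.group(0)):
        hits.append("Suspicious Regsvr32 Register Suspicious Path")
    return hits


def triage(events):
    """Map process_id -> matched analytics, keeping only events with findings."""
    return {e["process_id"]: f for e in events if (f := regsvr32_findings(e))}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"process_id": 101, "process_path": r"C:\Windows\System32\regsvr32.exe",
     "original_file_name": "regsvr32.exe",
     "process": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\stage1.dll"'},
    {"process_id": 102, "process_path": r"C:\Users\alice\AppData\Roaming\svch.exe",
     "original_file_name": "regsvr32.exe", "process": r"svch.exe -s D:\qb.dll"},  # DLL on ISO mount
    {"process_id": 103, "process_path": r"C:\Windows\System32\regsvr32.exe",
     "original_file_name": "regsvr32.exe",
     "process": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"process_id": 104, "process_path": r"C:\Windows\notepad.exe",
     "original_file_name": "notepad.exe", "process": "notepad.exe"},
]
```

Event 103 shows why the silent-switch analytic is typed Anomaly rather than TTP in the table: a benign registration of a System32 DLL trips it, and only the path and renamed-binary checks separate it from the two QakBot-like events.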
Detections
| Name | Technique | Type |
| --- | --- | --- |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP |
| Create Remote Thread In Shell Application | Process Injection | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| NLTest Domain Trust Discovery | Domain Trust Discovery | TTP |
| Network Connection Discovery With Arp | System Network Connections Discovery | Hunting |
| Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting |
| Network Discovery Using Route Windows App | System Network Configuration Discovery, Internet Connection Discovery | Hunting |
| Office Application Spawn Regsvr32 process | Phishing, Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Phishing, Spearphishing Attachment | TTP |
| Process Creating LNK file in Suspicious Location | Phishing, Spearphishing Link | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Regsvr32 with Known Silent Switch Cmdline | System Binary Proxy Execution, Regsvr32 | Anomaly |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Schtasks Run Task On Demand | Scheduled Task/Job | TTP |
| Services LOLBAS Execution Process Spawn | Create or Modify System Process, Windows Service | TTP |
| Suspicious Copy on System32 | Rename System Utilities, Masquerading | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Suspicious Regsvr32 Register Suspicious Path | System Binary Proxy Execution, Regsvr32 | TTP |
| System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | Anomaly |
| System User Discovery With Whoami | System Owner/User Discovery | Hunting |
| Wermgr Process Spawned CMD Or Powershell Process | Command and Scripting Interpreter | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |
| Windows App Layer Protocol Qakbot NamedPipe | Application Layer Protocol | Anomaly |
| Windows App Layer Protocol Wermgr Connect To NamedPipe | Application Layer Protocol | Anomaly |
| Windows Command Shell Fetch Env Variables | Process Injection | TTP |
| Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation |
| Windows DLL Search Order Hijacking Hunt with Sysmon | DLL Search Order Hijacking, Hijack Execution Flow | Hunting |
| Windows DLL Side-Loading In Calc | DLL Side-Loading, Hijack Execution Flow | TTP |
| Windows DLL Side-Loading Process Child Of Calc | DLL Side-Loading, Hijack Execution Flow | Anomaly |
| Windows Defender Exclusion Registry Entry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting |
| Windows Masquerading Explorer As Child Process | DLL Side-Loading, Hijack Execution Flow | TTP |
| Windows Modify Registry Qakbot Binary Data Registry | Modify Registry | Anomaly |
| Windows MsiExec HideWindow Rundll32 Execution | Msiexec, System Binary Proxy Execution | TTP |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment, Phishing | Hunting |
| Windows Process Injection In Non-Service SearchIndexer | Process Injection | TTP |
| Windows Process Injection Of Wermgr to Known Browser | Dynamic-link Library Injection, Process Injection | TTP |
| Windows Process Injection Remote Thread | Process Injection, Portable Executable Injection | TTP |
| Windows Process Injection Wermgr Child Process | Process Injection | Anomaly |
| Windows Regsvr32 Renamed Binary | Regsvr32, System Binary Proxy Execution | TTP |
| Windows Schtasks Create Run As System | Scheduled Task, Scheduled Task/Job | TTP |
| Windows Service Created with Suspicious Service Path | System Services, Service Execution | TTP |
| Windows System Discovery Using Qwinsta | System Owner/User Discovery | Hunting |
| Windows System Discovery Using ldap Nslookup | System Owner/User Discovery | Anomaly |
| Windows WMI Impersonate Token | Windows Management Instrumentation | Anomaly |
| Windows WMI Process Call Create | Windows Management Instrumentation | Hunting |
Reference
source | version: 2