Analytics Story: Qakbot

Description

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).

Why it matters

QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.

Windows Common Abused Cmd Shell Risk Behavior

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
2  WHERE source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*")
3  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
4| `drop_dm_object_name(All_Risk)`
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| where source_count >= 4
8| `windows_common_abused_cmd_shell_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Suspicious Copy on System32 Rename Legitimate Utilities Anomaly
Windows Process Injection In Non-Service SearchIndexer Process Injection TTP
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Windows Process Injection Of Wermgr to Known Browser Dynamic-link Library Injection TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task Anomaly
System User Discovery With Whoami System Owner/User Discovery Hunting
Disable Defender Spynet Reporting Disable or Modify Tools TTP
Windows WMI Process Call Create Windows Management Instrumentation Hunting
Windows Masquerading Explorer As Child Process DLL TTP
CMD Carry Out String Command Parameter Windows Command Shell Hunting
Windows DLL Side-Loading In Calc DLL TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Regsvr32 with Known Silent Switch Cmdline Regsvr32 Anomaly
Services LOLBAS Execution Process Spawn Windows Service TTP
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder TTP
Windows Office Product Loading VBE7 DLL Spearphishing Attachment Anomaly
Windows MsiExec HideWindow Rundll32 Execution Msiexec TTP
Suspicious Regsvr32 Register Suspicious Path Regsvr32 TTP
Windows WMI Impersonate Token Windows Management Instrumentation Anomaly
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Hunting
Windows Process Injection Wermgr Child Process Process Injection Anomaly
Windows System Discovery Using ldap Nslookup System Owner/User Discovery Anomaly
Schtasks Run Task On Demand Scheduled Task/Job Anomaly
Windows Modify Registry Qakbot Binary Data Registry Modify Registry Anomaly
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Windows Process Execution in Temp Dir Match Legitimate Resource Name or Location, Create or Modify System Process Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Network Discovery Using Route Windows App Internet Connection Discovery Hunting
Windows DLL Side-Loading Process Child Of Calc DLL Anomaly
Create Remote Thread In Shell Application Process Injection TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
Windows Cmdline Tool Execution From Non-Shell Process JavaScript Anomaly
Windows List ENV Variables Via SET Command From Uncommon Parent Process Injection Anomaly
Windows Office Product Spawned Uncommon Process Spearphishing Attachment TTP
Windows Defender Exclusion Registry Entry Disable or Modify Tools TTP
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment Hunting
Windows Service Created with Suspicious Service Name Service Execution Anomaly
Windows Schtasks Create Run As System Scheduled Task TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Windows Service Created with Suspicious Service Path Service Execution TTP
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Process Creating LNK file in Suspicious Location Spearphishing Link Anomaly
Windows System Discovery Using Qwinsta System Owner/User Discovery Hunting
Windows ISO LNK File Creation Malicious Link, Spearphishing Attachment Hunting
Windows Process Injection Remote Thread Portable Executable Injection TTP
System Processes Run From Unexpected Locations Rename Legitimate Utilities Anomaly
Recon Using WMI Class PowerShell, Gather Victim Host Information Anomaly
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Windows Regsvr32 Renamed Binary Regsvr32 TTP
Windows App Layer Protocol Wermgr Connect To NamedPipe Application Layer Protocol Anomaly
Windows App Layer Protocol Qakbot NamedPipe Application Layer Protocol Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 8 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Sysmon EventID 10 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 Windows icon Windows XmlWinEventLog XmlWinEventLog:System
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References


Source: GitHub | Version: 3