Qakbot Infostealer

Share On Facebook
Share On Twitter
Share On Linkedin

On 3 August, security researcher Brad Duncan reported a malicious spam (malspam) campaign1 that used compressed Visual Basic Script (VBScript) files to deliver Qakbot malware.

Qakbot, also known as Qbot, is an information stealer (infostealer) that can steal a victim’s credentials, banking information, and files. Qakbot includes worm capabilities that allow it to spread itself to other systems on the same network, as well as rootkit capabilities that help to hide its presence and establish persistence on infected clients.

The malspam emails in this Qakbot campaign used a variety of seemingly unrelated lures that all enticed the recipient to click a link labeled “OPEN THE DOCUMENT”. These links led to compromised websites hosting compressed archives that contained malicious VBScript files. This differs from the last Qakbot campaign we reported on, which used Microsoft OneDrive to host compressed archives that contained malicious Microsoft Word documents.2

When the victim extracts and opens the malicious VBScript contained within the ZIP file, it will download and execute the Qakbot payload. The payload URLs in this campaign used a different filename (8888888.png) than the ones Qakbot used between December 2019 and April 2020 (44444.png and 444444.png). Despite their PNG file extensions, these Qakbot payloads are always Windows executable (EXE) files.

When Qakbot is executed, it remains inactive for a variable number of minutes in order to evade sandbox detection. Once active, it opens an instance of explorer.exe and injects the QakBot dynamic link libraries (DLLs) into the process. It then attempts to cover its tracks by overwriting the original contents of the malware with one of several legitimate Windows executables.

Once Qakbot finishes trying to cover its tracks, it creates a registry entry that will automatically launch the malware every time the computer boots up. It also creates recurring tasks to ensure that the malware is still running and has not been removed.

After establishing persistence, Qakbot begins to steal the victim’s information and transmits the stolen data to its command and control (C2) servers. It also attempts to spread itself to other systems via network shares and removable drives.

Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.

Endnotes

  1. http://malware-traffic-analysis.net/2020/08/03/index.html
  2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–68

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×