Qakbot, a top trojan for stealing bank credentials, has in the past year started delivering ransomware and this new business model is making it harder for network defenders to detect what is and isn't a Qakbot attack.
Qakbot, is an especially versatile piece of malware, and has been around for over a decade and survived despite multi-year efforts by Microsoft and other security firms to stamp it out. Qakbot in 2017 adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute forcing Active Directory accounts and using the SMB file-sharing protocol to create copies of itself.
Kaspersky's recent analysis of Qakbot concluded that it won't disappear anytime soon. Its detection statistics for Qakbot indicated it had infected 65% more PCs between January to July 2021 compared to the same period in the previous year. So, it is a growing threat.
Microsoft highlights that Qakbot is modular, allowing it to appear as separate attacks on each device on a network, making it difficult for defenders and security tools to detect, prevent and remove. It's also difficult for defenders to detect because Qakbot is used to distribute multiple variants of ransomware.
"Due to Qakbot's high likelihood of transitioning to human-operated attack behaviors including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely," the Microsoft 365 Defender Threat Intelligence Team say in its report.
Given these difficulties pinpointing a common Qakbot campaign, the Microsoft team has profiled the malware's techniques and behaviors to help security analysts root out this versatile malware.
The primary delivery mechanism is emailed attachments, links, or embedded images. However, it's also known to use Visual Basic for Applications (VBA) macros as well as legacy Excel 4.0 macros to infect machines. TrendMicro analyzed a large Qakbot campaign in July that used this technique.
Other groups like Trickbot recently started using Excel 4.0 macros to call Win32 APIs and run shell commands. As a result, Microsoft disabled these macro types by default, but Qakbot uses text in an Excel document to trick targets into manually enabling the macro.
Qakbot employs process injection to hide malicious processes, creating scheduled tasks to persist on a machine, and manipulating the Windows registry.
Once running on an infected device, it uses multiple techniques for lateral movement, employs the Cobalt Strike penetration-testing framework, or deploys ransomware.
The FBI last year warned that Qakbot trojans were delivering ProLock, a "human-operated ransomware" variant. It was a worrying development because computers infected with Qakbot on a network must be isolated because they're a bridge for a ransomware attack.
Microsoft notes MSRA.exe and Mobsync.exe have been used by Qakbot for this process injection in order to run several network 'discovery' commands and then steal Windows credentials and browser data.
Qakbot's Cobalt Strike module lends itself to other criminal gangs who can drop their own payloads, such as ransomware. Per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).
"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft notes.
"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor."
Microsoft's recommended mitigations to minimize Qakbot's impact include enabling Office 365 phishing protection, enabling SmartScreen and network in the Edge browser, and ensuring runtime macro scanning by turning Windows Antimalware Scan Interface (AMSI) on.
AMSI is supported by Microsoft Defender antivirus and several third-party antivirus vendors. AMSI support for Excel 4.0 macros arrived in March, so it's still a relatively new feature.