Enterprotect

View Original

Qakbot Leveraging Compromised Websites for Initial Infiltration

Qakbot, a notorious banking Trojan, is now leveraging compromised trusted websites of small businesses to bypass email link scanning services, allowing it to serve malware after successfully phishing users via email. This advisory aims to provide insights into the threat, explain its significance, outline the exposure and risks it poses, and provide recommendations to mitigate the threat.

What is the Threat?

Qakbot, also known as Qbot or Pinkslipbot, is a sophisticated banking Trojan that has been active since 2008. It primarily targets banking credentials, personal information, and financial data. Qakbot is designed to perform various malicious activities, including keylogging, information theft, and downloading additional malware onto infected systems. In recent attacks, Qakbot has been employed as the initial access point, facilitating the infiltration of a network or system.

Why is it Noteworthy?

The current increase in the use of Qakbot for initial access is noteworthy due to several factors. First, Qakbot is now utilizing compromised trusted websites of small businesses as a delivery mechanism, enabling it to bypass email link scanning services that often detect malicious links. This technique enhances the success rate of phishing attempts and increases the chances of infecting unsuspecting users.

Second, the threat actors behind Qakbot are employing a multi-stage infection process. After successfully phishing users via email, they distribute a zip file containing Windows Script Files (.wsf) or JavaScript (.js) files. When executed, these files load the Qakbot Trojan onto the compromised system. Subsequently, Qakbot injects itself into the legitimate Windows Error Reporting process (wermgr.exe) to establish communication with command and control servers.

Furthermore, the threat actors are displaying an inclination towards lateral movement within the compromised environment. Shortly after gaining initial access, they attempt to pivot to other machines using rundll32.exe to invoke Cobalt Strike beacons on secure HTTPS channels. This lateral movement not only expands the reach of the attack but also increases the potential damage inflicted on targeted networks.

What is the Exposure or Risk?

The exposure and risks associated with Qakbot for initial access are significant. By successfully compromising a trusted website of a small business, Qakbot evades email link scanning services, making it difficult to detect and prevent phishing attempts. Once the user falls victim to the phishing email and executes the malicious attachment, Qakbot gains a foothold in the user's system.

Once established, Qakbot can perform various malicious activities, including but not limited to:

  1. Information Theft: Qakbot has the capability to steal sensitive information, such as banking credentials, personal data, and financial information. This can lead to financial loss, identity theft, and unauthorized access to personal accounts.

  2. Credential Harvesting: Qakbot is designed to harvest usernames and passwords stored on infected systems. This poses a significant risk as compromised credentials can be used to gain unauthorized access to other accounts or systems.

  3. Secondary Malware Installation: Qakbot has the ability to download and install additional malware onto infected systems. This can introduce other threats, such as ransomware or remote access trojans (RATs), further compromising the security and integrity of the network.

  4. Lateral Movement: After gaining initial access, Qakbot attempts to move laterally within the compromised environment. This can result in the compromise of additional machines, potentially leading to the exposure of sensitive data, disruption of operations, and financial losses.

What are the Recommendations?

To mitigate the risks associated with the increased use ofQakbot for initial access, Enterprotect recommends implementing the following measures:

  1. User Awareness and Education: Inform your users about the threat of Qakbot and the techniques used to deliver it. Educate them on how to identify phishing emails, suspicious attachments, and the importance of not executing files from untrusted sources. Remind users to be particularly aware of zip archives containing JavaScript or Windows Script Files masquerading as invoices or other documents.

  2. Block IoCs and DNS: To prevent communication with Qakbot's command and control servers, add the identified Indicators of Compromise (IoCs) and corresponding DNS entries to your firewall's blocklist. This will help prevent outbound connections and limit the impact of the malware.

    • IP Address IOCs

      • 172.107.98.3

      • 23.111.114.52 

      • 94.103.85.86 

      • 99.228.131.116 

      • 47.205.25.170 

      • 79.47.207.6 

    • Hostname IOCs

      • unassigned.psychz[.net] 

      • v1785516.hosted-by-vdsina[.ru]  

      • cpef02f74c848b8-cm30b7d4b9e4d0.sdns.net.rogers[.com] 

      • host-79-47-207-6.retail.telecomitalia[.it] 

  3. Implement Network Segmentation: Apply network segmentation strategies to isolate critical systems and limit the lateral movement of Qakbot within the environment. By partitioning the network into separate segments, you can control access and reduce the potential impact of a compromised system.

  4. Disable Windows Script Host (wscript.exe): Unless essential for specific software functionality, disable the Windows Script Host on user machines. Qakbot often leverages scripting capabilities to execute malicious code, and disabling this feature can help prevent its successful execution.

  5. Firewall Rules: Configure your firewall to block outbound communication to remote port 65400, which Qakbot servers have been known to listen on. By blocking this port, you can restrict communication channels used by the malware and minimize its ability to establish connections with external servers.

  6. Geoblocking: Consider implementing geoblocking measures on your firewall to restrict outbound connections to countries or regions associated with high-risk IP addresses. While this approach may interfere with legitimate software or services, it can help reduce exposure to malicious actors operating from specific geographic areas.

It is important to note that these recommendations are general best practices and should be tailored to fit your specific environment and security needs. Regularly update and patch all software and systems, maintain up-to-date antivirus and anti-malware solutions, and implement strong access controls and password management practices to further enhance your security posture.