| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | QakBot has collected usernames and passwords from Firefox and Chrome.[3] |
| Enterprise | T1005 | Data from Local System | QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.[2][3] |
| Enterprise | T1090.002 | Proxy: External Proxy | |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.[5][6] |
| Enterprise | T1112 | Modify Registry | QakBot can modify the Registry to store its configuration information in a randomly named subkey under |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | QakBot can remotely create a temporary service on a target host.[7] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | QakBot can use domain generation algorithms in C2 communication.[8] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | QakBot has the ability to use DLL side-loading for execution.[9] |
| Enterprise | T1572 | Protocol Tunneling | The QakBot proxy module can encapsulate the SOCKS5 protocol within its own proxy protocol.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | QakBot can deobfuscate and re-assemble code strings for execution.[10][4][3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | QakBot can maintain persistence by creating an auto-run Registry key.[8][11][1][5] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | QakBot can use PowerShell to download and execute payloads.[5] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[11][4][3][6] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | QakBot can use VBS to download and execute malicious files.[8][12][11][1][10][5][6] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | The QakBot web inject module can inject JavaScript into web banking pages visited by the victim.[3][6] |
| Enterprise | T1482 | Domain Trust Discovery | QakBot can run |
| Enterprise | T1120 | Peripheral Device Discovery | QakBot can identify peripheral devices on targeted systems.[8] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[5] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[8][11][3] |
| Enterprise | T1010 | Application Window Discovery | QakBot has the ability to enumerate windows on a compromised host.[4] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | QakBot has stored stolen emails and other data into new folders prior to exfiltration.[12] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | QakBot can Base64 encode system information sent to C2.[11][3] |
| Enterprise | T1083 | File and Directory Discovery | QakBot can identify whether it has been run previously on a host by checking for a specified folder.[4] |
| Enterprise | T1110 | Brute Force | QakBot can conduct brute force attacks to capture credentials.[12][11][3] |
| Enterprise | T1106 | Native API | QakBot can use |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | QakBot can use |
| Enterprise | T1185 | Browser Session Hijacking | QakBot can use advanced web injects to steal web banking credentials.[10][3] |
| Enterprise | T1027 | Obfuscated Files or Information | QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[10] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | QakBot can make small changes to itself in order to change its checksum and hash value.[11][10] |
| Enterprise | T1027.006 | Obfuscated Files or Information: HTML Smuggling | QakBot has been delivered in ZIP files via HTML smuggling.[6][9] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | QakBot can store its configuration information in a randomly named subkey under |
| Enterprise | T1204.001 | User Execution: Malicious Link | QakBot has gained execution through users opening malicious links.[8][12][1][4][3][5][6] |
| Enterprise | T1204.002 | User Execution: Malicious File | QakBot has gained execution through users opening malicious attachments.[8][12][11][1][10][4][3][5][9][13] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[12][1][3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | QakBot can delete folders and files, including overwriting its executable with legitimate programs.[12][11][4][5] |
| Enterprise | T1539 | Steal Web Session Cookie | QakBot has the ability to capture web session cookies.[12][3] |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | QakBot can use MSIExec to spawn multiple cmd.exe processes.[11] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | QakBot can use Regsvr32 to execute malicious DLLs.[2][10][4][6][7][9] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | QakBot has used Rundll32.exe to drop malicious DLLs, including Brute Ratel C4, and to enable C2 communication.[11][2][10][4][6] |
| Enterprise | T1082 | System Information Discovery | QakBot can collect system information, including the OS version and domain, on a compromised host.[11][4][5][13] |
| Enterprise | T1033 | System Owner/User Discovery | QakBot can identify the user name on a compromised system.[3][6] |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | QakBot can use |
| Enterprise | T1016 | System Network Configuration Discovery | QakBot can use |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | QakBot can measure the download speed on a targeted host.[3] |
| Enterprise | T1135 | Network Share Discovery | QakBot can use |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[8][4] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | The QakBot dropper can delay dropping the payload to evade detection.[10][3] |
| Enterprise | T1518 | Software Discovery | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | QakBot can identify the installed antivirus product on a targeted system.[11][4][3] |
| Enterprise | T1105 | Ingress Tool Transfer | QakBot has the ability to download additional components and malware.[8][11][1][10][3][5] |
| Enterprise | T1056.001 | Input Capture: Keylogging | QakBot can capture keystrokes on a compromised host.[12][1][3] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055 | Process Injection | QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe, and wermgr.exe.[8][12][1][3][6] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | QakBot can use process hollowing to execute its main payload.[4] |
| Enterprise | T1210 | Exploitation of Remote Services | QakBot can move laterally using worm-like functionality through exploitation of SMB.[11] |
| Enterprise | T1018 | Remote System Discovery | QakBot can identify remote systems through the |
| Enterprise | T1041 | Exfiltration Over C2 Channel | QakBot can send stolen information to C2 nodes, including passwords, accounts, and emails.[3] |
| Enterprise | T1091 | Replication Through Removable Media | QakBot has the ability to use removable drives to spread through compromised networks.[8] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | QakBot has spread through emails with malicious attachments.[8][12][1][10][4][3][5][9][13] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | QakBot has spread through emails with malicious links.[8][12][1][4][3][5][6] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | |
| Enterprise | T1095 | Non-Application Layer Protocol | QakBot has the ability to use TCP to send or receive C2 packets.[3] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | QakBot has the ability to create scheduled tasks for persistence.[8][12][11][1][2][10][3][5] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | |
| Enterprise | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | QakBot has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures.[6] |