Qakbot, a widely used trojan originally built to steal bank credentials, has recently started delivering ransomware, making it harder for network defenders to tell which intrusions are and are not a Qakbot attack.
Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived multi-year efforts by Microsoft and other security firms to eliminate it. In 2017 it adopted worm-like lateral-movement techniques of the kind WannaCry used, such as infecting every reachable network share and drive, brute-forcing Active Directory accounts, and copying itself to other hosts over the SMB file-sharing protocol.
According to Kaspersky's recent analysis of Qakbot, it is unlikely to go away any time soon. Kaspersky's detection statistics show that Qakbot infected 65 per cent more PCs between January and July 2021 than in the same period of the previous year, so the threat is growing rather than fading.
Qakbot is modular, Microsoft notes, so the infection on each device in a network can look like a distinct attack, which makes it hard for defenders and security tools to identify, block and remove.
The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely."
Given the difficulty in identifying a common Qakbot campaign, the Microsoft team has profiled the malware's approaches and behaviours to aid security analysts in detecting it.
Emailed attachments, links and embedded images are its most common distribution methods. It is also known to infect machines through Office documents carrying Visual Basic for Applications (VBA) macros or legacy Excel 4.0 (XLM) macros. In July, Trend Micro analysed a significant Qakbot campaign that used this tactic.
Once running, Qakbot hides its malicious code by injecting it into other processes, creates scheduled tasks so that it survives reboots, and modifies the Windows registry.
Once established on an infected system, it uses a variety of lateral movement techniques and can bring in the Cobalt Strike penetration-testing framework and, ultimately, ransomware.
Last year, the FBI warned that Qakbot infections were being used to spread ProLock, a strain of "human-operated ransomware". That was a worrying finding, because it means any Qakbot-infected machine on a network has to be isolated: it serves as the bridge into a ransomware attack.
Microsoft noted that Qakbot has injected itself into MSRA.exe and Mobsync.exe and used those processes to run network 'discovery' commands and to steal Windows credentials and browser data.
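The behaviours Microsoft profiles above (injection into MSRA.exe and Mobsync.exe, scheduled-task persistence, registry changes) are concrete enough to hunt for on a live host. The PowerShell below is an added example written for this article, not code from Microsoft's report or from Qakbot itself; the process names come from the report, while the "user-writable path" and LOLBin heuristics, thresholds and column names are my own assumptions and will need tuning for a given estate.

```powershell
# Added example: live-response hunt for the Qakbot behaviours described in the article.
# Not Microsoft's or the article's code; heuristics below are assumptions, not Qakbot IOCs.

# 1. Injection hosts. msra.exe (Remote Assistance) and mobsync.exe (Sync Center) have no
#    normal reason to hold established outbound TCP connections; one from either process
#    is a strong hint that code has been injected into it.
$injectionHosts = @('msra', 'mobsync')          # Get-Process .Name carries no .exe suffix

function Get-SuspiciousInjectionHost {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $injectionHosts -contains $proc.Name) {
            $wmi = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
            [pscustomobject]@{
                Process    = $proc.Name
                PID        = $proc.Id
                ParentPID  = $wmi.ParentProcessId   # who spawned it is usually the real story
                RemoteAddr = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
    }
}

# 2. Persistence. Flag scheduled tasks and Run-key entries whose command points into a
#    user-writable location (assumed pattern), and note when the command goes through a
#    LOLBin such as regsvr32/rundll32, a common way to persist a dropped DLL.
$userWritable = 'AppData|\\Temp\\|ProgramData|\\Users\\Public|Downloads'
$lolbins      = 'regsvr32|rundll32|mshta|wscript|cscript|powershell'

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $userWritable) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    RunsAs  = $task.Principal.UserId
                    LOLBin  = [bool]($action.Execute -match $lolbins)
                    Command = $cmd
                    LastRun = ($task | Get-ScheduledTaskInfo).LastRunTime
                }
            }
        }
    }
}

function Get-SuspiciousRunKey {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            if ("$($prop.Value)" -match $userWritable) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    LOLBin  = [bool]("$($prop.Value)" -match $lolbins)
                    Command = $prop.Value
                }
            }
        }
    }
}

# Run the three checks; empty output for all three is the expected result on a clean host.
Get-SuspiciousInjectionHost | Format-Table -AutoSize
Get-SuspiciousScheduledTask | Format-Table -AutoSize
Get-SuspiciousRunKey        | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on Windows 8 or later (it relies on the NetTCPIP and ScheduledTasks modules). The injection check is the high-signal one; the persistence checks are deliberately broad and will surface legitimate per-user installers as well, so treat their output as a triage list rather than a verdict.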
Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. According to Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor and ProLock (2020), and Sodinokibi/REvil (2021).
"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted.
"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor."
Microsoft's recommended mitigations for reducing Qakbot's impact include turning on Office 365 phishing protection, enabling SmartScreen in the Edge browser and Microsoft Defender network protection, and ensuring runtime macro scanning by turning on the Windows Antimalware Scan Interface (AMSI).
AMSI is supported by Microsoft Defender Antivirus and by third-party antivirus vendors. AMSI scanning of Excel 4.0 macros was only added in March 2021, so it is still a new capability and worth verifying rather than assuming.
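The endpoint-side mitigations in that list can be applied and verified from PowerShell. The script below is an added example, not Microsoft's guidance verbatim or anything from the article: it uses the documented Defender cmdlet for network protection and the documented policy registry values for Edge SmartScreen and the Office macro runtime scan scope, and it adds one setting the article does not mention, blocking macros in Office files that arrived from the internet, because that is the usual first control against the macro-laden attachments described earlier. Office 365 phishing protection is a tenant-level setting and is out of scope here. The `16.0` Office version path is an assumption (Office 2016 and later, including Microsoft 365 Apps).

```powershell
# Added example: apply and verify the Qakbot mitigations from the article on one Windows
# host. Run elevated. Not Microsoft's own script; registry paths assume Office 2016+ (16.0).

# 1. Microsoft Defender network protection: blocks connections to known-bad domains/IPs.
Set-MpPreference -EnableNetworkProtection Enabled

# 2. SmartScreen in Microsoft Edge, enforced by policy so users cannot switch it off.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edgePolicy -Force | Out-Null
Set-ItemProperty -Path $edgePolicy -Name SmartScreenEnabled -Value 1 -Type DWord

# 3. AMSI runtime macro scanning. MacroRuntimeScanScope: 0 = off, 1 = low-trust documents
#    only (the default), 2 = every document. 2 is what you want against macro droppers;
#    the same policy governs the newer Excel 4.0 (XLM) scanning.
$officeSecurity = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $officeSecurity -Force | Out-Null
Set-ItemProperty -Path $officeSecurity -Name MacroRuntimeScanScope -Value 2 -Type DWord

# 4. Extra control not in the article: refuse to run macros in files that carry the
#    Mark-of-the-Web, i.e. documents downloaded or received as mail attachments.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $appSecurity = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $appSecurity -Force | Out-Null
    Set-ItemProperty -Path $appSecurity -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Verify: returns one object per control with the value actually in effect.
function Get-QakbotMitigationState {
    [pscustomobject]@{
        NetworkProtection   = (Get-MpPreference).EnableNetworkProtection        # 1 = Enabled
        EdgeSmartScreen     = (Get-ItemProperty $edgePolicy).SmartScreenEnabled # 1 = on
        MacroRuntimeScan    = (Get-ItemProperty $officeSecurity).MacroRuntimeScanScope  # 2 = all docs
        BlockInternetMacros = (Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security").blockcontentexecutionfrominternet
    }
}
Get-QakbotMitigationState
```

The HKCU policies apply to the user running the script; in a domain, push the same values through Group Policy (they are the registry backing of the "Macro Runtime Scan Scope" and "Block macros from running in Office files from the Internet" settings) so that every profile gets them. Verify with the final function after a sign-out or `gpupdate /force`, since Office reads the policy at start-up.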