Rewterz Threat Alert – Qakbot Spreads through VBS Files

Severity

Medium

Analysis Summary

Researchers observed increased use of a specific Qakbot variant across campaigns this year. The variant's initial infection vector is email: messages crafted to look like replies to an existing business thread ask the recipient to click a link to download an "attachment". The link points to a compromised website hosting a ZIP archive, and the archive contains a VBS file. When run, the VBS file downloads an executable, which is the final Qakbot payload.

The payload first performs anti-analysis and anti-VM checks, then establishes persistence through both a Registry Run key and a scheduled task. It also writes copies of itself to the filesystem and injects into multiple processes so that it stays memory resident. For C2 communication it uses both domain generation algorithms (DGA) and hardcoded C2 addresses. Researchers also note that, as with older Qakbot samples, the code contains hooks for additional routines that can be loaded through another component, such as a PowerShell routine that downloads further payloads.

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

SHA-256

  • 166442aca7750b45d10cdbdb372dd336a730a3033933a2a0b142d91462017fd2
  • b8b7b5df48840b90393a702c994c6fb47b7e40cfe3552533693149d9537eaef5

URL

  • hxxps[:]//besthack[.]co/differ/50160153/50160153[.]zip
  • hxxps[:]//besthack[.]co/differ/886927[.]zip

Remediation

  • Block all threat indicators at your respective controls (web proxy, mail gateway, endpoint).
  • Search for the IOCs in your environment: the SHA-256 hashes on endpoints and the URLs/domain in proxy and DNS logs.
  • Review Registry Run keys and scheduled tasks on hosts that contacted the listed URLs, since the payload uses both for persistence.
  • Treat emails that pose as replies to an existing thread and link to a downloadable ZIP archive as suspicious, especially when the archive contains a VBS file.
  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
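The following script is an added example of how to hunt for the indicators above, covering the "Indicators of Compromise" list and the "Search for IOCs in your environment" remediation step. It is not tooling from Rewterz or from the original research. It refangs the defanged URLs, matches proxy log lines by exact URL and by exact host, checks SHA-256 digests against the alert's hashes, and flags VBS members inside a ZIP, which is the delivery format the alert describes. The proxy log lines, the log format (timestamp, client IP, method, URL, status) and the ZIP contents are constructed for the example; the member name `Invoice_2020.vbs` is invented and is not a name from the campaign.

```python
"""Hunt for the Qakbot IOCs from this alert in proxy logs, file hashes and ZIPs.

Added example, not part of the original alert. Log lines, log format and the
sample ZIP are constructed; only the URLs and hashes come from the alert.
"""
import hashlib
import io
import re
import zipfile
from typing import Iterable, List, Tuple

# Indicators exactly as published in the alert (defanged).
DEFANGED_URLS = [
    "hxxps[:]//besthack[.]co/differ/50160153/50160153[.]zip",
    "hxxps[:]//besthack[.]co/differ/886927[.]zip",
]
SHA256_IOCS = {
    "166442aca7750b45d10cdbdb372dd336a730a3033933a2a0b142d91462017fd2",
    "b8b7b5df48840b90393a702c994c6fb47b7e40cfe3552533693149d9537eaef5",
}


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxps[:]//host[.]tld) back to its live form."""
    live = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lowercased host part of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower() if m else ""


def match_proxy_lines(lines: Iterable[str], defanged=DEFANGED_URLS) -> List[Tuple[int, str, str]]:
    """Return (line_no, match_type, value) for lines hitting an IOC URL or host.

    A full-URL match is reported as 'url'; any other request to the IOC host
    is reported as 'host'. Hosts are compared exactly, so a look-alike such as
    besthack.co.example.com does not match.
    """
    full_urls = {refang(u).lower() for u in defanged}
    hosts = {host_of(u) for u in full_urls}
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://\S+", line, flags=re.IGNORECASE)
        if not m:
            continue
        url = m.group(0).lower()
        if url in full_urls:
            hits.append((n, "url", url))
        elif host_of(url) in hosts:
            hits.append((n, "host", host_of(url)))
    return hits


def is_known_hash(digest: str) -> bool:
    """True if a hex SHA-256 digest (any case) is one of the alert's hashes."""
    return digest.strip().lower() in SHA256_IOCS


def scan_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Hash each file on disk and return (path, digest) for IOC matches."""
    hits = []
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        if is_known_hash(h.hexdigest()):
            hits.append((p, h.hexdigest()))
    return hits


def script_members(zip_bytes: bytes) -> List[str]:
    """Return member names ending in .vbs, the dropper format the alert describes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".vbs")]


def build_sample_zip() -> bytes:
    """Constructed ZIP standing in for a downloaded archive (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2020.vbs", "' constructed placeholder, not the real dropper\r\n")
        zf.writestr("readme.txt", "nothing here\r\n")
    return buf.getvalue()


# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = [
    "2020-06-02T09:12:01Z 10.0.0.15 GET https://example.org/index.html 200",
    "2020-06-02T09:12:44Z 10.0.0.15 GET https://besthack.co/differ/886927.zip 200",
    "2020-06-02T09:13:02Z 10.0.0.22 GET https://cdn.example.net/lib.js 304",
    "2020-06-02T09:14:10Z 10.0.0.15 GET https://besthack.co/differ/other.zip 404",
    "2020-06-02T09:15:00Z 10.0.0.31 GET https://besthack.co.example.com/ 200",
]

if __name__ == "__main__":
    for hit in match_proxy_lines(SAMPLE_LOG):
        print("proxy hit:", hit)
    print("vbs in sample zip:", script_members(build_sample_zip()))
```

Matching on the exact host rather than a substring is deliberate: a naive `"besthack.co" in line` check would also fire on the look-alike host in the last log line, and in real proxy data that kind of false positive is common. The `scan_files` function is the piece to point at download directories and the persistence copies the alert mentions; the hash check is case-insensitive because different tools emit upper- or lower-case hex.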