Qakbot Malware is Still a Major Threat After 15 Years

Qakbot malware is one of the oldest malware threats still in use, having first been detected in 2007. Qakbot malware – aka QBot, QuakBot, and Pinkslipbot – has seen extensive development over the years and still poses a major threat to businesses worldwide. Qakbot started life as a banking Trojan used to steal sensitive financial information. It can now also steal sensitive data from browsers and email clients and, like many other modular banking Trojans, it serves as a malware loader used to deliver secondary payloads.

As was the case back in 2007, Qakbot malware is most commonly delivered via phishing emails, either as a malicious attachment or as a link to a malicious website from which the malware is downloaded. Once initial access to a victim’s network is gained, privileges are escalated and the operator uses built-in Microsoft tools for lateral movement, a technique termed living off the land. Because no additional tools need to be downloaded, there is less for security tools to detect, and the attackers’ activity blends in with IT teams’ legitimate use of the same utilities.

Qakbot malware is known to use exploits for known vulnerabilities. Qakbot malware was recently observed attempting to exploit the Follina remote code execution vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT), which affects Windows 11 and prior versions and most versions of Office. The malware has also used an exploit for Zerologon, to name just a couple.

In addition to being able to read and exfiltrate email data, Qakbot malware – like Emotet – can hijack message threads and self-propagate. An existing email thread is found, and a malicious link is inserted into the conversation. Since the email includes the text of the previous conversation between two individuals, there is a reasonable chance that the malicious website will be visited and the file downloaded and opened. One technique used to get around spam filters is to include the URL as plain text rather than a clickable link, so the recipient has to copy it into the browser manually.

Qakbot malware is strongly associated with ransomware attacks. Once the operators of the malware have achieved their aims, they sell access to infected devices to other threat groups as a secondary revenue stream. For example, QakBot malware has been observed delivering Cobalt Strike beacons to victims’ devices, and access to those beacons is then sold to ransomware gangs. The malware has been used by various ransomware gangs, including ProLock, Black Basta, MegaCortex, Egregor, and REvil.

A 2022 analysis of the malware, published by The DFIR Report, highlights the speed at which attacks occur. DFIR shared information about an attack in October in which the entire network was compromised in minutes. In this case, it is unclear how initial access was gained, but it is likely that the malware was delivered via a phishing email with an infected Excel spreadsheet, which launched the Qakbot malware DLL loader. A scheduled task was created to elevate privileges to SYSTEM level, and Qakbot was then injected into many processes, including Microsoft Remote Assistance (msra.exe).

Within 30 minutes of initial access, browser data and emails had been stolen from the host, and within 50 minutes the malware had spread to another workstation and the process had been repeated. In a very short space of time, all workstations had been infected. Qakbot malware will also steal Windows credentials by dumping the memory of the Local Security Authority Subsystem Service (LSASS). Typically, credentials are stolen within 50 minutes of initial access being gained.
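The timeline above (scheduled task run as SYSTEM, injection into msra.exe, LSASS memory read) can be turned into a simple correlation rule. The following is an added illustration, not code from the DFIR report or from TitanHQ: it runs over constructed, simplified Sysmon-style JSON lines (event 1 = process create, 8 = CreateRemoteThread, 10 = ProcessAccess) and alerts on any host that shows two or more of those stages within an hour. The allowlist of legitimate LSASS readers is an assumption to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style JSON lines (not real telemetry); field names are simplified.
SAMPLE_LOGS = """
{"ts":"2022-10-14T09:03:10","host":"WS01","event":1,"image":"schtasks.exe","cmd":"schtasks /create /ru SYSTEM /tn Upd /tr regsvr32.exe"}
{"ts":"2022-10-14T09:04:02","host":"WS01","event":8,"image":"regsvr32.exe","target":"msra.exe"}
{"ts":"2022-10-14T09:31:45","host":"WS01","event":10,"image":"msra.exe","target":"lsass.exe","access":"0x1010"}
{"ts":"2022-10-14T09:40:00","host":"WS02","event":10,"image":"MsMpEng.exe","target":"lsass.exe","access":"0x1000"}
{"ts":"2022-10-14T10:15:00","host":"WS02","event":1,"image":"schtasks.exe","cmd":"schtasks /query"}
""".strip().splitlines()

LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe"}  # assumed allowlist, tune per estate
PROCESS_VM_READ = 0x0010          # the access right a memory dump needs
WINDOW = timedelta(minutes=60)    # the page's whole timeline fits inside an hour

def classify(ev):
    """Map one event to a Qakbot-style stage name, or None if it looks benign."""
    img = ev.get("image", "").lower()
    if ev["event"] == 1 and img == "schtasks.exe":
        cmd = ev.get("cmd", "").lower()
        if "/create" in cmd and "/ru system" in cmd:
            return "schtask_system"     # scheduled task used to elevate to SYSTEM
    if ev["event"] == 8 and ev.get("target", "").lower() == "msra.exe":
        return "inject_msra"            # remote thread into Microsoft Remote Assistance
    if ev["event"] == 10 and ev.get("target", "").lower() == "lsass.exe":
        if int(ev.get("access", "0"), 16) & PROCESS_VM_READ and img not in LSASS_READERS_OK:
            return "lsass_read"         # credential theft via LSASS memory read
    return None

def correlate(lines, min_stages=2):
    """Return {host: [stages...]} for hosts with >= min_stages distinct stages inside WINDOW."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = []
            for t, s in hits[i:]:
                if t - t0 <= WINDOW and s not in stages:
                    stages.append(s)
            if len(stages) >= min_stages:
                alerts[host] = stages
                break
    return alerts
```

Only WS01 is flagged: the Defender engine reading LSASS with a query-only mask on WS02 and a plain `schtasks /query` are left alone.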

Detecting the malware once it has been installed can be a challenge. The key to protecting against infections is to improve email defenses, as this is the most common attack vector. That means implementing an email security solution that is not reliant on signature-based detection and includes behavior-based detection methods such as sandboxing and outbound scanning to identify compromised mailboxes. These features are present in SpamTitan Email Security products. A web filter is also recommended. WebTitan can detect and block command and control communications and provides additional protection against malicious links in emails, providing time-of-click protection to prevent users from visiting malicious websites linked in emails.

Instagram Phishing Campaign Uses Fake 2-Factor Authentication Messages as Lure

A highly convincing Instagram phishing campaign has been identified that uses warnings about attempted fraudulent logins to trick users into visiting a phishing webpage where they are required to confirm their identity by signing in to their account.

The messages include the Instagram logo with a warning that someone attempted to log in to the user’s Instagram account. The message is a virtual carbon copy of the genuine 2-factor authentication messages that are sent to users to confirm their identity when a suspicious login attempt is detected.

The messages include a 6-digit code that must be entered when logging into the account, together with an embedded “sign in” hyperlink. The user is told to log in to confirm their identity and secure their account.

The messages are well written, although there are some punctuation errors which suggest that the email may not be what it seems. These could easily be overlooked by someone worried that their account has been hacked.

Not only is the message almost identical to Instagram’s 2FA warning, but the website to which the user is directed is also a perfect clone of the genuine Instagram login page. The webpage has a valid SSL certificate, is served over HTTPS, and displays the green padlock to confirm that the connection between the browser and the web page is secure.

The only sign that the web page is not genuine is the domain name. The scammers have chosen a free .CF – Central African Republic – domain name, which is a clear indication that the web page is a fake. However, the presence of HTTPS and a green padlock could fool many people into providing their login credentials in the mistaken belief they are on a secure website.

Many people mistakenly believe that the presence of HTTPS at the start of a website and a green padlock means the website is genuine and secure. However, the green padlock only means the connection between the browser and the website is secure and any sensitive information provided to the website will be protected against unauthorized access in a man-in-the-middle attack. It does not mean the content on the webpage is genuine.
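The point made above, that HTTPS proves only transport security and the domain name is the real tell, is easy to encode as a check. The following is an added example, not code from the page or from TitanHQ: it assumes the expected login domain is `instagram.com`, uses a crude two-label registrable-domain rule (fine for `.com` and `.cf`, not for `co.uk`-style suffixes), and treats the free Freenom ccTLDs (the `.cf` domain from this campaign among them) as an extra warning sign.

```python
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "instagram.com"
# Freenom ccTLDs that were handed out free of charge; .cf is the one seen in this campaign.
FREE_TLDS = {"cf", "tk", "ml", "ga", "gq"}

def registrable_domain(host):
    """Crude eTLD+1: the last two labels (assumption; not a public-suffix-list lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def assess_login_url(url, expected=EXPECTED_DOMAIN):
    """Return the reasons this URL should not be trusted as the expected login page.

    An empty list means the registrable domain matches. HTTPS is required but is
    never counted in the URL's favour: a padlock says nothing about who owns the site.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname drops any user@ prefix and port
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    reg = registrable_domain(host)
    if reg != expected:
        reasons.append(f"domain {reg!r} is not {expected!r}")
        if reg.rsplit(".", 1)[-1] in FREE_TLDS:
            reasons.append("free ccTLD commonly abused for phishing")
        if expected.split(".")[0] in host:
            reasons.append("brand name used as a subdomain or lookalike")
    return reasons
```

A constructed lookalike such as `https://instagram.com-security-check.cf/login` passes the padlock test yet collects three reasons, while `https://www.instagram.com/accounts/login/` collects none.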

HTTPS websites are often used for phishing as many people look for the green padlock to confirm that the website is secure. Unfortunately, SSL certificates are often provided for free by hosting companies and checks on site content are not conducted.

This is an important issue for businesses to cover in security awareness training. Employees should be taught the true meaning of the green padlock and told to always check the domain name carefully before disclosing any sensitive information.

Businesses can further improve their defenses against phishing with a web filtering solution such as WebTitan. With WebTitan in place, businesses can carefully control the types of websites that their employees can visit on their work computers. WebTitan also prevents users from accessing any website known to be used for phishing, malware distribution, or other malicious purposes, and performs real-time checks to assess the legitimacy of a website. If the checks fail, the user is presented with a block screen and will not be able to access the site.

For further information on how a web filter can improve your organization’s security posture and better protect the business from phishing attacks, contact the TitanHQ team today.