Much like Mystique from X-Men or the T-1000 from Terminator, QakBot is a shape-shifter, changing its form to confound defenses. QakBot, also known as Qbot, Quackbot and Pinkslipbot, and distributed by threat actors tracked as TA570, ranks among the most prolific malware families of the last decade, leaving a trail of thousands of infections worldwide. Dive in as we explore QakBot’s origins, its evolution from a banking trojan into a multi-purpose botnet, and the specific tactics it uses in large-scale attacks. Then see how two tailored AttackIQ Flex packages let you test your defenses against this shape-shifting specter.

QakBot’s Evolution

QakBot made its debut in 2007 as a banking trojan focused on stealing banking credentials. In its early days it primarily targeted users in the financial sector, using phishing campaigns with malicious attachments or download links to get onto victim machines. Over the years it grew from a simple banking trojan into a multifaceted threat, adding polymorphic code, evasion techniques, and self-updating capabilities.

Tactics & Techniques Used

One notable outcome of QakBot’s evolution is its ability to operate as a versatile and persistent threat. It uses heavy packing and obfuscation to evade signature-based antivirus, which makes it hard for defenders to spot an infection early and contain its impact.

QakBot’s success lies in how it combines several tactics. Email campaigns with malicious attachments, download links, and compromised websites are its usual entry vectors. Its lures impersonate legitimate entities, often by replying inside hijacked email threads, to trick users into executing the payload. Once on a host, QakBot spreads laterally to other machines and establishes a foothold in the corporate network. Its modular architecture lets it download additional payloads, including post-exploitation frameworks such as Cobalt Strike and Brute Ratel, making it a delivery platform for activity well beyond banking fraud.

AttackIQ Flex Packages

Recognizing the dynamic nature of QakBot’s attacks, AttackIQ Flex has released two specialized packages designed to test and validate your security posture against this shape-shifting adversary.

1. QakBot Infection Chain with Living-off-the-Land (LotL) Techniques

This package tests an organization’s defenses against QakBot’s October 2021 campaign. It emulates the initial infection through an email-delivered malicious Excel document and the Living-off-the-Land techniques that follow, in which legitimate Windows binaries such as rundll32, esentutl and PowerShell do the attacker’s work. The emulation assesses whether your controls detect and mitigate QakBot’s follow-on tactics, including code injection, credential theft via an LSASS memory dump, and network reconnaissance.

Scenarios included in this Package:

  • Collect Browser Data via Esentutl using Powershell Script
  • Dump LSASS Process to Minidump File
  • Check Internet Connectivity using “nslookup” by Resolving “www.attackiq.com” through “8.8.8.8” DNS server
  • Download 2021-10 QBot Malicious Office Delivery Document to Memory
  • Add Directory “oweboiqnb” to Microsoft Defender Exclusion List using PowerShell
  • Execute DLL Through RunDLL32
  • QakBot 2021-10 Initial Connection Web POST Request
  • System Network Connections Discovery
  • Data Staged Script
  • Save 2021-10 QBot Malicious Office Delivery Document to File System
  • Download 2022-03 QakBot Sample to Memory
  • Email Collection Script
  • System Owner/User Discovery Script
  • Save 2022-03 QakBot Sample to File System
  • Code Injection
  • System Network Configuration Discovery

2. QakBot ISO Image Deployment Leads to Brute Ratel, Cobalt Strike, and SharpHound

This package tests an organization’s resilience against the campaign that marked QakBot’s return to distribution on September 8, 2022. The emulation walks through the mounting and execution of an ISO image, leading to the deployment of Brute Ratel, Cobalt Strike, and SharpHound, and evaluates how well your controls detect the persistence, Active Directory reconnaissance, and data exfiltration steps that, in real intrusions, precede lateral movement and ransomware deployment.

Scenarios included in this Package:

  • BloodHound Ingestor Execution
  • Save 2022-09 QakBot DLL Sample to File System
  • Exfiltrate PDF File Containing 1000 Credit Card Numbers via HTTP to Test Server
  • QakBot 2022-05 Initial Web POST Request
  • Mount ISO image and Execute payload
  • Save 2022-09 Cobalt Strike Beacon Sample to File System
  • Brute Ratel 2022-10 Initial Web POST Request
  • Execute DLL Through RegSvr32
  • Persistence Through Registry Run and RunOnce Keys
  • Permission Groups Discovery Script
  • System Network Configuration Discovery
  • System Owner/User Discovery Script
  • Network Share Discovery Script
  • Code Injection
  • Enumerate Trusted Domains via nltest
  • Save 2022-09 Brute Ratel Sample to File System
  • Domain Administrator Accounts Discovery Via Net Command Script
  • Account Discovery using “net.exe” command
  • QakBot 2022-05 Initial Web GET Request
  • Check Internet Connectivity using “nslookup” by Resolving “www.attackiq.com” through “8.8.8.8” DNS server
  • Download 2022-09 QakBot DLL Sample to Memory
  • Remote System Discovery Script
  • System Network Connections Discovery
  • Execute DLL Through RunDLL32
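The scenario names in both packages above describe behaviours that surface in ordinary process-creation telemetry. As an added example for this write-up (not AttackIQ’s or QakBot’s code), the following Python sketch runs a small rule set over constructed Sysmon Event ID 1 / Windows 4688-style events and reports which emulated steps it would catch. The events are made up, and the rules are an assumption about what an analyst would alert on for each scenario name (including the `oweboiqnb` directory from the first package), not published detections.

```python
"""
Flag the living-off-the-land behaviours emulated by the two QakBot packages above
in process-creation telemetry (Sysmon Event ID 1 / Windows 4688 fields reduced to
image, parent image and command line). Added example for this write-up, not AttackIQ
or QakBot code: the events are constructed and the rules are an assumption about
what an analyst would alert on for each scenario name, not published detections.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str    # full path of the created process
    parent: str   # full path of the parent process
    cmdline: str  # command line as logged


def _name(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


OFFICE_APPS = {"excel.exe", "winword.exe", "outlook.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = DLL_LOADERS | {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# User-writable locations a QakBot-style dropper writes its DLL into.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\windows\\temp\\", re.I)
# A file at the root of a non-system drive: Windows mounts an ISO image to the next
# free letter, so D:\x.lnk or E:\x.dll is how ISO-delivered content gets executed.
DRIVE_ROOT_FILE = re.compile(r'(?:^|[\s"])[d-z]:\\[^\\\s"]+', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\b", re.I)

RULES = [
    # 2021-10 Excel delivery document spawning a LOLBin.
    ("office_spawns_lolbin",
     lambda e: _name(e.parent) in OFFICE_APPS and _name(e.image) in SCRIPT_HOSTS),
    # Execute DLL through RunDLL32 / RegSvr32 from a user-writable path.
    ("dll_loader_user_writable_path",
     lambda e: _name(e.image) in DLL_LOADERS and bool(USER_WRITABLE.search(e.cmdline))),
    # Mount ISO image and execute payload.
    ("exec_from_drive_root",
     lambda e: _name(e.image) in SCRIPT_HOSTS and bool(DRIVE_ROOT_FILE.search(e.cmdline))),
    # Add directory to Microsoft Defender exclusion list using PowerShell.
    ("defender_exclusion_added",
     lambda e: _name(e.image) in {"powershell.exe", "pwsh.exe"}
     and "add-mppreference" in e.cmdline.lower() and "-exclusionpath" in e.cmdline.lower()),
    # Collect browser data via esentutl: /vss copies an ESE database that is locked.
    ("esentutl_vss_copy",
     lambda e: _name(e.image) == "esentutl.exe" and "/vss" in e.cmdline.lower()),
    # Dump LSASS to a minidump. comsvcs.dll MiniDump takes a PID, so the command
    # line never names lsass; in production correlate that PID with lsass.exe.
    ("lsass_minidump",
     lambda e: ("comsvcs.dll" in e.cmdline.lower() and "minidump" in e.cmdline.lower())
     or (_name(e.image).startswith("procdump") and "lsass" in e.cmdline.lower())),
    # Enumerate trusted domains via nltest.
    ("nltest_domain_trusts",
     lambda e: _name(e.image) == "nltest.exe" and "/domain_trusts" in e.cmdline.lower()),
    # Domain Administrator accounts discovery via net command.
    ("net_domain_admins",
     lambda e: _name(e.image) in {"net.exe", "net1.exe"}
     and "domain admins" in e.cmdline.lower() and "/domain" in e.cmdline.lower()),
    # Persistence through registry Run and RunOnce keys.
    ("run_key_persistence",
     lambda e: _name(e.image) == "reg.exe" and " add " in f" {e.cmdline.lower()} "
     and bool(RUN_KEY.search(e.cmdline))),
]


def scan(events):
    """Return {rule_name: [matching command lines]} for every rule that fired."""
    hits = {}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(name, []).append(e.cmdline)
    return hits


# Constructed telemetry: one benign rundll32 launch, then one event per behaviour.
SYS32, CMD = r"C:\Windows\System32", r"C:\Windows\System32\cmd.exe"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(SYS32 + r"\rundll32.exe", r"C:\Windows\explorer.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(SYS32 + r"\regsvr32.exe", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"regsvr32.exe -s C:\Users\alice\AppData\Roaming\oweboiqnb\wind.dll"),
    ProcEvent(SYS32 + r"\rundll32.exe", CMD, r"rundll32.exe E:\install.dll,DllRegisterServer"),
    ProcEvent(PS, CMD, r"powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming\oweboiqnb"),
    ProcEvent(SYS32 + r"\esentutl.exe", PS,
              r'esentutl.exe /y "C:\Users\alice\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" /vss /d C:\Windows\Temp\w.dat'),
    ProcEvent(SYS32 + r"\rundll32.exe", CMD, r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\lsass.dmp full"),
    ProcEvent(SYS32 + r"\nltest.exe", CMD, r"nltest /domain_trusts /all_trusts"),
    ProcEvent(SYS32 + r"\net.exe", CMD, r'net group "Domain Admins" /domain'),
    ProcEvent(SYS32 + r"\reg.exe", CMD,
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d "rundll32 C:\Users\alice\AppData\Roaming\oweboiqnb\wind.dll,Start"'),
]

if __name__ == "__main__":
    for rule, lines in sorted(scan(SAMPLE_EVENTS).items()):
        print(rule)
        for line in lines:
            print("    " + line)
```

Run stand-alone, the script prints each rule that fired together with the command lines behind it; the benign `shell32.dll` launch matches nothing, while the `comsvcs.dll` dump trips both the LSASS rule and the user-writable-path rule because it writes to `C:\Windows\Temp`. The PowerShell, esentutl and LSASS rules map to scenario names in the first package, the ISO, nltest, net and Run-key rules to the second. The `lsass_minidump` rule also shows a real gap worth testing for: `comsvcs.dll MiniDump` takes a PID rather than a process name, so a command-line-only detection needs to be joined with the PID of `lsass.exe` to be reliable.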

Conclusion

As QakBot continues to shape-shift, staying ahead of its tactics is crucial. The two AttackIQ Flex packages give you realistic, repeatable emulations of its infection chains, so you can verify that your controls detect and block each step rather than assume they do. In this cyber odyssey, knowledge and proactive testing are what fortify your defenses, by showing you where an adversary, QakBot or otherwise, could get through.