S0650 QakBot
QakBot is a modular banking trojan that has been used primarily by financially motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[4][3][1][2]
Item | Value |
---|---|
ID | S0650 |
Associated Names | Pinkslipbot, QuackBot, QBot |
Type | MALWARE |
Version | 1.1 |
Created | 27 September 2021 |
Last Modified | 01 May 2023 |
Associated Software Descriptions
Name | Description |
---|---|
Pinkslipbot | [1][2] |
QuackBot | [1] |
QBot | [4][3][1][2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[5][7][1] |
enterprise | T1010 | Application Window Discovery | QakBot has the ability to enumerate windows on a compromised host.[2] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | QakBot can maintain persistence by creating an auto-run Registry key.[5][7][4][9] |
enterprise | T1185 | Browser Session Hijacking | QakBot can use advanced web injects to steal web banking credentials.[8][1] |
enterprise | T1110 | Brute Force | QakBot can conduct brute force attacks to capture credentials.[6][7][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | QakBot can use PowerShell to download and execute payloads.[9] |
enterprise | T1059.003 | Windows Command Shell | QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[7][2][11][1] |
enterprise | T1059.005 | Visual Basic | QakBot can use VBS to download and execute malicious files.[5][6][7][4][8][9][11] |
enterprise | T1059.007 | JavaScript | The QakBot web inject module can inject JavaScript into web banking pages visited by the victim.[11][1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | QakBot can remotely create a temporary service on a target host.[12] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | QakBot has collected usernames and passwords from Firefox and Chrome.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | QakBot can Base64 encode system information sent to C2.[7][1] |
enterprise | T1005 | Data from Local System | QakBot can use a variety of commands, including esentutl.exe, to steal sensitive data from Internet Explorer and Microsoft Edge; the collected information is subsequently exfiltrated.[3][1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | QakBot has stored stolen emails and other data into new folders prior to exfiltration.[6] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | QakBot can deobfuscate and re-assemble code strings for execution.[8][2][1] |
enterprise | T1482 | Domain Trust Discovery | QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.[1] |
enterprise | T1568 | Dynamic Resolution | - |
enterprise | T1568.002 | Domain Generation Algorithms | QakBot can use domain generation algorithms in C2 communication.[5] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[6][4][1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | QakBot can RC4 encrypt strings in C2 communication.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[1] |
enterprise | T1210 | Exploitation of Remote Services | QakBot can move laterally using worm-like functionality through exploitation of SMB.[7] |
enterprise | T1083 | File and Directory Discovery | QakBot can identify whether it has been run previously on a host by checking for a specified folder.[2] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | QakBot has placed its payload in hidden subdirectories.[11] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | QakBot has the ability to use DLL side-loading for execution.[10] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[9] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | QakBot can delete folders and files, including overwriting its executable with legitimate programs.[6][7][2][9] |
enterprise | T1105 | Ingress Tool Transfer | QakBot has the ability to download additional components and malware.[5][7][4][8][1][9] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | QakBot can capture keystrokes on a compromised host.[6][4][1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.008 | Masquerade File Type | The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.[9][11] |
enterprise | T1112 | Modify Registry | QakBot can modify the Registry to store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[3][9] |
enterprise | T1106 | Native API | QakBot can use GetProcAddress to help delete malicious strings from memory.[2] |
enterprise | T1135 | Network Share Discovery | QakBot can use net share to identify network shares for use in lateral movement.[5][1] |
enterprise | T1095 | Non-Application Layer Protocol | QakBot has the ability to use TCP to send or receive C2 packets.[1] |
enterprise | T1027 | Obfuscated Files or Information | QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[8] |
enterprise | T1027.001 | Binary Padding | QakBot can use large file sizes to evade detection.[5][9] |
enterprise | T1027.002 | Software Packing | QakBot can encrypt and pack malicious payloads.[8] |
enterprise | T1027.005 | Indicator Removal from Tools | QakBot can make small changes to itself in order to change its checksum and hash value.[7][8] |
enterprise | T1027.006 | HTML Smuggling | QakBot has been delivered in ZIP files via HTML smuggling.[11][10] |
enterprise | T1027.010 | Command Obfuscation | QakBot can use obfuscated and encoded scripts.[8][11] |
enterprise | T1027.011 | Fileless Storage | QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[3][9] |
enterprise | T1120 | Peripheral Device Discovery | QakBot can identify peripheral devices on targeted systems.[5] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | QakBot can use net localgroup to enable discovery of local groups.[11][1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | QakBot has spread through emails with malicious attachments.[5][6][4][8][2][1][9][10] |
enterprise | T1566.002 | Spearphishing Link | QakBot has spread through emails with malicious links.[5][6][4][2][1][9][11] |
enterprise | T1057 | Process Discovery | QakBot has the ability to check running processes.[2] |
enterprise | T1055 | Process Injection | QakBot can inject itself into processes including explorer.exe, iexplore.exe, mobsync.exe, and wermgr.exe.[5][6][4][11][1] |
enterprise | T1055.012 | Process Hollowing | QakBot can use process hollowing to execute its main payload.[2] |
enterprise | T1572 | Protocol Tunneling | The QakBot proxy module can encapsulate the SOCKS5 protocol within its own proxy protocol.[1] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.002 | External Proxy | QakBot has a module that can proxy C2 communications.[1] |
enterprise | T1018 | Remote System Discovery | QakBot can identify remote systems through the net view command.[7][11][1] |
enterprise | T1091 | Replication Through Removable Media | QakBot has the ability to use removable drives to spread through compromised networks.[5] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | QakBot has the ability to create scheduled tasks for persistence.[5][6][7][4][3][8][1][9] |
enterprise | T1518 | Software Discovery | QakBot can enumerate a list of installed programs.[9] |
enterprise | T1518.001 | Security Software Discovery | QakBot can identify the installed antivirus product on a targeted system.[7][2][1] |
enterprise | T1539 | Steal Web Session Cookie | QakBot has the ability to capture web session cookies.[6][1] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | QakBot can use signed loaders to evade detection.[2][10] |
enterprise | T1553.005 | Mark-of-the-Web Bypass | QakBot has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures.[11] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.007 | Msiexec | QakBot can use MSIExec to spawn multiple cmd.exe processes.[7] |
enterprise | T1218.010 | Regsvr32 | QakBot can use Regsvr32 to execute malicious DLLs.[3][8][2][11][12][10] |
enterprise | T1218.011 | Rundll32 | QakBot has used Rundll32.exe to drop malicious DLLs, including Brute Ratel C4, and to enable C2 communication.[7][3][8][2][11] |
enterprise | T1082 | System Information Discovery | QakBot can collect system information including the OS version and domain on a compromised host.[7][2][9] |
enterprise | T1016 | System Network Configuration Discovery | QakBot can use net config workstation, arp -a, nslookup, and ipconfig /all to gather network configuration information.[7][1][9][11] |
enterprise | T1016.001 | Internet Connection Discovery | QakBot can measure the download speed on a targeted host.[1] |
enterprise | T1049 | System Network Connections Discovery | QakBot can use netstat to enumerate current network connections.[11][1] |
enterprise | T1033 | System Owner/User Discovery | QakBot can identify the user name on a compromised system.[11][1] |
enterprise | T1124 | System Time Discovery | QakBot can identify the system time on a targeted host.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | QakBot has gained execution through users opening malicious links.[5][6][4][2][1][9][11] |
enterprise | T1204.002 | Malicious File | QakBot has gained execution through users opening malicious attachments.[5][6][7][4][8][2][1][9][10] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[5][2] |
enterprise | T1497.003 | Time Based Evasion | The QakBot dropper can delay dropping the payload to evade detection.[8][1] |
enterprise | T1047 | Windows Management Instrumentation | QakBot can execute WMI queries to gather information.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0127 | TA551 | [2] |
References
1. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
2. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
3. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
4. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
5. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
6. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
7. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
8. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
9. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
10. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
11. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
12. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.