S0650 QakBot
QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]
Item | Value |
---|---|
ID | S0650 |
Associated Names | Pinkslipbot, QuackBot, QBot |
Type | MALWARE |
Version | 1.0 |
Created | 27 September 2021 |
Last Modified | 15 October 2021 |
Associated Software Descriptions
Name | Description |
---|---|
Pinkslipbot | [3][4] |
QuackBot | [3] |
QBot | [1][2][3][4] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[5][6][3] |
enterprise | T1010 | Application Window Discovery | QakBot has the ability to enumerate windows on a compromised host.[4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | QakBot can maintain persistence by creating an auto-run Registry key.[5][6][1][7] |
enterprise | T1185 | Browser Session Hijacking | QakBot can use advanced web injects to steal web banking credentials.[9][3] |
enterprise | T1110 | Brute Force | QakBot can conduct brute force attacks to capture credentials.[8][6][3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | QakBot can use PowerShell to download and execute payloads.[7] |
enterprise | T1059.003 | Windows Command Shell | QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[6][4][3] |
enterprise | T1059.005 | Visual Basic | QakBot can use VBS to download and execute malicious files.[5][8][6][1][9][7] |
enterprise | T1059.007 | JavaScript | The QakBot web inject module can inject JavaScript into web banking pages visited by the victim.[3] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | QakBot has collected usernames and passwords from Firefox and Chrome.[3] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | QakBot can Base64 encode system information sent to C2.[6][3] |
enterprise | T1005 | Data from Local System | QakBot can use a variety of commands, including esentutl.exe, to steal sensitive data from Internet Explorer and Microsoft Edge and to acquire information that is subsequently exfiltrated.[2][3] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | QakBot has stored stolen emails and other data into new folders prior to exfiltration.[8] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | QakBot can deobfuscate and re-assemble code strings for execution.[9][4][3] |
enterprise | T1482 | Domain Trust Discovery | QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.[3] |
enterprise | T1568 | Dynamic Resolution | - |
enterprise | T1568.002 | Domain Generation Algorithms | QakBot can use domain generation algorithms in C2 communication.[5] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[8][8][1][3] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | QakBot can RC4 encrypt strings in C2 communication.[3] |
enterprise | T1041 | Exfiltration Over C2 Channel | QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[3] |
enterprise | T1210 | Exploitation of Remote Services | QakBot can move laterally using worm-like functionality through exploitation of SMB.[6] |
enterprise | T1083 | File and Directory Discovery | QakBot can identify whether it has been run previously on a host by checking for a specified folder.[4] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[7] |
enterprise | T1070 | Indicator Removal on Host | - |
enterprise | T1070.004 | File Deletion | QakBot can delete folders and files including overwriting its executable with legitimate programs.[8][6][4][7] |
enterprise | T1105 | Ingress Tool Transfer | QakBot has the ability to download additional components and malware.[5][6][1][9][3][7] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | QakBot can capture keystrokes on a compromised host.[8][1][3] |
enterprise | T1036 | Masquerading | The QakBot payload has been disguised as a PNG file.[7] |
enterprise | T1112 | Modify Registry | QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[2][7] |
enterprise | T1106 | Native API | QakBot can use GetProcAddress to help delete malicious strings from memory.[4] |
enterprise | T1135 | Network Share Discovery | QakBot can use net share to identify network shares for use in lateral movement.[5][3] |
enterprise | T1095 | Non-Application Layer Protocol | QakBot has the ability to use TCP to send or receive C2 packets.[3] |
enterprise | T1027 | Obfuscated Files or Information | QakBot can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[9] |
enterprise | T1027.001 | Binary Padding | QakBot can use large file sizes to evade detection.[5][7] |
enterprise | T1027.002 | Software Packing | QakBot can encrypt and pack malicious payloads.[9] |
enterprise | T1027.005 | Indicator Removal from Tools | QakBot can make small changes to itself in order to change its checksum and hash value.[6][9] |
enterprise | T1120 | Peripheral Device Discovery | QakBot can identify peripheral devices on targeted systems.[5] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | QakBot can use net localgroup to enable discovery of local groups.[3] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | QakBot has spread through emails with malicious attachments.[5][8][1][9][4][3][7] |
enterprise | T1566.002 | Spearphishing Link | QakBot has spread through emails with malicious links.[5][8][1][4][3][7] |
enterprise | T1057 | Process Discovery | QakBot has the ability to check running processes.[4] |
enterprise | T1055 | Process Injection | QakBot can inject itself into processes including explorer.exe, Iexplore.exe, and Mobsync.exe.[5][8][1][3] |
enterprise | T1055.012 | Process Hollowing | QakBot can use process hollowing to execute its main payload.[4] |
enterprise | T1572 | Protocol Tunneling | The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.[3] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.002 | External Proxy | QakBot has a module that can proxy C2 communications.[3] |
enterprise | T1018 | Remote System Discovery | QakBot can identify remote systems through the net view command.[6][3] |
enterprise | T1091 | Replication Through Removable Media | QakBot has the ability to use removable drives to spread through compromised networks.[5] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | QakBot has the ability to create scheduled tasks for persistence.[5][8][6][1][2][9][3][7] |
enterprise | T1518 | Software Discovery | QakBot can enumerate a list of installed programs.[7] |
enterprise | T1518.001 | Security Software Discovery | QakBot can identify the installed antivirus product on a targeted system.[6][4][4][3] |
enterprise | T1539 | Steal Web Session Cookie | QakBot has the ability to capture web session cookies.[8][3] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | QakBot can use signed loaders to evade detection.[4] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.007 | Msiexec | QakBot can use MSIExec to spawn multiple cmd.exe processes.[6] |
enterprise | T1218.010 | Regsvr32 | QakBot can use Regsvr32 to execute malicious DLLs.[2][9][4] |
enterprise | T1218.011 | Rundll32 | QakBot can use Rundll32.exe to enable C2 communication.[6][2][9][4] |
enterprise | T1082 | System Information Discovery | QakBot can collect system information including the OS version and domain on a compromised host.[6][4][7] |
enterprise | T1016 | System Network Configuration Discovery | QakBot can use net config workstation, arp -a, and ipconfig /all to gather network configuration information.[6][3][7] |
enterprise | T1016.001 | Internet Connection Discovery | QakBot can measure the download speed on a targeted host.[3] |
enterprise | T1049 | System Network Connections Discovery | QakBot can use netstat to enumerate current network connections.[3] |
enterprise | T1033 | System Owner/User Discovery | QakBot can identify the user name on a compromised system.[3] |
enterprise | T1124 | System Time Discovery | QakBot can identify the system time on a targeted host.[3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | QakBot has gained execution through users opening malicious links.[5][8][1][4][3][7] |
enterprise | T1204.002 | Malicious File | QakBot has gained execution through users opening malicious attachments.[5][8][6][1][9][4][3][7] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[5][4] |
enterprise | T1497.003 | Time Based Evasion | The QakBot dropper can delay dropping the payload to evade detection.[9][3] |
enterprise | T1047 | Windows Management Instrumentation | QakBot can execute WMI queries to gather information.[3] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0127 | TA551 | [4] |
References
- [1] Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
- [2] Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
- [3] Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- [4] Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
- [5] Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- [6] CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
- [7] Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- [8] Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
- [9] Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.