
Description

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk
  • Last Updated: 2022-11-14
  • Author: Teoderick Contreras, Splunk
  • ID: 0c6169b1-f126-4d86-8e4f-f7891007ebc6

Narrative

QakBot notably has made its way onto the CISA top malware list for 2021. QakBot has for years been under continuous improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver an ISO container that holds an LNK file and the QakBot payload. QakBot will either load via regsvr32.exe directly or attempt to perform DLL sideloading.
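The loading behaviour described above (regsvr32.exe registering a DLL that arrived in a mounted ISO or a user-writable folder, often spawned by an Office application) is the kind of process-creation pattern several of the detections in this story look for. The following Python is an added example, not Splunk's own search logic: it runs two such rules over constructed process-creation events. The field names (image, command_line, parent_image) and the sample events are assumptions loosely modelled on Sysmon process-creation records, and the list of user-writable path markers is illustrative rather than exhaustive.

```python
"""Added example: two QakBot-style regsvr32 rules over constructed process events.

Rule 1: an Office application spawning regsvr32.exe.
Rule 2: regsvr32.exe silently (/s) registering a DLL from a user-writable
        folder or from a drive other than the system drive (a mounted ISO
        image is presented to the user as its own drive letter).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class ProcessEvent:
    image: str          # image name of the new process, e.g. "regsvr32.exe" (assumed field)
    command_line: str   # full command line (assumed field)
    parent_image: str   # image name of the parent process (assumed field)


# Office binaries whose children should not normally include regsvr32.exe.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# First DLL/OCX argument on the command line, quoted or unquoted.
DLL_ARG = re.compile(
    r'"([a-z]:\\[^"]+\.(?:dll|ocx))"|([a-z]:\\\S+\.(?:dll|ocx))', re.IGNORECASE
)
# regsvr32's silent switch, /s or -s, as a separate token.
SILENT_SWITCH = re.compile(r"(?:^|\s)[/-]s(?=\s|$)", re.IGNORECASE)

# Illustrative markers of user-writable locations (constructed list).
USER_WRITABLE = (
    "\\appdata\\", "\\downloads\\", "\\desktop\\",
    "\\programdata\\", "\\temp\\", "\\users\\public\\",
)


def dll_argument(command_line: str) -> Optional[str]:
    """Return the DLL/OCX path passed to regsvr32, or None if there is none."""
    m = DLL_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def is_suspicious_dll_path(path: str) -> bool:
    """True for a non-system drive (e.g. a mounted ISO) or a user-writable folder."""
    p = path.lower()
    if not p.startswith("c:\\"):
        return True
    return any(marker in p for marker in USER_WRITABLE)


def regsvr32_findings(ev: ProcessEvent) -> List[str]:
    """Names of the rules this event matches (empty list if none)."""
    findings: List[str] = []
    if ev.image.lower() != "regsvr32.exe":
        return findings
    if ev.parent_image.lower() in OFFICE_APPS:
        findings.append("office_spawned_regsvr32")
    dll = dll_argument(ev.command_line)
    if dll and SILENT_SWITCH.search(ev.command_line) and is_suspicious_dll_path(dll):
        findings.append("regsvr32_silent_register_suspicious_path")
    return findings


def scan(events: Sequence[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that matched at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := regsvr32_findings(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("regsvr32.exe", 'regsvr32.exe /s "E:\\Setup Files\\update.dll"', "winword.exe"),
    ProcessEvent("regsvr32.exe", "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll", "msiexec.exe"),
    ProcessEvent("regsvr32.exe", "regsvr32.exe -s C:\\Users\\alice\\AppData\\Local\\Temp\\abcd.dll", "cmd.exe"),
    ProcessEvent("rundll32.exe", "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\abcd.dll,Start", "cmd.exe"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(findings)}")
```

Event 0 trips both rules (Office parent, silent registration from a non-system drive), event 2 trips only the path rule, and the installer-driven registration from System32 in event 1 is left alone. The second rule is deliberately a conjunction: the silent switch alone is common in legitimate installs, and a DLL under a user profile alone is common for per-user software, so the two are combined to keep the match narrow.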

Detections

Name | Technique | Type
--- | --- | ---
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP
Create Remote Thread In Shell Application | Process Injection | TTP
Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting
NLTest Domain Trust Discovery | Domain Trust Discovery | TTP
Network Connection Discovery With Arp | System Network Connections Discovery | Hunting
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Network Discovery Using Route Windows App | System Network Configuration Discovery, Internet Connection Discovery | Hunting
Office Application Spawn Regsvr32 process | Phishing, Spearphishing Attachment | TTP
Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP
Office Product Spawn CMD Process | Phishing, Spearphishing Attachment | TTP
Process Creating LNK file in Suspicious Location | Phishing, Spearphishing Link | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Regsvr32 with Known Silent Switch Cmdline | System Binary Proxy Execution, Regsvr32 | Anomaly
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Schtasks Run Task On Demand | Scheduled Task/Job | TTP
Services LOLBAS Execution Process Spawn | Create or Modify System Process, Windows Service | TTP
Suspicious Copy on System32 | Rename System Utilities, Masquerading | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Suspicious Regsvr32 Register Suspicious Path | System Binary Proxy Execution, Regsvr32 | TTP
System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | Anomaly
System User Discovery With Whoami | System Owner/User Discovery | Hunting
Wermgr Process Spawned CMD Or Powershell Process | Command and Scripting Interpreter | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Windows App Layer Protocol Qakbot NamedPipe | Application Layer Protocol | Anomaly
Windows App Layer Protocol Wermgr Connect To NamedPipe | Application Layer Protocol | Anomaly
Windows Command Shell Fetch Env Variables | Process Injection | TTP
Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL Search Order Hijacking, Hijack Execution Flow | Hunting
Windows DLL Side-Loading In Calc | DLL Side-Loading, Hijack Execution Flow | TTP
Windows DLL Side-Loading Process Child Of Calc | DLL Side-Loading, Hijack Execution Flow | Anomaly
Windows Defender Exclusion Registry Entry | Disable or Modify Tools, Impair Defenses | TTP
Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting
Windows Masquerading Explorer As Child Process | DLL Side-Loading, Hijack Execution Flow | TTP
Windows Modify Registry Qakbot Binary Data Registry | Modify Registry | Anomaly
Windows MsiExec HideWindow Rundll32 Execution | Msiexec, System Binary Proxy Execution | TTP
Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment, Phishing | Hunting
Windows Process Injection In Non-Service SearchIndexer | Process Injection | TTP
Windows Process Injection Of Wermgr to Known Browser | Dynamic-link Library Injection, Process Injection | TTP
Windows Process Injection Remote Thread | Process Injection, Portable Executable Injection | TTP
Windows Process Injection Wermgr Child Process | Process Injection | Anomaly
Windows Regsvr32 Renamed Binary | Regsvr32, System Binary Proxy Execution | TTP
Windows Schtasks Create Run As System | Scheduled Task, Scheduled Task/Job | TTP
Windows Service Created with Suspicious Service Path | System Services, Service Execution | TTP
Windows System Discovery Using Qwinsta | System Owner/User Discovery | Hunting
Windows System Discovery Using ldap Nslookup | System Owner/User Discovery | Anomaly
Windows WMI Impersonate Token | Windows Management Instrumentation | Anomaly
Windows WMI Process Call Create | Windows Management Instrumentation | Hunting

Reference

source | version: 2