Secureworks identifies malicious Qakbot ransomware campaign
U.S. law enforcement announced a multinational operation that disrupted the Qakbot botnet (also known as Qbot) and associated infrastructure. Secureworks' Counter Threat Unit (CTU) researchers have long maintained active monitoring of the botnet and detected the disruption activity on August 25.
During the takedown, law enforcement identified over 700,000 infected computers and seized more than US$8.6 million in illicit profits, Secureworks states. The botnet was lucrative for the GOLD LAGOON threat group, which has operated the Qakbot malware since 2007. The threat actors reportedly received approximately $58 million in ransom payments between October 2021 and April 2023.
Qakbot was one of the top malware threats, used by cyber criminals to deliver other malware such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.
For example, in November 2022 CTU researchers investigated multiple incidents where threat actors used the Qakbot malware to deliver Cobalt Strike, which then led to Black Basta ransomware deployment. These incidents are notable due to the speed of the operations: data exfiltration and ransomware deployment occurred within 24 hours of initial access.
The initial access vector for these intrusions was a phishing email, Secureworks states. The threat actors injected the malicious message into an existing legitimate email thread to make it appear legitimate. This technique is commonly associated with the Qakbot malware.
This email contained a link to a password-protected malicious ZIP archive. Using an embedded URL and password-protected archive can defeat security controls that rely on scanning mail attachments or inspecting the content of downloaded files.
Downloaded archive files used the naming convention<uppercase letter><number>.zip (e.g., X6.zip). The archive included an IMG file that contained a JavaScript file and a hidden directory.
When the victim opened the archive and provided the password, the JavaScript file (WW.js) used the native RegSvr32 utility to execute a Qakbot binary in the 'port' hidden directory. The Qakbot payload was stored in a DLL file but used a .tmp file extension.
Qakbot performed a series of automated reconnaissance commands that were presumably used by the threat actors to triage victims of interest.
The threat actors then used Qakbot to deploy Cobalt Strike to multiple hosts within the compromised environment. The Cobalt Strike samples identified by CTU researchers were DNS Beacons that created high volumes of DNS requests with the convention 'lnx.<hex_value>.<hex_value>.dns . samiford . com'. The samiford . com root domain was reused across multiple intrusions.
One of the IP addresses resolved by some of the samiford . com subdomains (144 . 202 . 43 . 124) was previously associated with GOLD ULRICK's Conti ransomware-as-a-service (RaaS) operation.
The threat actors also used an identical SystemBC remote access trojan (RAT) binary across multiple intrusions. This binary was configured to use Tor to obfuscate network traffic.
For data exfiltration, the threat actors used the Rclone command-line tool (MsRcl.exe) to transfer up to hundreds of gigabytes of data in a few hours. The threat actors configured Rclone to use the WebDAV protocol to transfer up to 55 files concurrently, ignoring files larger than 88MB, Secureworks states.
In one incident, the threat actors finished exfiltrating data, rapidly issued a taskkill command to end the Rclone process, and then deployed GOLD REBELLION's Black Basta ransomware. This speed of attack and short dwell time has been consistent across many Secureworks incident response engagements that involve Qakbot.
CTU researchers recommend that organisations consider implementing the following mitigations to prevent this and similar campaigns from succeeding, focusing in particular on preventing malware delivery via phishing emails:
- Flag emails that originate from external sources, and train personnel to identify suspicious links or email attachments.
- Implement a safe and easy mechanism for personnel to report suspected phishing emails.
- Respond quickly to alerts for suspicious emails, ensuring that similar emails sent to other users are identified and quarantined.
- Deploy endpoint detection and response agent software to all workstations and servers to quickly identify infections and isolate affected hosts as soon as possible.
- Apply the principle of least privilege for users, and limit local administrative permissions through solutions such as Local Administrator Password Solution (LAPS).
- Apply credible threat intelligence feeds to perimeter controls such as web proxies, to identify suspicious or malicious domains.
- Where feasible, use Group Policy Objects or AppLocker script rules to prevent personnel from inadvertently executing malicious scripts.