Reviewing Qakbot loader sequences: Part 1

By: Blake Eakin

After the recent takedown of Qakbot infrastructure announced in a press release by the Department of Justice, it seems an appropriate time to look back on the operations of the group that distributed it and see what we can learn from the perspectives of adversary tradecraft and detection opportunities.

While they were known for the ever-shifting variations in their delivery and execution procedures, their techniques are shared with many other malware distributors. It is also hard to believe that the actors involved would accept the infrastructure loss as final and move on with their lives. We can expect to see them come back, likely after learning from the experience and developing some new tricks, but it would be hard to believe they would completely abandon their old favorites.

Like most teams involved in detection engineering, threat hunting, or intelligence in the past two years, we owe a great deal of gratitude to the Twitter accounts of @pr0xylife and @Cryptolaemus1 for freely disseminating quality Qakbot IOCs just as consistently as the threat actors behind them dish them out. A particular piece of useful data these accounts include in their posts is an execution chain from email payload to execution of the DLL that launches Qakbot.

These aren’t the most salacious details of delivery procedures in their Twitter posts, but they do collectively provide an interesting analysis opportunity. When developing detections for the ConnectWise SIEM™ based around active threats, we tend to focus on catching threats at the earliest possible point. It is much more useful to alert our partners about the initial access activity of a ransomware group rather than giving them the regretful call that lets them know about the ransomed files they are probably already aware of. With this approach in mind, we have reviewed this data for insights, trends, and opportunities for detection or threat hunting around the Qakbot loading process.

The big picture

Through the lens of MITRE ATT&CK® tactics, we can consider the loading chain for Qakbot as initial access followed by a mixture of execution and defense evasion to try and get to a final process injection. This isn’t unique to Qakbot—it would describe most loader sequences. At the technique level, we can understand that their overall path is to use phishing to get users to trust and execute a payload that uses native scripting interpreters and system binaries to execute Qakbot. This exposes a process from phishing payload to process injection that leans on obfuscation and living off the land to reach their goal.


Figure 1: Paths between MITRE ATT&CK techniques used by Qakbot.

This provides more actionable information for wider coverage, especially considering the high variability of potential avenues groups such as these have when implementing these techniques. A broad look at techniques can be useful but also a tedious and unwise use of time. Focusing on aspects of each method that are less likely to be adopted by the threats targeting an organization may not be fruitful if it means not applying coverage to more viable areas. We can look at the same information another level deeper and get a more focused look by graphing the movements between sub-techniques, as seen in Figure 2.


Figure 2: Paths between MITRE ATT&CK sub-techniques used by Qakbot.

While we frequently use the MITRE ATT&CK framework to communicate and categorize detections, we mostly find ourselves digging for the specific procedures behind the techniques. The graph in Figure 3, which depicts initial access and execution paths used by the intrusion set delivering Qakbot, was created to aid in prioritizing and developing broader detections. It is color-coded based on the initial phishing payload and weighted based on the frequency of use.

These detections attempt to capture Qakbot loading activity, regardless of how specific procedures change around any particular technique. Throughout this blog series, I will be breaking this graph down into smaller parts to explore in more detail the procedures used at each step, opportunities to generally detect the techniques, and speculate on possible avenues other groups could adopt or that we might see on this group’s return.


Figure 3: Paths from initial phishing email to DLL execution used by Qakbot. Colored by initial phishing payload and weighted by frequency of usage.
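To show how a graph like Figure 3 can be built from execution-chain data, here is an added example (not the author's tooling) that aggregates chains into weighted edges, records which initial payload each edge belongs to, ranks the most frequent complete paths, and emits Graphviz DOT. The chains are constructed samples written in a "stage > stage" shorthand; they are not real IOC data.

```python
from collections import Counter, defaultdict

# Constructed sample chains using stage names discussed in the article; not real IOCs.
SAMPLE_CHAINS = """
URL > ZIP > XLS > macro > DLL
URL > ZIP > XLS > macro > DLL
URL > ZIP > XLSB > macro > DLL
HTML smuggling > ZIP > ISO > LNK > DLL
HTML smuggling > ZIP > ISO > LNK > DLL
URL > ZIP > ISO > LNK > DLL
PDF > URL > ZIP > ISO > LNK > DLL
OneNote > embedded file > DLL
OneNote > embedded file > DLL
"""

def parse_chains(text):
    """Split raw text into chains (lists of stage names), skipping blank lines."""
    chains = []
    for line in text.strip().splitlines():
        stages = [s.strip() for s in line.split(">") if s.strip()]
        if stages:
            chains.append(stages)
    return chains

def edge_weights(chains):
    """Count each stage->stage transition and note which initial payloads use it."""
    weights = Counter()
    payloads = defaultdict(set)
    for chain in chains:
        for src, dst in zip(chain, chain[1:]):
            weights[(src, dst)] += 1
            payloads[(src, dst)].add(chain[0])  # chain[0] is the phishing payload
    return weights, payloads

def top_paths(chains, n=3):
    """Most frequent complete paths: first candidates for detection coverage."""
    return Counter(tuple(c) for c in chains).most_common(n)

def to_dot(weights, payloads):
    """Render edges as Graphviz DOT, thicker and labelled by frequency and payload."""
    lines = ["digraph qakbot_loader {", "  rankdir=LR;"]
    for (src, dst), w in sorted(weights.items(), key=lambda kv: -kv[1]):
        label = f"{w} via {','.join(sorted(payloads[(src, dst)]))}"
        lines.append(f'  "{src}" -> "{dst}" [label="{label}", penwidth={w}];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    chains = parse_chains(SAMPLE_CHAINS)
    w, p = edge_weights(chains)
    print(to_dot(w, p))
    print(top_paths(chains))
```

Pipe the DOT output into `dot -Tpng` to get a picture comparable to Figure 3; the edge label shows the frequency and the payloads that feed it.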

General insights

In this first installment of the series, we’ll be looking at the general trends that can be gleaned from the execution chain data and what that may tell us about adversary tradecraft. Most of this will be pulled from the above graph, incident observations, and Figure 4, a companion chart we put together of what initial phishing payloads have been used over time.


Figure 4: Qakbot initial phishing payload file types used over time.

Throughout the majority of 2022, these actors mainly stuck to the same delivery path—sending phishing emails with URLs, leading the user to download a zip file containing some sort of Microsoft Excel file that then used macros to execute the DLL. At the time, macros in Microsoft Office documents were the bread and butter of a considerable number of phishing-based threat actors. However, that February, Microsoft announced it would automatically block macros in downloaded documents starting from April through June of 2022. The Qakbot loader actors appeared to understand this would cause problems for them, and around May, they started playing around with different options. They tried out swapping out LNK files for Excel files, started introducing HTML smuggling into their repertoire, and slowly introduced different disc image formats into the chain.

Then, they took their break in August. Shortly after returning in September, it looked like they had settled into a new groove of either using a direct URL or HTML smuggling to deliver a ZIP archive with an ISO in it that contained an LNK file to execute the commands that launch the DLL.

Variations on this theme continued throughout the rest of the year until December, when it appeared HTML smuggling was being swapped out for malicious PDF documents. Then, the new year brought another break for this Qakbot crew. One month later, their return brought the introduction of OneNote documents as phishing payloads. This technique had been in use by other threat actors delivering malware like Formbook as far back as the previous December. Qakbot continued pushing OneNote documents through late February before mostly abandoning it, apart from a few one-offs, in favor of a more frequently shifting set of techniques.

An obvious takeaway from this is that threat actors will shift their techniques in response to pressures affecting the effectiveness of their current processes. The security cat and mouse game is no secret. But what we see in Qakbot is a case study in what manner an actor will make that shift.

Before the move away from Office macros, they did not just sit on the same distribution method day after day. One aspect of their method was that they used multiple, more obscure Excel file types. After moving away from macros, the varieties of procedures that can be observed steadily increased over time—sometimes revisiting old favorites, sometimes mixing several different ones together.

Strengthened security controls across a product commonly used by threat actors, while necessary, may increase the difficulty of detecting future incidents from that threat actor. Where there were at one point only variations around a single technique, taking that away increased the different techniques leveraged and made future activity less predictable.

The alterations in their delivery strategy do give defenders some hints as to where to look for the next possible moves. When we look at what else was happening contemporary to the group’s changes, we see that they appear to be paying attention to what other groups may be doing to find new delivery techniques. The usage of LNK files in phishing emails was not new around May 2022 when Qakbot first started using them—reports were coming out the month prior about Emotet using them.

When the Follina zero-day was discovered in late May 2022, Qakbot took a quick detour about a week later to try it out before it was patched. Similarly, reports on OneNote usage were followed by this group’s adoption of it until Microsoft announced improved protections in March. This suggests that to get ahead of what they may do next, it may be necessary to pay attention to trends that researchers report about similar groups, such as JPCERT’s recent report on malicious Microsoft Word files embedded into PDFs.

With Qakbot hamstrung by federal operations, there is now speculation over whether defenders will be able to evict this group from their heads to make space for other threats. Regardless, a retrospective look can help prepare us in either case. Qakbot delivery procedures over its operation were broad enough to touch common ground with the execution paths of many other similar malware campaigns, which gives us insights into threat actor behaviors given the different pressures applied to them over time. On the other hand, if they try to revive operations, then a thorough understanding of their playbook will ensure they can’t rest on previous techniques. Either way, keep an eye out for the next installments in this series, where we will be exploring more in-depth the detection opportunities available at different critical points of their execution chain.