QBot/QakBot – From email to ransomware

The heavily distributed botnet delivers a wide variety of payloads - and scans your network for weaknesses

Qakbot’s modularity and flexibility could pose a challenge for security analysts and defenders because concurrent Qakbot campaigns could look strikingly different on each affected device, significantly impacting how these defenders respond to such attacks. Therefore, a deeper understanding of Qakbot is paramount in building a comprehensive and coordinated defense strategy against it.

The emails can be jarring, and the technique used by Qakbot (aka Qbot) is especially convincing: the email-borne malware spreads by inserting malicious replies into the middle of existing email conversations, sent from the compromised accounts of other infection victims. These interjections, in the form of a reply-all message, include a short sentence and a link to download a zip file containing a malicious Office document, which downloads the malware when someone opens it.

How does the newest version of QAKBOT operate with VBA macros?

When a victim opens the malicious file from their spam email, an auto_open macro tries to create a new sheet and set the font color to white, so the cell contents are not visible to the user. Macros typically execute as soon as the victim opens the document and selects the “Enable Content” button.

The macro then assigns values to cells in “Sheet5”, and evaluates and concatenates them into the command that downloads the QAKBOT DLL from a remote host. The process chain has also changed slightly, with regsvr32.exe now being invoked with the -silent parameter instead of -s. The DLL download URL still uses now() to form the DLL name. The macro then deletes “Sheet5” when the document is closed.
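As an added detection example (not from the original article), the following Python checks constructed process-creation records for the process chain described above: an Office application spawning regsvr32.exe with the -s or -silent flag. It also applies a weaker heuristic for a DLL name made up only of digits, which is an assumption about what a now()-derived file name looks like, not something the article states.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style,
# simplified to the three fields the check needs). Not real telemetry.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -silent C:\Users\Public\13425.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -s C:\Users\Public\20210.dll"},
    # Benign: an installer registering a vendor DLL should not alert.
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    # Benign: Office spawning a print helper, not regsvr32.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe",
     "CommandLine": r"splwow64.exe 12288"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Matches "-s", "-silent", "/s" or "/silent" as a standalone argument.
SILENT_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:s|silent)(?:\s|$)")
# Heuristic (assumption): a DLL whose base name is only digits, as a
# now()-derived name might be.
NUMERIC_DLL = re.compile(r"(?i)[\\/]\d+\.dll(?:\s|$)")


def classify(event):
    """Return a list of reasons if the event matches the Qakbot-style chain,
    otherwise None."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    if image != "regsvr32.exe" or parent not in OFFICE_PARENTS:
        return None
    reasons = ["regsvr32.exe spawned by Office process " + parent]
    if SILENT_FLAG.search(cmd):
        reasons.append("silent registration flag (-s / -silent)")
    if NUMERIC_DLL.search(cmd):
        reasons.append("numeric-only DLL name (possible now()-derived name)")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that matches."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```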

Email delivery

Qakbot is delivered via one of three email methods: malicious links, malicious attachments, or, more recently, embedded images.
The messages in these email campaigns typically consist of one- or two-sentence lures (for example, “please see attached” or “click here to view a file”). Such brevity provides sufficient information and a call to action for the target users but little for content security solutions to detect.

Malicious links

The email campaigns delivering Qakbot typically include, in the message body, the URLs that download the malware onto target devices. Some of these URLs omit the HTTP or HTTPS protocol, rendering them unclickable in most email clients; to download the malware, target recipients then have to manually enter the link into a browser.

Malicious attachments

Some Qakbot-related emails sent by attackers may include a ZIP file attachment. Within the ZIP is a spreadsheet containing Excel 4.0 macros. The attachment name is meant to appear as an official corporate document to trick a target recipient into opening it.

Embedded images

In its third and most recent evolution, Qakbot arrives via an email message that only contains an embedded image in its body, a stark contrast to its previous delivery methods that used file attachments or direct hyperlinks.

Security recommendations

The constant resurgence of new, more sophisticated variants of known malware, as well as the emergence of entirely unknown threats, demands solutions with advanced detection and response capabilities. Users can protect themselves from new QAKBOT samples and other threats that spread through emails by following some of these best practices:

  • Avoid downloading attachments or selecting embedded links from emails before verifying the sender and the content.
  • Hover the pointer above embedded links to show the link’s target.
  • Check the identity of the sender. Unfamiliar email addresses, mismatched email and sender names, and spoofed company emails are some of the signs that the sender has malicious intent.
  • If the email claims to come from a legitimate company, check if they sent it before taking any action.

Users can also protect systems through managed detection and response (MDR), which utilizes advanced artificial intelligence to correlate and prioritize threats, determining if they are part of a larger attack. It can detect threats before they are executed, thus preventing further compromise.