QakBot
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| QuackBot | (Citation: Kaspersky QakBot September 2021) |
| Pinkslipbot | (Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021) |
| QBot | (Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
QakBot can maintain persistence by creating an auto-run Registry key.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
QakBot can use PowerShell to download and execute payloads.(Citation: Group IB Ransomware September 2020) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022) |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
QakBot can use VBS to download and execute malicious files.(Citation: Trend Micro Qakbot May 2020) (Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
||
| .007 | Command and Scripting Interpreter: JavaScript |
The QakBot web inject module can inject Java Script into web banking pages visited by the victim.(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022) |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
QakBot can remotely create a temporary service on a target host.(Citation: NCC Group Black Basta June 2022) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
QakBot has collected usernames and passwords from Firefox and Chrome.(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
QakBot can Base64 encode system information sent to C2.(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
QakBot has stored stolen emails and other data into new folders prior to exfiltration.(Citation: Kroll Qakbot June 2020) |
| Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
QakBot can use domain generation algorithms in C2 communication.(Citation: Trend Micro Qakbot May 2020) |
| Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
QakBot can RC4 encrypt strings in C2 communication.(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
QakBot has placed its payload in hidden subdirectories.(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
QakBot has the ability to use DLL side-loading for execution.(Citation: Deep Instinct Black Basta August 2022) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
QakBot can delete folders and files including overwriting its executable with legitimate programs.(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
QakBot can capture keystrokes on a compromised host.(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1036 | .008 | Masquerading: Masquerade File Type |
The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
QakBot can use large file sizes to evade detection.(Citation: Trend Micro Qakbot May 2020)(Citation: Group IB Ransomware September 2020) |
| .002 | Obfuscated Files or Information: Software Packing |
QakBot can encrypt and pack malicious payloads.(Citation: Cyberint Qakbot May 2021) |
||
| .005 | Obfuscated Files or Information: Indicator Removal from Tools |
QakBot can make small changes to itself in order to change its checksum and hash value.(Citation: Crowdstrike Qakbot October 2020)(Citation: Cyberint Qakbot May 2021) |
||
| .006 | Obfuscated Files or Information: HTML Smuggling |
QakBot has been delivered in ZIP files via HTML smuggling.(Citation: Trend Micro Black Basta October 2022)(Citation: Deep Instinct Black Basta August 2022) |
||
| .010 | Obfuscated Files or Information: Command Obfuscation |
QakBot can use obfuscated and encoded scripts.(Citation: Cyberint Qakbot May 2021)(Citation: Trend Micro Black Basta October 2022) |
||
| .011 | Obfuscated Files or Information: Fileless Storage |
QakBot can store its configuration information in a randomly named subkey under |
||
| Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
QakBot can use |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
QakBot has spread through emails with malicious attachments.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Deep Instinct Black Basta August 2022)(Citation: Microsoft Ransomware as a Service) |
| .002 | Phishing: Spearphishing Link |
QakBot has spread through emails with malicious links.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
||
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
QakBot can use process hollowing to execute its main payload.(Citation: ATT QakBot April 2021) |
| Enterprise | T1090 | .002 | Proxy: External Proxy |
QakBot has a module that can proxy C2 communications.(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
QakBot has the ability to create scheduled tasks for persistence.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
QakBot can identify the installed antivirus product on a targeted system.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
QakBot can use signed loaders to evade detection.(Citation: ATT QakBot April 2021)(Citation: Deep Instinct Black Basta August 2022) |
| .005 | Subvert Trust Controls: Mark-of-the-Web Bypass |
QakBot has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures.(Citation: Trend Micro Black Basta October 2022) |
||
| Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
QakBot can use MSIExec to spawn multiple cmd.exe processes.(Citation: Crowdstrike Qakbot October 2020) |
| .010 | System Binary Proxy Execution: Regsvr32 |
QakBot can use Regsvr32 to execute malicious DLLs.(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Trend Micro Black Basta October 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022) |
||
| .011 | System Binary Proxy Execution: Rundll32 |
QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication.(Citation: Crowdstrike Qakbot October 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Trend Micro Black Basta October 2022) |
||
| Enterprise | T1016 | .001 | System Network Configuration Discovery: Internet Connection Discovery |
QakBot can measure the download speed on a targeted host.(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
QakBot has gained execution through users opening malicious links.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
| .002 | User Execution: Malicious File |
QakBot has gained execution through users opening malicious attachments.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Deep Instinct Black Basta August 2022)(Citation: Microsoft Ransomware as a Service) |
||
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.(Citation: Trend Micro Qakbot May 2020)(Citation: ATT QakBot April 2021) |
| .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
The QakBot dropper can delay dropping the payload to evade detection.(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021) |
||
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0127 | TA551 |
(Citation: ATT QakBot April 2021) |
| G1037 | TA577 |
(Citation: Latrodectus APR 2024) |
References
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
- Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
- Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
- Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
- Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
- Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.