Overview of Recent Qakbot Malware Attacks
The sources listed at the end of this notice report a recent increase in Qakbot malware attacks used to gain initial access and establish a foothold in victim environments. Qakbot (also known as QBot, QuackBot, and Pinkslipbot) first appeared as a banking trojan in 2007 and has since become one of the most persistent and widely distributed trojans in the wild, continually adding new techniques and capabilities.
QBot reaches victims through several attack vectors, most commonly phishing emails. Once inside a network it spreads to other hosts and harvests credentials and other sensitive data. It also gives its operators remote access to the compromised machine, which they use for hands-on follow-up activity such as scanning the internal network or deploying ransomware.
In QBot's latest iteration, the sources report that the phishing emails link to compromised but otherwise trusted websites belonging to small businesses. Because the domain has a clean reputation, the link passes email link-scanning services and the site serves the malware. The victim downloads a zip archive containing a Windows Script File (.wsf) or JavaScript (.js) file that loads Qakbot. Observers report that the loader then injects into wermgr.exe (the Windows Error Reporting manager) and uses that process to reach its command-and-control (C2) servers. With that access, the operators move to other machines and call back through Cobalt Strike beacons running in rundll32.exe over HTTPS.
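The chain above (script host running an extracted .js/.wsf, wermgr.exe spawned by an unexpected parent and making network connections, rundll32.exe beaconing over HTTPS) maps directly onto endpoint telemetry. The following is an added example written for this notice, not code from the original or from any of the cited sources. It assumes Sysmon-style ProcessCreate (EventID 1) and NetworkConnect (EventID 3) records with Sysmon's field names; the sample records at the bottom are constructed, not captured, and use documentation IP ranges.

```powershell
# Added example (not code from the original notice): triage heuristics for the
# Qakbot chain described above, applied to Sysmon-style ProcessCreate (EventID 1)
# and NetworkConnect (EventID 3) records. Field names follow Sysmon's schema;
# the sample records at the bottom are constructed for this example.

function Test-QakbotIndicator {
    param([Parameter(Mandatory)] $Event)

    $image = [System.IO.Path]::GetFileName([string]$Event.Image).ToLower()

    switch ($Event.EventID) {
        1 {
            # Stage 1: Windows Script Host running a .js/.wsf that was extracted
            # from an archive into Temp or Downloads.
            if (($image -in @('wscript.exe', 'cscript.exe')) -and
                ($Event.CommandLine -match '\.(js|wsf)\b') -and
                ($Event.CommandLine -match '\\(Temp|Downloads)\\')) {
                return "script host launched extracted script: $($Event.CommandLine)"
            }
            # Stage 2: wermgr.exe is normally started by svchost.exe (WerSvc or
            # the QueueReporting task) or by another wermgr.exe; any other
            # parent suggests it was spawned as an injection target.
            if ($image -eq 'wermgr.exe') {
                $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage).ToLower()
                if ($parent -notin @('svchost.exe', 'wermgr.exe')) {
                    return "wermgr.exe spawned by unexpected parent $parent"
                }
            }
        }
        3 {
            # Any process calling out to the C2 port named in this notice.
            if ($Event.DestinationPort -eq 65400) {
                return "outbound tcp/65400 from $image to $($Event.DestinationIp)"
            }
            # Stage 2: wermgr.exe should not open connections to arbitrary Internet
            # hosts; Windows Error Reporting talks to a small set of Microsoft endpoints.
            if ($image -eq 'wermgr.exe') {
                return "wermgr.exe connected to $($Event.DestinationIp):$($Event.DestinationPort)"
            }
            # Stage 3: rundll32.exe talking HTTPS is a common Cobalt Strike beacon
            # host process; treat it as review-worthy rather than certain.
            if ($image -eq 'rundll32.exe' -and $Event.DestinationPort -eq 443) {
                return "rundll32.exe HTTPS connection to $($Event.DestinationIp)"
            }
        }
    }
    return $null
}

# Constructed sample records (not real telemetry); IPs are from documentation ranges.
$sampleEvents = @(
    [pscustomobject]@{ EventID = 1; Image = 'C:\Windows\System32\wscript.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\Invoice_2771.wsf"' }
    [pscustomobject]@{ EventID = 1; Image = 'C:\Windows\System32\wermgr.exe'; ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'C:\Windows\System32\wermgr.exe' }
    [pscustomobject]@{ EventID = 3; Image = 'C:\Windows\System32\wermgr.exe'; DestinationIp = '203.0.113.10'; DestinationPort = 65400 }
    [pscustomobject]@{ EventID = 3; Image = 'C:\Windows\System32\rundll32.exe'; DestinationIp = '198.51.100.7'; DestinationPort = 443 }
    # Benign control: wermgr.exe started by svchost.exe is not flagged.
    [pscustomobject]@{ EventID = 1; Image = 'C:\Windows\System32\wermgr.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'C:\Windows\System32\wermgr.exe -queuereporting' }
)

foreach ($evt in $sampleEvents) {
    $hit = Test-QakbotIndicator -Event $evt
    if ($hit) { Write-Output "[ALERT] $hit" }
}
```

Against real telemetry, pull the records with `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'`, map the EventData fields to the property names used here, and pipe them through the same function. The rundll32.exe and wermgr.exe network checks will produce some false positives in large fleets; the parent-process and tcp/65400 checks are much higher fidelity.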
How to Protect Against Qakbot Malware
To mitigate the Qakbot threat, treat zip archives containing JavaScript or Windows Script Files disguised as invoices or other documents as hostile, and block the Indicators of Compromise (IoCs) associated with Qakbot in your firewall and DNS filtering. The Qakbot C2 servers observed in this campaign listen on remote TCP port 65400. Note that IoC lists age quickly: several of the hostnames below are residential ISP addresses that change frequently, so blocking the port and the behaviours described above is more durable than blocking the addresses alone.
The following table lists the IP addresses and their associated hostnames (reverse DNS) to block:
| IP Address | Hostname (reverse DNS) |
|---|---|
| 172.107.98[.]3 | unassigned.psychz[.]net |
| 23.111.114[.]52 | N/A |
| 94.103.85[.]86 | v1785516.hosted-by-vdsina[.]ru |
| 99.228.131[.]116 | cpef02f74c848b8-cm30b7d4b9e4d0.sdns.net.rogers[.]com |
| 47.205.25[.]170 | N/A |
| 79.47.207[.]6 | host-79-47-207-6.retail.telecomitalia[.]it |
Other Mitigations for Qakbot Malware Attacks:
- Disable Windows Script Host (wscript.exe and cscript.exe) on machines where no installed software depends on it
- Block outbound connections to remote TCP port 65400 at the firewall
- Geoblock outbound connections at the firewall to regions your organization does not do business with (test first, since this can break legitimate software that calls out to hosts in those regions)
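The first two host-level mitigations in the list above can be applied and verified from PowerShell. This is an added example, not configuration from the original notice; it assumes a Windows 8/Server 2012 or later endpoint with the NetSecurity module, an elevated session, and a firewall rule name chosen for this example. Geoblocking is specific to your perimeter firewall and is not covered here.

```powershell
# Added example (not from the original notice): applies the Windows Script Host
# and tcp/65400 mitigations on a single endpoint. Run from an elevated session.
#Requires -RunAsAdministrator

# 1. Disable Windows Script Host machine-wide. wscript.exe and cscript.exe read
#    this value and refuse to run .js/.wsf/.vbs files when it is 0. Confirm first
#    that no installed software depends on WSH; re-enable with a value of 1.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
New-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

# 2. Block outbound TCP to the Qakbot C2 port on the host firewall for all
#    network profiles. The rule name is an assumption made for this example.
$ruleName = 'Block Qakbot C2 tcp/65400'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 65400 -Action Block -Profile Any -Enabled True | Out-Null
}

# 3. Verify both settings took effect.
$wshEnabled = (Get-ItemProperty -Path $wshKey -Name 'Enabled').Enabled
$rule = Get-NetFirewallRule -DisplayName $ruleName
Write-Output "Windows Script Host Enabled = $wshEnabled (expected 0)"
Write-Output "Firewall rule '$($rule.DisplayName)': Direction=$($rule.Direction) Action=$($rule.Action) Enabled=$($rule.Enabled)"
```

For fleet-wide deployment, push the same registry value and firewall rule through Group Policy (Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall) rather than running the script per host, so the settings are enforced and re-applied if tampered with.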
Cybersecurity Services to Protect Against Malware
M.A. Polce is an IT and cybersecurity company in New York that provides comprehensive, customizable cybersecurity services. We protect businesses from threats like QBot using a combination of human expertise and advanced technology. If your organization needs help managing the security of its IT environment, contact us to learn about our managed cybersecurity services.
Sources
Blackpoint Cyber’s Cyber Threat Notice
https://www.digitaljournal.com/tech-science/new-cyberthreat-in-the-horizon-qakbot-malware/article
https://informationsecuritybuzz.com/abb-struck-black-basta-ransomware/
https://www.cyber.nj.gov/alerts-advisories/2023-q1-qbot-trend-analysis
https://www.datto.com/blog/qbot-malware-what-is-it-and-how-does-it-work