Wednesday, October 19, 2022
Black Basta Ransomware Gang Infiltrates Networks Using Penetration Testing Tools

Operators of the Black Basta ransomware group resumed distribution of the QAKBOT malware once again on September 8, 2022, after a short break.

The latest distribution mechanism and campaign were identified by cybersecurity researchers at Trend Micro, who observed the attackers using penetration testing tools to infiltrate the targeted networks.

In this latest campaign, the threat actors are distributing the QAKBOT malware with the help of the following malicious payloads:

  • SmokeLoader
  • Emotet
  • Malicious spam (BB and Obama20x IDs)
  • Brute Ratel C4 framework

In their recent attacks, the attackers used the Qakbot malware to deliver the Brute Ratel C4 framework as a second-stage payload. During the attack, Cobalt Strike was also used to move laterally.

Technical Analysis

The entire campaign starts with a malicious email. This email contains a malicious URL that redirects victims to a download page, from which an archive file containing documents and files is downloaded.

Two things are found inside the archive:

  • An LNK file inside an ISO file
  • Two hidden subdirectories

The C&C servers are geographically distributed among compromised hosts, which makes the infrastructure difficult to detect. These hosts are found within ISP broadband networks in 28 countries.

Each C&C server is used only once by the QAKBOT operators: rather than reusing a server, they keep rotating them to add complexity. Some of the servers have even been found stored in more than one QAKBOT configuration.

QAKBOT launches a reconnaissance operation on the network and then drops the Brute Ratel DLL within 6 minutes of its arrival.

The following are identified during the subsequent reconnaissance of the environment:

  • Privileged users
  • Active Directory
  • Group policies
  • Domains
  • Computers
  • Users

To prepare the data for exfiltration, the collected files are then packaged into a ZIP file; this data collection step takes only a few seconds.
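The reconnaissance phase described above (privileged users, Active Directory, group policies, domains, computers, users, all within a few minutes of the initial foothold) is a pattern a defender can hunt for: several categories of discovery commands from one host inside a short window. The script below is an added example, not code from the article or from Trend Micro. The log format, the host names, and the mapping from common built-in Windows commands to the article's categories are assumptions; the 6-minute window is taken from the timeline the article gives.

```python
"""Flag hosts where several categories of discovery commands run within a short window.

Added example. The log lines, host names and the command-to-category mapping are
constructed assumptions; they are not indicators published in the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per discovery category named in the article. The commands are the
# built-in Windows tools an analyst would typically expect for each category
# (assumption, not from the article).
DISCOVERY_PATTERNS = {
    "privileged_users": re.compile(
        r'\bnet1?\s+(?:group|localgroup)\s+"?(?:domain admins|administrators|enterprise admins)', re.I),
    "active_directory": re.compile(r'\b(?:nltest|dsquery|adfind)(?:\.exe)?\b', re.I),
    "group_policies":   re.compile(r'\bgpresult(?:\.exe)?\b', re.I),
    "domains":          re.compile(r'\bnet1?\s+view\s+/domain\b|/dclist', re.I),
    "computers":        re.compile(r'\bnet1?\s+view\b(?!\s+/domain)|\bnet1?\s+group\s+"?domain computers', re.I),
    "users":            re.compile(r'\bnet1?\s+user\b|\bwhoami(?:\.exe)?\b', re.I),
}

# Constructed process-creation log format: ISO timestamp, host, user, quoted command line.
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# Constructed sample log: one host runs five categories of discovery in under four
# minutes, one admin host runs two unrelated commands hours apart, one host is benign.
SAMPLE_LOG = '''\
2022-09-08T10:01:12Z host=WS-017 user=CORP\\jdoe cmd="whoami /groups"
2022-09-08T10:02:30Z host=WS-017 user=CORP\\jdoe cmd="net group "domain admins" /domain"
2022-09-08T10:03:05Z host=WS-017 user=CORP\\jdoe cmd="nltest /dclist:corp.local"
2022-09-08T10:04:40Z host=WS-017 user=CORP\\jdoe cmd="gpresult /r"
2022-09-08T10:05:10Z host=WS-017 user=CORP\\jdoe cmd="net view /domain:corp"
2022-09-08T09:00:00Z host=SRV-ADMIN-02 user=CORP\\helpdesk cmd="gpresult /r /scope:computer"
2022-09-08T14:12:00Z host=SRV-ADMIN-02 user=CORP\\helpdesk cmd="net user contractor01 /domain"
2022-09-08T10:02:00Z host=WS-022 user=CORP\\asmith cmd="notepad.exe C:\\notes.txt"
'''


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "user": m["user"], "cmd": m["cmd"]}


def classify(cmd):
    """Return the set of discovery categories a command line matches (may be empty)."""
    return {name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmd)}


def detect_discovery_bursts(lines, window=timedelta(minutes=6), min_categories=3):
    """Return {host: alert} for hosts that hit >= min_categories categories inside one window.

    Events are grouped per host and sorted; a window starts at each discovery event
    and everything up to `window` later is accumulated. The first window that reaches
    the threshold produces the host's alert.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cats = classify(ev["cmd"])
        if cats:
            events[ev["host"]].append((ev["ts"], cats, ev["cmd"]))

    alerts = {}
    for host, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(evs):
            seen, cmds = set(), []
            for ts, cats, cmd in evs[i:]:
                if ts - start > window:
                    break
                seen |= cats
                cmds.append(cmd)
            if len(seen) >= min_categories:
                alerts[host] = {"first_seen": start, "categories": sorted(seen), "commands": cmds}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in detect_discovery_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(alert['categories'])} discovery categories from {alert['first_seen']}")
        for cmd in alert["commands"]:
            print(f"    {cmd}")
```

The threshold of three categories keeps a lone `gpresult` from an administrator out of the alert queue; the point is the density of distinct discovery activity from one host, not any single command. On real telemetry the `LOG_RE` parser would be replaced by whatever the EDR or Sysmon pipeline emits, and the category patterns tuned to the tooling actually present in the estate.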

QAKBOT C&C Server Countries

Here we have compiled a list of the countries in which the C&C servers for QAKBOT are located:

  • Afghanistan
  • Algeria
  • Argentina
  • Austria
  • Brazil
  • Bulgaria
  • Canada
  • Chile
  • Colombia
  • Egypt
  • India
  • Indonesia
  • Japan
  • Mexico
  • Mongolia
  • Morocco
  • Netherlands
  • Qatar
  • Russia
  • South Africa
  • Taiwan
  • Thailand
  • Turkey
  • United Arab Emirates
  • United Kingdom
  • United States
  • Vietnam
  • Yemen

Apart from this, it has been observed that the attackers are also using the HTML smuggling technique to deliver a password-protected ZIP file. With this technique, malicious code is embedded in HTML attachments or web pages and the file is assembled in the victim's browser.
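Because the ZIP is assembled client-side, a mail gateway that only looks for archive attachments never sees one. A static triage of the HTML itself is the defender's counterpart: look for the JavaScript constructs that materialise a file in the browser and decode any large base64 literal to see what it really is. The script below is an added example and not code from the article or from Trend Micro; the indicator list, the two HTML samples and the fake ZIP header inside the positive sample are constructed assumptions. The ZIP check goes slightly beyond the article by reading the encryption bit of the local file header, which is how "password-protected" shows up on the wire.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators.

Added example. The indicator list and both HTML samples are constructed; the
"smuggled" payload is only a fake ZIP local-file header, not a real archive.
"""
import base64
import re
import struct

# JavaScript constructs HTML smuggling relies on to build and save a file client-side.
INDICATORS = {
    "base64_decode":   re.compile(r'\batob\s*\('),
    "blob_construct":  re.compile(r'\bnew\s+Blob\s*\('),
    "object_url":      re.compile(r'URL\.createObjectURL\s*\('),
    "ie_save_blob":    re.compile(r'msSaveOrOpenBlob'),
    "forced_download": re.compile(r'\.download\s*=|\bdownload\s*=\s*["\']'),
    "byte_array":      re.compile(r'\bUint8Array\b'),
}
# A quoted base64 literal of 200+ characters is a candidate embedded file.
BASE64_BLOB = re.compile(r'["\']([A-Za-z0-9+/]{200,}={0,2})["\']')

# Constructed fake payload: ZIP local file header signature, version 2.0, general
# purpose flag bit 0 set (entry is encrypted), padded to 200 bytes.
FAKE_ZIP_HEADER = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 192

# Constructed positive sample: the textbook decode -> Blob -> object URL -> click chain.
SMUGGLING_HTML = """<html><body><script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/zip"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(FAKE_ZIP_HEADER).decode())

# Constructed benign sample: ordinary HTML with a harmless script.
BENIGN_HTML = """<html><body><h1>Quarterly newsletter</h1>
<p>Read the full report on our <a href="https://intranet.example/reports">intranet</a>.</p>
<script>document.querySelector("h1").style.color = "navy";</script></body></html>"""


def inspect_payload(data):
    """Identify a decoded blob by magic bytes; for ZIP, read the encryption flag."""
    info = {"size": len(data), "type": "unknown", "encrypted": None}
    if data[:4] == b"PK\x03\x04" and len(data) >= 8:
        info["type"] = "zip"
        # Local file header: signature (4) | version needed (2) | general purpose flags (2)
        flags = struct.unpack_from("<H", data, 6)[0]
        info["encrypted"] = bool(flags & 0x1)
    elif data[:2] == b"MZ":
        info["type"] = "pe"
    return info


def extract_embedded(html):
    """Decode every large base64 literal in the HTML and describe what it contains."""
    found = []
    for literal in BASE64_BLOB.findall(html):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append(inspect_payload(data))
    return found


def triage_html(html):
    """Return matched indicators, decoded embedded payloads and a suspicious verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    embedded = extract_embedded(html)
    suspicious = len(hits) >= 3 or any(e["type"] in ("zip", "pe") for e in embedded)
    return {"indicators": hits, "embedded": embedded, "suspicious": suspicious}


if __name__ == "__main__":
    for label, sample in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_html(sample))
```

Three or more indicators together, or any decoded payload that turns out to be an archive or executable, is enough to quarantine the attachment for a human look; a single `atob(` on its own appears in plenty of legitimate pages and is not worth alerting on. Obfuscated scripts will defeat the regexes, so this is a cheap first pass in front of sandbox detonation, not a replacement for it.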

Recommendations

Here below we have listed all the recommendations provided:

  • Always verify the email sender.
  • Don't open or download any suspicious attachments received from an unknown sender.
  • Don't click or open any suspicious links.
  • Always verify the authenticity of embedded links by hovering over them.
  • Before taking any action, verify whether the email really comes from the company that claims to have sent it.
