Qakbot
QakBot, also known as QBot, QuakBot, and Pinkslipbot, is a long-running, financially motivated cybercriminal malware operation centered on a modular information stealer and banking trojan. The content describes it as active since 2007/2008 and notes that it evolved from banking malware into an initial access broker associated with ransomware enablement. QakBot steals financial data, banking credentials, and browser information and installs a backdoor; infections can progress to post-exploitation activity including Cobalt Strike, fileless .NET Mimikatz, and double-extortion ransomware activity, including Black Basta- and CONTI-associated intrusions.

The content states that QakBot campaigns commonly used spam or hijacked email threads for initial access, including malicious HTML attachments, password-protected ZIP archives, malicious URLs, ISO images, and malicious LNK files. QakBot operators used HTML smuggling for initial access throughout 2022 and 2023, including ZIP archives hidden inside HTML files. Post-execution, QakBot abused LOLBins including CMD, WScript, CURL, Regsvr32, and Rundll32. Observed chains included LNK > CMD and CURL > PING > Regsvr32; LNK > CALC > Regsvr32 (using DLL hijacking); and LNK > CURL and WSCRIPT > CMD > PING and Regsvr32.

The malware performed process injection using process hollowing into legitimate Windows processes, selecting targets from a hardcoded list partly based on the antivirus products it detected. Observed target processes included wermgr.exe, explorer.exe, mobsync.exe, msra.exe, OneDriveSetup.exe, iexplore.exe, and dxdiag.exe. Additional content notes suspicious remote thread execution and DLL side-loading behavior associated with QakBot, including calc.exe side-loading WindowsCodecs.dll and remote thread creation in processes such as Taskmgr.exe, calc.exe, and notepad.exe.

The content describes anti-analysis and persistence behavior including antivirus checks; termination when C:\INTERNAL__empty is present, used to detect the Windows Defender sandbox; configuration stored in the registry under HKCU\Software\Microsoft\[RandomDir]; persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run and, for high-privileged users, scheduled tasks; and dropped DLL copies under %APPDATA%\Microsoft\[RandomDir]. It also notes that persistence artifacts were later removed as an anti-forensics measure.

QakBot conducted host and network discovery using commands such as net view, arp -a, ipconfig /all, net share, route print, netstat -nao, net localgroup, whoami /all, and nslookup. The content specifically notes QakBot abuse of nslookup LDAP queries to gather domain controller information. It also abused esentutl.exe to access Internet Explorer and Microsoft Edge web cache data and could receive additional browser credential and cookie stealing modules from C2. Communications were described as HTTPS POST requests to hardcoded command-and-control servers.

The content states that QakBot continued operating after the FBI's August 2023 Operation Duck Hunt takedown. It describes the post-takedown campaign tchk08, first observed on 2024-02-06, delivering QakBot via an MSI installer masquerading as Adobe Acrobat. That chain used DLL sideloading via a legitimate Microsoft-signed OfficeClickToRun.exe and a trojanized antimalware_provider64.dll masquerading as a Bitdefender AMSI provider. The report cited multi-layer encrypted configuration storage, an Atlassian Bamboo CI/CD PDB path, Russian-locale MSI metadata, and a tiered C2 architecture with Tier 2 servers and more than 100 compromised residential proxy nodes. The content assesses attribution to Russia or Eastern Europe with medium confidence based on locale metadata, hosting choices, build artifacts, and historical attribution, while also stating that the operators' motivation is financial.
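The LOLBin chains, calc.exe/OfficeClickToRun.exe DLL side-loading, and discovery-command bursts described above can be expressed as simple rules over endpoint process and image-load telemetry. The following is an added example (not from the page or any vendor); the Sysmon-like event records are constructed, and the trusted directories, stager/helper sets and burst threshold are assumptions chosen for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-like events (not real telemetry): "proc" = process creation, "load" = image load.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "proc", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\curl.exe"},
    {"type": "proc", "pid": 202, "ppid": 200, "image": r"C:\Windows\System32\PING.EXE"},
    {"type": "proc", "pid": 203, "ppid": 200, "image": r"C:\Windows\System32\regsvr32.exe"},
    {"type": "load", "pid": 300, "image": r"C:\Windows\System32\calc.exe", "dll": r"C:\Users\u\AppData\Local\Temp\WindowsCodecs.dll"},
    {"type": "load", "pid": 301, "image": r"C:\Windows\System32\calc.exe", "dll": r"C:\Windows\System32\WindowsCodecs.dll"},
    {"type": "proc", "pid": 400, "ppid": 203, "image": r"C:\Windows\System32\net.exe"},
    {"type": "proc", "pid": 401, "ppid": 203, "image": r"C:\Windows\System32\ARP.EXE"},
    {"type": "proc", "pid": 402, "ppid": 203, "image": r"C:\Windows\System32\ipconfig.exe"},
    {"type": "proc", "pid": 403, "ppid": 203, "image": r"C:\Windows\System32\whoami.exe"},
    {"type": "proc", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\regsvr32.exe"},  # no stager chain: benign
]

STAGERS = {"cmd.exe", "wscript.exe", "calc.exe"}   # parents seen launching regsvr32 in the chains above
HELPERS = {"curl.exe", "ping.exe", "wscript.exe"}  # siblings that download or delay before regsvr32 runs
DISCOVERY = {"net.exe", "arp.exe", "ipconfig.exe", "route.exe", "netstat.exe", "whoami.exe", "nslookup.exe"}
# Side-loaded DLL -> host binary named in the text. Trusted directories and threshold are assumptions.
SIDELOAD = {"windowscodecs.dll": "calc.exe", "antimalware_provider64.dll": "officeclicktorun.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
DISCOVERY_BURST = 4

def base(path):
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, pid) findings for the QakBot-style behaviours, in the order they are seen."""
    findings, image_of, children = [], {}, defaultdict(list)  # pid -> basename, ppid -> child basenames
    for ev in events:
        if ev["type"] == "proc":
            name, ppid = base(ev["image"]), ev["ppid"]
            image_of[ev["pid"]] = name
            children[ppid].append(name)
            parent = image_of.get(ppid, "")
            # Rule 1: regsvr32 spawned by calc.exe (hijacked DLL) or by cmd/wscript alongside curl/ping.
            if name == "regsvr32.exe" and parent in STAGERS and (parent == "calc.exe" or HELPERS & set(children[ppid])):
                findings.append(("lolbin_regsvr32_chain", ev["pid"]))
            # Rule 3: one process fanning out into several of the discovery tools listed in the text.
            if name in DISCOVERY and len(DISCOVERY & set(children[ppid])) == DISCOVERY_BURST:
                findings.append(("discovery_burst", ppid))
        elif ev["type"] == "load":
            dll, host = ev["dll"], base(ev["image"])
            # Rule 2: the named DLL loaded by its side-loading host from outside the trusted directories.
            if SIDELOAD.get(base(dll)) == host and not ntpath.dirname(dll).lower().startswith(TRUSTED_DIRS):
                findings.append(("dll_sideload", ev["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid}")
```

Against the constructed events this yields one finding per rule (pids 203, 300 and 203) and ignores both the system copy of WindowsCodecs.dll and the regsvr32 launched directly by explorer.exe.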
Used HTML smuggling files to deliver initial access payloads during 2022 and 2023.
A long-running cybercrime operation that evolved from a banking trojan into an initial access broker. In this content it is actively distributed post-takedown via MSI, LNK, BAT, and ZIP-based delivery, using DLL sideloading, encrypted configuration data, and a tiered proxy/C2 architecture, with campaigns targeting military and government entities.
Associated in the content with use of DLL side-loading via calc.exe loading a malicious WindowsCodecs.dll from a non-standard location.
Associated with process injection activity using remote thread execution into legitimate Windows processes.