Robber Duck

Qakbot goes phishing in Hong Kong

Since the beginning of 2021, DarkLab analysts have observed multiple clients and third-party organisations in Hong Kong targeted with malicious phishing emails aimed at delivering the Qakbot malware, also referred to as Quakbot or Qbot. While the Qakbot payload is well researched in open source, we want to shed light on the observed attack chain to raise awareness of this threat and help mitigate future phishing attempts against organisations in Hong Kong and APAC.

Since the takedown of Emotet, one of the largest spam botnets and initial access brokers, the cybercriminals behind Qakbot have increased their operational tempo and are actively targeting Hong Kong. We therefore expect Qakbot to remain a threat for the region in the coming months, particularly due to Qakbot's links to known ransomware families.

Infection chain

Qakbot started as a banking trojan in 2009 but has since 2019 been seen exfiltrating sensitive financial data and email threads from victims, as well as delivering the ProLock ransomware.

The phishing emails we observed were sent from likely compromised third-party companies. These previous victims were based around the globe, from South America to Asia, highlighting the global scope of Qakbot’s operations.

The email’s subject and text suggest the threat actors have hijacked email threads to add a layer of credibility to their phishing lures. In one case, a phishing email to a large company in the real estate sector referred to an existing high-profile event that the target organises each year, likely suggesting the phishing attempt was somewhat targeted rather than completely opportunistic.

Fig 1 – phishing email to a property developer delivering QakBot malware

In other phishing emails, like one sent to a retail organisation (see below), the threat actors attempted to spoof the sender to make the email look like it was coming from an organisation based in Hong Kong.

Fig 2 – phishing email to a retailer delivering QakBot malware

The emails have a compressed archive attached, containing a macro-enabled Excel document.

Fig 3 – overview of Qakbot infection chain

The latter displays a generic DocuSign template and requires user interaction to activate the malicious macros hidden in the workbook.

Fig 3 – phishing lure used to deliver QakBot malware

We analysed one such lure document [filename: Document_1204144908-12232020-Copy.xlsm ; MD5: 77a6bf34403b2a4e6e2eaa4435d22b50] which executes macros that serve as a dropper. The dropper contacts one of five command and control (C2) URLs in an attempt to download the same file called, in this case, 55555555555.jpg, a DLL file containing the second stage of the malware. Other droppers analysed also showed similar behavior despite the different stager servers and DLL names dropped.

We also found numerous documents similar to the one we analysed, reinforcing that this was indeed part of a larger phishing campaign.

Fig 4 – Example of similar phishing documents on Virus Total

The macro eventually runs the malicious DLL [MD5: 66adf2e8e5561bf7cf3f3cb50d9256bf] via rundll32.exe, a technique threat actors use to proxy the execution of malicious code while avoiding detection by security systems.

Fig 5 – Qakbot execution of malicious DLL via legitimate process
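The execution step described above leaves a recognisable trace in process-creation telemetry: rundll32.exe loading a module whose extension is not one it normally loads, such as the .jpg file named earlier. The following detection sketch is an added example, not code from the original analysis; the Sysmon-style field names, the drop directory, the export name and Excel as the direct parent process are assumptions made for illustration.

```python
import ntpath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# rundll32 appends .dll when no extension is given, so "" counts as normal.
EXPECTED_EXT = {".dll", ".cpl", ".ocx", ""}

# Constructed events (Sysmon Event ID 1 field names); path and export are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\55555555555.jpg,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def _take_token(s):
    """Split off the first command-line token, honouring double quotes."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    parts = s.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], parts[1] if len(parts) > 1 else ""

def score_event(ev):
    """Return the reasons a rundll32 launch looks like proxy execution."""
    if ntpath.basename(ev.get("Image", "")).lower() != "rundll32.exe":
        return []
    _, rest = _take_token(ev.get("CommandLine", ""))
    module, _ = _take_token(rest)
    module = module.split(",", 1)[0]  # drop ",ExportName" (paths with commas not handled)
    ext = ntpath.splitext(module)[1].lower()
    reasons = []
    if module and ext not in EXPECTED_EXT:
        reasons.append(f"module extension {ext}")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"office parent {parent}")
    return reasons

def detect(events):
    """Return (index, reasons) for every event with at least one reason."""
    scored = [(i, score_event(ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in scored if r]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(idx, reasons)
```

Either reason alone is worth triage; both together on one event match the chain described in this post.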

This specific campaign is linked to one of Qakbot’s botnets called abc117, while security researchers have linked other botnets, like abc123, to spam campaigns in other parts of the world. Malware operators often use different botnets to ensure resilience from law enforcement action and their ability to deliver malware to a wider range of targets.

Conclusion

Despite the successful law enforcement action against one of the largest spam botnets, Emotet, in January, our findings suggest that other botnets are ready to step into the vacant spot left by it.

Operations like Qakbot show how phishing will remain a significant threat for companies in Hong Kong, as threat actors use similar malware to obtain an initial foothold in companies’ networks and to deploy further malware, like human-operated ransomware.

Strong email security processes and user awareness remain paramount to avoid initial infection from similar phishing campaigns, which can lead to very impactful ransomware incidents. Threat feeds can also help detect the often-changing attack infrastructure of botnets like Qakbot by providing up-to-date indicators of compromise for ingestion by security detection systems. In particular, we found that URLhaus’ database is a useful source of malware URLs for Qakbot that can aid network defenders.
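One way to ingest such a feed while accounting for how quickly this infrastructure changes is sketched below as an added example, not part of the original analysis. The feed column names, the 14-day freshness window, the proxy log layout and all hosts are assumptions constructed for illustration and are not the actual export format of any feed.

```python
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed feed sample; column names are assumptions for this example.
FEED_CSV = '''dateadded,url,url_status,tags
2021-02-01 08:00:00,http://stager-a.example.test/files/55555555555.jpg,online,Qakbot
2021-01-02 09:30:00,http://stager-b.example.test/files/55555555555.jpg,offline,"Qakbot,dll"
2021-02-01 10:00:00,http://other.example.test/x.exe,online,OtherFamily
'''

# Constructed proxy log lines: "timestamp client url".
PROXY_LOG = [
    "2021-02-02T03:14:00 10.0.0.5 http://stager-a.example.test/files/55555555555.jpg",
    "2021-02-02T03:15:10 10.0.0.9 http://Stager-B.example.test/files/55555555555.jpg",
    "2021-02-02T03:16:42 10.0.0.7 http://intranet.example.test/",
]

def _key(url):
    """Normalise a URL to (lower-cased host, path) for matching."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"

def load_indicators(feed_text, family, now, max_age_days=14):
    """Map feed URLs tagged with `family` to 'block' or 'alert'.

    Only fresh entries still reported online are blocked; stale or
    offline ones are kept for alerting, since the host may no longer
    be malicious.
    """
    indicators = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        tags = {t.strip().lower() for t in row["tags"].split(",")}
        if family.lower() not in tags:
            continue
        added = datetime.strptime(row["dateadded"], "%Y-%m-%d %H:%M:%S")
        fresh = now - added <= timedelta(days=max_age_days)
        online = row["url_status"] == "online"
        indicators[_key(row["url"])] = "block" if fresh and online else "alert"
    return indicators

def match_proxy(lines, indicators):
    """Return (client, url, action) for each log line hitting an indicator."""
    hits = []
    for line in lines:
        _ts, client, url = line.split(" ", 2)
        action = indicators.get(_key(url))
        if action:
            hits.append((client, url, action))
    return hits
```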

C2 servers hardcoded in Qakbot DLL analysed

Note that not all of the IPs below are likely to still be actively used for malicious purposes; please apply caution when using them for blocking.
