Qakbot goes phishing in Hong Kong
Since the beginning of 2021, DarkLab analysts have observed multiple clients and third-party organisations in Hong Kong targeted with malicious phishing emails aimed at delivering the Qakbot malware, also referred to as Quakbot or Qbot. While the Qakbot payload is well researched in open source, we want to shed light on the observed attack chain to raise awareness of this threat and help mitigate future phishing attempts against organisations in Hong Kong and APAC.
Since the takedown of Emotet, one of the largest spam botnets and initial access broker, cybercriminals behind Qakbot have increased their operational tempo and are actively targeting Hong Kong. We therefore expect Qakbot to remain a threat for the region in the coming months, particularly due to Qakbot links to known ransomware families.
Infection chain
Qakbot started as a banking trojan in 2009 but has since 2019 been seen exfiltrating sensitive financial data and email threads from victims, as well as delivering the ProLock ransomware.
The phishing emails we observed were sent from likely compromised third party companies. These previous victims were based around the globe, from South America to Asia, highlighting the global scope of Qakbot’s operations.
The email’s subject and text suggest the threat actors have hijacked email threads to add a layer of credibility to their phishing lures. In one case, a phishing email to a large company in the real estate sector referred to an existing high-profile event that the target organises each year, likely suggesting the phishing attempt was somewhat targeted rather than completely opportunistic.
Fig 1 – phishing email to a property developer delivering QakBot malware
Other phishing emails, like one sent to a retail organisation (see below), threat actors attempted to spoof the sender to make it look like it was coming from an organisation based in Hong Kong.
Fig 2 – phishing email to a retailer delivering QakBot malware
The emails have a compressed archive attached, containing a macro-enabled Excel document.
Fig 3 – overview of Qakbot infection chain
The latter displays a generic DocuSign template and requires user interaction to activate the malicious macros hidden in the workbook.
Fig 3 – phishing lure used to deliver QakBot malware
We analysed one such lure document [filename: Document_1204144908-12232020-Copy.xlsm ; MD5: 77a6bf34403b2a4e6e2eaa4435d22b50] which executes macros that serve as a dropper. The dropper contacts one of five command and control (C2) URLs in an attempt to download the same file called, in this case, 55555555555.jpg, a DLL file containing the second stage of the malware. Other droppers analysed also showed similar behavior despite the different stager servers and DLL names dropped.
We also found numerous documents similar to the one we analysed, reinforcing how this was indeed part of a larger phishing campaign.
Fig 4 – Example of similar phishing documents on Virus Total
The macro eventually starts the malicious DLL [MD5: 66adf2e8e5561bf7cf3f3cb50d9256bf] run via rundll32.exe, a technique used by threat actors to proxy execute malicious code while avoiding detection by security systems.
Fig 5 – Qakbot execution of malicious DLL via legitimate process
This specific campaign is linked to one of Qakbot’s botnets called abc117, while security researchers have linked other botnets, like abc123, to spam campaigns in other parts of the world. Malware operators often use different botnets to ensure resilience from law enforcement action and their ability to deliver malware to a wider range of targets.
Conclusion
Despite the successful law enforcement action against one of the largest spam botnets, Emotet, in January, our findings suggest that other botnets are ready to step into the vacant spot left by it.
Operations like Qakbot show how phishing will remain a significant threat for companies in Hong Kong, as threat actors use similar malware to obtain an initial foothold in companies’ networks and to deploy further malware, like human-operated ransomware.
Strong email security processes and users’ awareness remain paramount to avoid initial infection from similar phishing campaigns that can lead to very impactful ransomware incidents. Threat feeds can also help detect often-changing attack infrastructure of botnets like Qakbot by providing up-to-date indicators of compromise for ingestion of security detection systems. In particular, we found that URLhaus’ database contains a useful source of malware URLs for Qakbot that can aid network defenders.
C2 servers hardcoded in Qakbot DLL analysed
Note that not all the below IPs are likely to be still actively used for malicious purposes, please apply caution when using them for blocking.
| 67.6.54.180:443 | 197.49.109.229:995 | 149.28.101.90:8443 |
| 187.250.170.34:995 | 75.67.192.125:443 | 45.77.115.208:8443 |
| 67.141.11.98:443 | 187.202.130.179:443 | 216.215.77.18:2078 |
| 109.154.79.222:2222 | 67.82.244.199:2222 | 45.32.211.207:8443 |
| 2.88.184.160:443 | 41.228.211.35:443 | 207.246.77.75:2222 |
| 85.52.72.32:2222 | 197.82.221.199:443 | 207.246.77.75:995 |
| 86.98.21.234:443 | 90.53.100.20:2222 | 98.16.204.189:995 |
| 73.166.10.38:50003 | 37.210.132.106:995 | 80.106.85.24:2222 |
| 90.61.30.155:2222 | 191.84.1.58:443 | 86.126.220.203:443 |
| 71.182.142.63:443 | 73.166.10.38:61202 | 71.14.110.199:443 |
| 178.223.22.192:995 | 86.98.223.81:22 | 83.110.241.182:443 |
| 184.189.122.72:443 | 80.11.5.65:2222 | 76.111.128.194:443 |
| 181.39.236.199:443 | 187.7.236.197:995 | 32.212.117.188:443 |
| 72.240.200.181:2222 | 81.214.126.173:2222 | 72.36.59.46:2222 |
| 154.238.45.174:995 | 90.201.21.58:443 | 68.186.192.69:443 |
| 47.22.148.6:443 | 89.137.211.239:995 | 105.226.38.36:443 |
| 2.51.251.47:995 | 24.234.204.230:995 | 109.106.69.138:2222 |
| 199.19.117.131:443 | 189.222.83.156:443 | 108.46.145.30:443 |
| 200.76.215.87:443 | 181.134.233.216:443 | 181.129.155.10:443 |
| 37.104.39.32:995 | 95.77.144.238:443 | 37.210.255.225:995 |
| 14.137.64.132:995 | 100.43.250.74:995 | 74.195.52.3:443 |
| 70.126.76.75:443 | 69.47.239.10:443 | 73.166.10.38:443 |
| 5.194.151.240:2222 | 151.52.8.91:443 | 190.24.187.90:443 |
| 83.202.68.220:2222 | 197.237.62.207:443 | 95.77.223.148:443 |
| 189.251.67.57:995 | 89.136.112.74:443 | 47.196.49.123:443 |
| 197.161.154.132:443 | 190.85.91.154:443 | 24.229.150.54:995 |
| 120.150.218.241:995 | 2.50.167.241:443 | 189.172.242.124:443 |
| 75.136.40.155:443 | 193.248.154.174:2222 | 140.82.49.12:443 |
| 151.205.102.42:443 | 207.246.77.75:8443 | 212.197.145.59:995 |
| 41.39.134.183:443 | 24.139.72.117:443 | 47.208.8.187:443 |
| 187.213.80.185:995 | 149.28.99.97:2222 | 2.88.48.122:995 |
| 82.12.157.95:995 | 45.63.107.192:2222 | 68.15.109.125:443 |
| 77.136.21.144:995 | 144.202.38.185:443 | 2.90.219.195:443 |
| 47.40.78.73:443 | 207.246.77.75:443 | 151.60.45.241:443 |
| 173.18.126.193:2222 | 149.28.98.196:443 | 217.165.3.30:443 |
| 51.9.198.164:2222 | 149.28.98.196:995 | 190.72.211.89:2222 |
| 94.26.114.54:443 | 149.28.101.90:2222 | 84.247.55.190:8443 |
| 197.45.110.165:995 | 149.28.101.90:995 | 74.222.204.82:995 |
| 184.90.50.79:995 | 144.202.38.185:995 | 98.240.24.57:443 |
| 77.30.61.241:995 | 85.204.189.105:443 | 92.59.35.196:2083 |
| 47.134.138.15:443 | 96.19.117.140:443 | 174.20.167.39:995 |
| 196.151.252.84:443 | 106.250.150.98:443 | 45.63.107.192:443 |
| 23.236.12.55:443 | 98.190.24.81:443 | 96.61.23.88:995 |
| 81.88.254.62:443 | 37.116.152.122:2078 | 108.190.151.108:2222 |
| 105.198.236.99:443 | 172.87.157.235:3389 | 45.77.115.208:995 |
| 78.97.248.88:443 | 216.201.162.158:443 | 144.202.38.185:2222 |
| 188.25.61.41:443 | 95.76.27.6:443 | 24.185.65.68:443 |
| 45.77.115.208:443 | 174.87.65.179:443 | 149.28.98.196:2222 |
| 45.77.115.208:2222 | 50.244.112.106:443 | 24.122.0.90:443 |
| 45.32.211.207:995 | 189.157.252.151:443 | 175.141.131.195:443 |
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.