Watch Out for the Adversary-in-the-Middle: WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

PwC’s Dark Lab investigates the local WhatsApp account hijacking attacks, uncovering multiple campaigns targeting Hong Kong and Macau consumers.

Over the last few months, the community has seen a surge in attacks against individuals’ collaboration and communication applications that offer the use of mobile devices as a means of authentication. By taking over accounts on such platforms through means such as phishing, threat actors can easily gain access to personal or event-sensitive information shared across such platforms, or carry out attempts to defraud legitimate business partners or contacts of individuals.

In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. This blog piece provides a technical analysis and actionable steps to protect yourself against the ongoing campaign leveraging the Evil QR toolkit to hijack WhatsApp accounts locally.

Stay tuned for part two, as we share our incident response experience with a multi-stage AiTM phishing and business email compromise (BEC) attack weaponizing Evilginx and EvilProxy, leading to our discovery of the wide-scale, opportunistic campaign.

WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

In October 2023, we observed multiple reports of WhatsApp account hijacking cases impacting Hong Kong- and Macau-based victims. Upon successful account takeover, malicious actors have been observed to impersonate the owners of the compromised WhatsApp accounts, contacting the victim’s WhatsApp contacts to request fund transfers under the guise of their trusted relationship. Breaking down the attack, we observe that the Evil QR tool was deployed to facilitate the WhatsApp account takeovers, targeting unsuspecting victims.

Understanding how Evil QR works

Evil QR, first reported in July 2023, is a browser extension that enables attackers to exploit legitimate QR codes to intercept and steal their cookie session, providing access to the victim’s account.[1]

How Evil QR operates[2]:

  • The attacker opens the legitimate WhatsApp Web login page (https://web.whatsapp.com/).
  • The attacker enables the Evil QR browser extension, which extracts the legitimate QR code from WhatsApp Web and proxies it to the Evil QR server, which hosts the attacker’s phishing page.
  • The attacker’s phishing page dynamically displays the latest QR code extracted from the WhatsApp Web login page.
  • When the unsuspecting victim visits the phishing page impersonating WhatsApp Web login and scans the QR code, the attacker successfully obtains access to the victim’s WhatsApp account.
  • Due to proxying, the victim will be unaware of the existence of these sessions, unless they manually check their WhatsApp settings (Settings > Linked Devices).

Figure 1: Attack path for WhatsApp account takeover using Evil QR

Weaponization of Evil QR by malicious actors

Due to the relatively simple setup of the QR code and phishing site using Evil QR, it is a highly lucrative and incentivising means for attackers to obtain access to sensitive information and perform malicious activities, as reflected in the recent surge of attacks against collaboration and communication applications.

We observe search results on Google, which indicate dedicated efforts to promote phishing sites impersonating WhatsApp to defraud unsuspecting victims. Search engine optimisation (SEO) poisoning is a technique commonly deployed by threat actors to improve the ranking of their malicious websites on search engine result pages.[3]

To improve the SEO ranking of their phishing site and deceive unsuspecting visitors of their ‘legitimacy’, threat actors may deploy an array of techniques, such as keyword stuffing, whereby threat actors overload their phishing sites with keywords in a repetitive manner to manipulate search engines into assessing that their website has relevant content. Another common technique is typosquatting, whereby threat actors capitalise on human error by registering domains with variations of likely spelling errors that could accidentally be typed (“typo”) by unsuspecting users (e.g. watsap web). Further, attackers commonly abuse sponsored listings and advertisements to direct users to their phishing sites.
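One way a defender can pick typosquatted look-alikes out of DNS or proxy logs is to compare each label of a domain with the protected brand name using an edit distance that also counts adjacent-character swaps. The following script is an added example, not PwC Dark Lab tooling; the brand, allowlist and candidate domains are constructed for illustration.

```python
"""Flag look-alike domains for a protected brand (added example, not PwC tooling).

Each registrable label (hyphen-separated parts included) is compared with the brand
using an optimal-string-alignment distance: insertion, deletion, substitution and
adjacent transposition each cost 1. Domains on the allowlist are never flagged.
"""

# Constructed allowlist of legitimate hosts for the brand.
ALLOWLIST = {"whatsapp.com", "web.whatsapp.com"}


def edit_distance(a, b):
    """Optimal string alignment distance between a and b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def lookalike(domain, brand="whatsapp", max_dist=2):
    """Return a reason string if the domain impersonates the brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST or any(domain.endswith("." + a) for a in ALLOWLIST):
        return None
    # Drop the TLD, then split remaining labels on hyphens ("watsapp-web" -> two tokens).
    tokens = [t for label in domain.split(".")[:-1] for t in label.split("-") if t]
    for token in tokens:
        if token == brand:
            return f"brand label '{brand}' on a domain outside the allowlist"
        if brand in token:
            return f"brand embedded in label '{token}'"
        dist = edit_distance(token, brand)
        if dist <= max_dist:
            return f"label '{token}' is {dist} edit(s) from '{brand}'"
    return None


# Constructed candidates, e.g. as they might appear in DNS query logs.
CANDIDATES = [
    "web.whatsapp.com",        # legitimate
    "watsapp-web.example",     # missing letter
    "wahtsapp.example",        # swapped letters
    "whatsapp-login.example",  # brand name on an unrelated domain
    "example.org",             # unrelated
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:25} {lookalike(c) or 'ok'}")
```

Edit distance alone will miss heavier mangling (several substitutions at once), so in practice this check sits alongside newly-registered-domain feeds and the page-structure pivot described later in the post.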

Figure 2: Search results for the typo ‘watsapp web’

Referencing the first sponsored search result, ws6.whmejjp[.]com, we observe the domain to be actively impersonating the WhatsApp Web login webpage.

Figure 3: Screenshot of ws6.whmejjp[.]com as of 19 October 2023

Pivoting on structurally similar websites, we observe the host IP (2a06:98c1:3121:[:]3) hosting over 10,000 domains with a similar HTML structure. Based on the newly registered domains associated with the host IP, we observed multiple typosquatted domains targeting users of various gaming and communications platforms, such as Twitch, Steam, Valorant, and Telegram. 
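Pivoting on "similar HTML structure" can be automated by reducing each page to its tag and attribute-name skeleton, so that text, URLs and styling differences between deployments of the same kit are ignored. The script below is an added example, not PwC Dark Lab tooling; the three sample pages are constructed and do not reproduce any real site.

```python
"""Structural fingerprinting of HTML pages to pivot on look-alike phishing deployments.

Added example; this is not PwC Dark Lab tooling. Each page is reduced to a sequence of
start/end tag tokens that keep attribute *names* but drop visible text, URLs and
attribute *values*, so two copies of one kit on different domains still match.
"""
import hashlib
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Collect one token per start/end tag, keeping attribute names but not values."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        names = ",".join(sorted(name for name, _ in attrs))
        self.tokens.append(f"<{tag} {names}>")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def skeleton(html):
    """Return the ordered list of structural tokens for a page."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return parser.tokens


def structure_hash(html):
    """Exact fingerprint: identical skeletons give identical hashes."""
    return hashlib.sha256("".join(skeleton(html)).encode()).hexdigest()


def similarity(html_a, html_b, n=3):
    """Fuzzy comparison: Jaccard index over n-grams of structural tokens (0.0 to 1.0)."""
    def shingles(tokens):
        return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}
    a, b = shingles(skeleton(html_a)), shingles(skeleton(html_b))
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


# Constructed samples: two deployments of the same kit (different language, text,
# class names and asset paths) and one unrelated page.
KIT_A = """<html><head><title>Log in</title><link rel="stylesheet" href="/a.css"></head>
<body><div class="wrap"><div class="qr"><img src="/qr1.png" alt="scan"></div>
<ol><li>Open the app</li><li>Scan this code</li></ol><p class="note">Keep your phone on</p></div>
<script src="/poll.js"></script></body></html>"""

KIT_B = """<html><head><title>登录</title><link rel="stylesheet" href="/static/b.css"></head>
<body><div class="container"><div class="code"><img src="/img/qr2.png" alt="二维码"></div>
<ol><li>打开应用</li><li>扫描二维码</li></ol><p class="hint">请保持手机在线</p></div>
<script src="/static/refresh.js"></script></body></html>"""

OTHER = """<html><head><title>Shop</title></head><body><table><tr><td>Item</td></tr></table>
<form action="/buy"><input type="text" name="q"><button>Go</button></form></body></html>"""


if __name__ == "__main__":
    print("hash A == hash B:", structure_hash(KIT_A) == structure_hash(KIT_B))
    print("A vs B:", round(similarity(KIT_A, KIT_B), 2))
    print("A vs other:", round(similarity(KIT_A, OTHER), 2))
```

The exact hash is useful as a pivot key across a large crawl, while the shingle similarity tolerates kits that have been lightly edited between deployments.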

Referencing public reports of the ongoing attacks against Hong Kong consumers[4], we pivoted on the waacad[.]cyou domain which continues to display a WhatsApp Web login page.

Figure 4: Screenshot of waacad[.]cyou as of 19 October 2023

Analysing the host IP (103.71.152[.]102) for waacad[.]cyou, we observe it to be serving 14 newly registered domains within the last month, starting from 22 September 2023. The domains were observed to follow a similar naming convention, all displaying an identical WhatsApp Web phishing page.

Figure 5: Newly registered domains hosted by 103.71.152[.]102 [5]

Through further investigation of 103.71.152[.]102, we observed multiple domains created between 27 August and 1 September 2023, which appear to impersonate Sands casino. Based on observations that 103.71.152[.]102 and multiple of its hosted domains have been flagged as malicious for phishing, consistent naming conventions, contents of the WhatsApp Web phishing pages written in Chinese, and the ongoing suspected phishing campaign impersonating Sands, we assess with high confidence that the threat actor is conducting an ongoing, targeted phishing campaign against Hong Kong and Macau citizens.

Potential impact upon successful WhatsApp account takeover

Upon a successful WhatsApp account takeover, the attacker has full access to the user’s conversations and contact list. In the ongoing campaign targeting Hong Kong users, we observe the primary goal to be victim impersonation to request fund transfers from unsuspecting people who would typically trust the victim, including family, loved ones, and friends.

Figure 6: Sample of fraudulent fund transfer request via WhatsApp

Further, attackers may scan the victim’s conversation for sensitive information, such as personally identifiable information (“PII”) and shared passwords, depending on what sensitive information has been disclosed by the individual to other parties. In addition, the attacker could further leverage the account to send phishing links (“smishing”) to the victim’s contacts, to perform additional credential theft activities.

Conclusion

PwC’s Dark Lab observes that Hong Kong and Macau are being actively targeted by multiple opportunistic phishing campaigns. We strongly encourage citizens to exercise caution and awareness when interacting with untrusted sources. Refer to our recommendations below for general best practices and advice on how to detect and respond to a potential WhatsApp account takeover.

We continue to observe the cyber threat landscape evolve, with threat actors increasingly shifting towards identity-based attacks, weaponizing not only passwords but sessions to maintain persistent access to compromised accounts. Stay tuned for part two, as we share key learnings from a recent incident response case involving a multi-stage AiTM phishing and business email compromise (BEC) attack.

Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here

Recommendations

How to detect if you are visiting a phishing website impersonating WhatsApp Web:

  • When searching for “WhatsApp Web” or any other website, avoid sponsored links and double check before clicking on a link for any spelling errors which could indicate it is a typosquatted (phishing) domain.
  • When visiting the website, while the website may appear similar to the legitimate domain, look out for the slight differences.

For example, if we compare the legitimate WhatsApp Web domain (web.whatsapp.com) with the malicious domain (waacad[.]cyou), we notice four (4) differentiators:

  1. If you were to check the URL of the phishing page, you would immediately notice it is suspicious and unlikely to be the actual WhatsApp login page.
  2. On the legitimate webpage, the WhatsApp logo and name exists, which is not observed on the malicious page.
  3. The instruction wordings differ.
  4. The legitimate webpage has a ‘Tutorial’ section with advice on ‘how to get started’. It should be noted that whilst this phishing domain does not display this section, other more convincing phishing sites could include this section to further deceive you into trusting their phishing site is legitimate.

How to check and respond if you suspect your WhatsApp account has been compromised:

1. Check and log out any unauthorised devices:

  • In WhatsApp, check if any unauthorised devices are logged in (Settings > Linked Devices).
  • For any suspicious or unknown logins, tap the device to log out. This will remove their access to your account.

2. Perform additional checks to identify any potential activities performed by the malicious actor during their access to your account:

  • Check archived messages to see if any conversations were archived by the malicious actor.
  • Check if any messages have been sent or deleted in the chat without your knowledge.
  • Check if any voice recordings or files were shared to your contacts.

3. Inform any of your contacts if they have been contacted by the malicious actor.

Whether your contact unknowingly sent money or not, it is important to notify them that they were communicating with the malicious actor and not you so they can remain aware and exercise caution when receiving unusual or suspicious messages from you or other contacts.

General Best Practices

Visiting websites:

  • Check links before clicking to validate their legitimacy (e.g. spelling errors) and always remain wary of the legitimacy of webpages and their branding.
  • Access websites via the global webpage as opposed to the URL shortened link if in doubt.
  • If you accidentally visit a phishing site,
    • Do not click on any links and double check your device to see if any files were downloaded.
    • If any files were downloaded, do not open it. Delete the file immediately and clear your recycling bin.
  • If you believe you may have fallen victim to a phishing attack,
    • Monitor your email’s “sent” folder to identify any unauthorised emails that have been issued from your account. If any, alert the receiver as well as your wider contact list that you may have fallen victim to a phishing attack, so they can be on alert that incoming messages from your account may not be legitimate.
    • Perform a password reset, enable multi-factor authentication (MFA), and report the suspected phishing activity immediately to your credit card issuers (and organisation if accessed the site through your work device) to monitor and restrict potentially suspicious activity.

Communication platforms:

  • If you have received a suspicious or unusual message from your contact requesting funds or sensitive information, exercise caution to determine if the request is legitimate. Potential signs that your contact has been compromised could include:
    • Unusual nature of the request – e.g. your contact asking you to urgently send money
    • Deviating from their normal typing or speaking pattern – if their message does not sound like them – it might not be them!
    • Oftentimes, malicious actors use artificial intelligence (“AI”) to generate messages, which may sound robotic or unnatural in nature. For voice messages, malicious actors may alter the AI-generated message (e.g. speeding it up or adding background noise) to attempt to make the voice message seem less robotic.
    • Do not disclose sensitive information via WhatsApp or other communication channels. Whilst these channels may be encrypted, we continue to observe malicious actors attempting to perform account takeovers, granting them with full access to compromised users’ accounts.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques from the campaign:

  • T1583.001 – Acquire Infrastructure: Domains
  • T1583.008 – Malvertising
  • T1586 – Compromise Accounts
  • T1608.006 – Stage Capabilities: SEO Poisoning
  • T1566 – Phishing
  • T1189 – Drive-by Compromise

Indicators of Compromise (IoCs)

We include the observed IoCs:

IOC                        Type
clooe[.]cyou               WhatsApp phishing site
kkgee[.]icu                WhatsApp phishing site
waacad[.]cyou              WhatsApp phishing site
www[.]waacad[.]cyou        WhatsApp phishing site
clooeapp[.]cyou            WhatsApp phishing site
kkgegroup[.]icu            WhatsApp phishing site
bbhes[.]cyou               WhatsApp phishing site
gooe8[.]cyou               WhatsApp phishing site
xxeez[.]icu                WhatsApp phishing site
gooer[.]icu                WhatsApp phishing site
waacad[.]icu               WhatsApp phishing site
weeae[.]icu                WhatsApp phishing site
weeaet[.]cyou              WhatsApp phishing site
wyyadinc[.]icu             WhatsApp phishing site
bbyaysc[.]cyou             WhatsApp phishing site
5565m[.]vip                Potential Sands phishing site – not flagged malicious
5565k[.]vip                Potential Sands phishing site – not flagged malicious
5565v[.]vip                Potential Sands phishing site – not flagged malicious
5565f[.]vip                Potential Sands phishing site – not flagged malicious
5565t[.]vip                Potential Sands phishing site – not flagged malicious
5565z[.]vip                Potential Sands phishing site – not flagged malicious
5565c[.]vip                Potential Sands phishing site – not flagged malicious
5565r[.]vip                Potential Sands phishing site – not flagged malicious
5565i[.]vip                Potential Sands phishing site – not flagged malicious
5565a[.]vip                Potential Sands phishing site – not flagged malicious
5565p[.]vip                Potential Sands phishing site – not flagged malicious
5565w[.]vip                Potential Sands phishing site – not flagged malicious
5565g[.]vip                Potential Sands phishing site – not flagged malicious
5565u[.]vip                Potential Sands phishing site – not flagged malicious
5565e[.]vip                Potential Sands phishing site – not flagged malicious
5565l[.]vip                Potential Sands phishing site – not flagged malicious
5565d[.]vip                Potential Sands phishing site – not flagged malicious
5565s[.]vip                Potential Sands phishing site – not flagged malicious
5565j[.]vip                Potential Sands phishing site – not flagged malicious
5565q[.]vip                Potential Sands phishing site – not flagged malicious
5565x[.]vip                Potential Sands phishing site – not flagged malicious
5565h[.]vip                Potential Sands phishing site – not flagged malicious
5565o[.]vip                Potential Sands phishing site – not flagged malicious
ws6.whmejj[.]com           WhatsApp phishing site
dxweb.whasatcp[.]life      WhatsApp phishing site
uaa.whxmcwd[.]top          WhatsApp phishing site
103.71.152[.]102           IP address

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Secure Your Holidays: The Case of Qakbot and Black Basta

On the eve of Christmas, a suspected Black Basta affiliate conducted a ‘quick and dirty’ attack on a global client, lending insight into the opportunistic targeting of victims during holiday downtime periods.

The Significance of Dates

The holidays are a time for rest and rejuvenation for most. But for attackers, the holidays present a timely opportunity to exploit weakened security postures for a higher likelihood of successful intrusion. Attackers have been consistently observed to exploit the predictable patterns of organisations’ limited cyber preparedness during holiday seasons, largely driven by the shortage of personnel and the lack of appropriate response preparation measures, to achieve a ‘quick and dirty’ infiltration. Beyond opportunistic exploitation of weakened defences during the holidays, attackers are observed to conduct targeted attacks on dates of significance (e.g., political, religious, historical, legal dates of importance) as a means of taking a stance on a divisive topic or sending a clear message. In certain incidents, the date of intrusion attempts can provide a valuable indicator into the motivations and intentions of the threat actor behind the attack.

PwC’s Dark Lab have continuously observed the trend of increased incidents surrounding major holidays and dates of significance (e.g., Christmas, Chinese New Year, etc.), including our recent incident featuring the Qakbot banking trojan and attributed to the Black Basta ransomware-as-a-service (RaaS) group.

Initial Access: Conversation Hijacked

The incident was initiated by a phishing email disguised as a customer request to deliver the Qakbot banking trojan malware. Notably, the threat actor leveraged an old email thread dating back to January 2020 to the victim’s shared mailbox, as a means of leveraging an existing conversation with established trust to exhibit legitimacy.

We purposely do not disclose the email in this blog as the original mail sender is legitimate and was likely compromised. It was discovered via open source intelligence (OSINT) that the legitimate sender emails leveraged by the affiliate were potentially harvested during the 2021 ProxyLogon-related compromises that targeted vulnerable Microsoft Exchange Servers to perform thread hijacking, whereby attackers harvest legitimate emails to launch targeted phishing campaigns against previously uncompromised organisations. [1] The following key indicators were observed, validating our hypothesis that thread hijacking was conducted:

(1) Phishing emails were likely sent from a spoofed sender address, as evidenced by the SoftFail Sender Policy Framework (SPF) result, indicating that the sending IP address may or may not be authorised to send from the domain. An SPF record facilitates spoofed email prevention and anti-spam control and acts as a filter to assess the authenticity of an email. An SPF soft fail occurs when an email is received from a sender the domain’s SPF record does not explicitly authorise; such mail is typically quarantined in the recipient’s spam folder, flagging the email as potentially suspicious. [2]
(2) The spear phishing link directed to the domain osiwa[.]org, which has been flagged by the community twice in 2023 to be malicious and associated with Qakbot. [3] As at the time of the incident, the phishing link displayed an HTTP status code 404, though we observed osiwa[.]org was scanned up to eight times between 1 December 2022 and 2 March 2023, potentially indicating that a number of other organisations had received a similar malicious link directing them to download the Qakbot malware.
(3) The affiliate performed partial scrubbing of the email header information during construction of their malicious email to remove content that does not align with their malicious content.
(4) Prior to the malicious email in Q4 2022, the last email in the thread was observed from 2020, indicating that the email was likely harvested as a result of the 2021 ProxyLogon mass exploitation for the purpose of thread hijacking.
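Three of the four indicators above (the SPF softfail, the link to a known-bad domain, and the multi-year gap between the quoted thread and the reply) can be checked mechanically on an inbound message. The script below is an added example, not PwC Dark Lab tooling: it parses a raw RFC 5322 message with the standard library and scores those signals. The sample message, the blocklisted domain and the scoring weights are constructed; the quoted-text attribution line format is assumed to be the common "On <date>, <name> wrote:" style.

```python
"""Score an inbound reply for email thread-hijacking indicators.

Added example; this is not PwC Dark Lab tooling. It checks a raw message for
(1) an SPF softfail/fail in the Authentication-Results header,
(2) links whose host is on a blocklist, and
(4) a quoted thread whose last message is far older than the reply.
"""
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed blocklist; not an indicator from the report.
BLOCKLIST = {"example-bad.invalid"}
STALE_THREAD_DAYS = 365

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed attribution line format, e.g.
# "On Tue, 14 Jan 2020 10:15:00 +0800, Alice <a@x> wrote:"
QUOTE_RE = re.compile(
    r"^On (.+?\d{4} \d{2}:\d{2}(?::\d{2})? [+-]\d{4}),? .* wrote:$", re.M)


def spf_result(msg):
    """Return the spf= verdict (pass/fail/softfail/...) from Authentication-Results, if any."""
    for header in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", header, re.I)
        if m:
            return m.group(1).lower()
    return None


def blocklisted_links(body):
    """Return link hosts that are on, or are subdomains of, a blocklisted domain."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in BLOCKLIST):
            hits.append(host)
    return hits


def quoted_thread_gap_days(msg, body):
    """Days between this message's Date and the newest quoted message; None if none found."""
    sent = parsedate_to_datetime(msg["Date"])
    dates = [parsedate_to_datetime(d) for d in QUOTE_RE.findall(body)]
    if not dates:
        return None
    return (sent - max(dates)).days


def assess(raw):
    """Parse a raw message and return the findings plus a simple additive score (0-3)."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    findings = {
        "spf": spf_result(msg),
        "blocklisted_links": blocklisted_links(body),
        "thread_gap_days": quoted_thread_gap_days(msg, body),
    }
    score = 0
    if findings["spf"] in ("softfail", "fail"):
        score += 1
    if findings["blocklisted_links"]:
        score += 1
    if (findings["thread_gap_days"] or 0) > STALE_THREAD_DAYS:
        score += 1
    findings["score"] = score
    return findings


# Constructed sample: a reply grafted onto a thread that went quiet in January 2020.
SAMPLE = """\
Authentication-Results: mx.victim.example; spf=softfail smtp.mailfrom=vendor.example
From: "Alice" <alice@vendor.example>
To: orders@victim.example
Subject: RE: Invoice 4471
Date: Mon, 19 Dec 2022 09:02:11 +0800
Content-Type: text/plain; charset=utf-8

Please review the updated document: https://example-bad.invalid/files/doc.zip

On Tue, 14 Jan 2020 10:15:00 +0800, Alice <alice@vendor.example> wrote:
> Thanks, the invoice is confirmed.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

In a mail gateway the Authentication-Results header should be read only from the trusted authserv-id, since an attacker can add their own copy; the example trusts the first one found for brevity.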

Our analysis into the known-bad IP addresses reveals that six (6) of them – 24.69.84[.]237, 50.67.17[.]92, 70.51.136[.]204, 149.74.159[.]67, 38.166.221[.]92, and 173.76.49[.]61 – have been flagged by the community as associated with Qakbot campaigns in the past.

In addition, a seventh IP address observed in the incident – 108.62.118[.]131 – has been reported to direct to a Cobalt Strike C2 server. This IP has further been flagged on social media on multiple occasions as resolving to various malicious URLs registered via Namecheap. [4],[5] This, along with the fact that the ASN 30633 was LEASEWEB, are suspicious indicators suggesting it was throwaway infrastructure potentially being deployed for malicious use.

Upon clicking on the phishing link, the malicious ZIP file was downloaded, and the victim unsuspectingly opened the file, initiating the execution phase. Post-infiltration, the victim’s endpoint detection alerted a potentially suspicious connection associated with FIN7’s (also known as Carbanak) C2 infrastructure. This observation enabled PwC’s Dark Lab analysts to discover that custom toolkits exclusively utilized by the Black Basta ransomware group have overlapping technical characteristics with FIN7, with further evidence to suggest that the custom tools leveraged by Black Basta may have potentially been developed by FIN7’s malware developers. [6] Further, given that Black Basta is widely recognized to leverage Qakbot for initial access in their campaigns, we posit with high confidence that the attack was conducted by a Black Basta affiliate.

Figure: Screenshot of our VirusTotal pivoting that attributed six IP addresses observed in the victim’s environment to the Qakbot banking trojan.

Ransomware-as-a-Service Group Behind the Attack: Black Basta

Black Basta is a Russian-speaking ransomware group that operates as a Ransomware-as-a-Service (RaaS) affiliate network. First observed in early 2022, Black Basta is an evolution of the Conti ransomware, offering both Windows and Linux ransomware variants and known to perform double extortion – data encryption and listing stolen data on their leak site unless ransom demands are met. [7] To date, the group has been observed to compromise at least 193 victims across geographies and industries, as listed on their data leak site. Observations of Black Basta’s targeting history indicate no specific targeting of industries, reinforcing the group’s opportunistic nature and financially driven motives.

Escalating Privileges

Post-infiltration via Qakbot, the suspected Black Basta affiliate established a call back connection to their C2 server and subsequently performed credential dumping to successfully obtain administrator access on the victim’s Domain Controller server.

Establishing Persistence and Lateral Movement

The affiliate proceeded to implant multiple backdoors and leveraged domain administrator privileges to perform remote desktop protocol (RDP) access via PowerShell payload execution to establish persistence, gain remote control of the compromised hosts and move laterally across environments. Notably, we observed that the affiliate was capable of performing a cross-domain attack, compromising victims across geographical regions.

Defense Evasion

To evade detection, the threat actor disabled the Wazuh agent, an open-source security monitoring solution commonly leveraged by enterprise users as their Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) logging platform.

Impact

Once defences were impaired, the affiliate proceeded to deploy the Black Basta ransomware on compromised environments by abusing rundll32.exe to stealthily execute the ransomware via proxy execution. In one instance, the actor was observed to utilise Secure File Transfer Protocol (SFTP) to exfiltrate data from the compromised server to a cloud-hosted server on Digital Ocean (142.93.198[.]225), though no compromised victim data was observed to be listed on Black Basta’s leak site.
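The two behaviours described under Defense Evasion and Impact, stopping the Wazuh agent and proxying the ransomware through rundll32.exe, both leave a footprint in process-creation telemetry. The script below is an added example, not PwC Dark Lab tooling or a Wazuh rule: it runs two simple detections over constructed JSON events shaped like Sysmon/EDR process-creation records (Image, CommandLine, User). The service names in AGENT_SERVICES are assumed for illustration.

```python
"""Detect Wazuh agent tampering and rundll32 proxy execution in process-creation events.

Added example; this is not PwC Dark Lab tooling or a Wazuh rule. Event records are
constructed and shaped like Sysmon Event ID 1 / EDR process-creation telemetry.
"""
import json
import re

# Assumed service/unit names for the Wazuh agent (Windows service, Linux unit).
AGENT_SERVICES = ("wazuhsvc", "wazuh-agent")
# Directories from which rundll32 loading a DLL is considered expected.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SERVICE_CTL = re.compile(r"\b(?:net|sc)(?:\.exe)?\s+(stop|config|delete)\s+(\S+)", re.I)
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.I)


def agent_tamper(cmd):
    """Return a description if the command stops, reconfigures or kills the agent."""
    m = SERVICE_CTL.search(cmd)
    if m and m.group(2).strip('"').lower() in AGENT_SERVICES:
        return f"service {m.group(1).lower()} on {m.group(2)}"
    if re.search(r"\btaskkill\b.*wazuh", cmd, re.I):
        return "taskkill against a wazuh process"
    return None


def rundll32_untrusted_dll(cmd):
    """Return the DLL path if rundll32 loads an absolute path outside the Windows system dirs."""
    m = RUNDLL_ARG.search(cmd)
    if not m:
        return None
    dll = m.group(1)
    # Bare names (shell32.dll) resolve from the system search path and are left alone here;
    # drive-letter or UNC paths outside the trusted directories are flagged.
    absolute = ":" in dll[:2] or dll.startswith("\\\\")
    if absolute and not dll.lower().startswith(TRUSTED_DLL_DIRS):
        return dll
    return None


def scan(jsonl):
    """Return a list of (rule, detail, event) for every event that matches a rule."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        hit = agent_tamper(cmd)
        if hit:
            alerts.append(("agent_tamper", hit, ev))
        dll = rundll32_untrusted_dll(cmd)
        if dll:
            alerts.append(("rundll32_proxy_exec", dll, ev))
    return alerts


# Constructed events: one agent stop, one suspicious rundll32, two benign records.
EVENTS = r"""
{"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c net stop WazuhSvc", "User": "CORP\\svc_backup"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\Music\\update.dll,DllRegisterServer", "User": "CORP\\svc_backup"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL printui.dll", "User": "CORP\\jdoe"}
{"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "User": "NT AUTHORITY\\SYSTEM"}
"""

if __name__ == "__main__":
    for rule, detail, ev in scan(EVENTS):
        print(f"{rule:20} {detail:45} user={ev.get('User')}")
```

A stopped agent also shows up server-side as a missed keep-alive, so pairing this host-side rule with an agent-disconnect alert on the Wazuh manager covers the case where the endpoint logs never arrive.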

As with all RaaS leak sites, we are unable to ascertain whether the threat actor lists all of their victims on their leak site, though, per our experience, this is unlikely for a variety of reasons. In our analysis of the Black Basta leak site, we noted that a listing may show zero or only partial (e.g. 30%) publication of the stolen data. While there is no way to effectively verify the disclosed percentage of leakage, this suggests that Black Basta may choose to leak data in phases as part of their double extortion technique.

Meanwhile, anecdotal analysis of the published victims listed on the leak site indicates that previous victims that publicly announced the breach had a lead time of between one to three weeks prior to being listed on Black Basta’s leak site. While we do not have evidence to suggest that certain victims may not be listed, we assess the likelihood of Black Basta leaking data of undisclosed victims beyond the three-week period to be relatively lower, though not impossible given our previous experience with RaaS groups and cybercriminals.

Conclusion

Based on the findings of our investigation, PwC’s Dark Lab posits with high confidence that an affiliate of the Black Basta ransomware cybercriminal group was likely behind the incident. The incident was observed to take place within a short timeframe, with malicious actor(s) infiltrating the victim’s environment and subsequently escalating privileges on day one of the attack, followed by lateral movement, ransomware execution, and data exfiltration on day two. Given the timing of the incident, we posit the attacker intentionally targeted the victim during the holiday period under the assumption that the victim had limited capacity to detect and respond to their attack.

Recommendations

As RaaS groups continuously persist and evolve their attack vectors, it is vital that organisations implement robust, layered defence strategies based on the concept of zero trust.

  • Develop and maintain a contingency plan for holiday periods with expected limitations of manpower and capacity, ensuring allocated on-call members are regularly briefed on the incident response measures in case of attack
  • Implement a zero-trust security architecture to limit the likelihood of successful intrusion and/or containment of potentially impending attacks
  • Enhance email security controls (e.g., anti-phishing controls, sandbox analysis, etc.) on email security gateways and network devices (including external firewalls, web proxies)
  • Educate your employees, particularly those in roles that regularly interact with unknown senders (e.g., sales, customer service, human resources, finance, etc.) of the potential indicators to identify and report potential email thread hijacking attempts (e.g., spoofed senders, old email threads, partially scrubbed email addresses, malformed replies, repetitive use of the same harvested legitimate email, etc.).
  • Maintain “tertiary” offline backups (i.e., tertiary backup) that are encrypted and immutable (i.e., cannot be altered or deleted). This should be atop of your existing secondary data backups that should adopt security best practices, in particular network segmentation with your production and/or primary site
  • Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforce network segmentation to tighten access to key servers)
  • Enforce network segmentation, including identity segmentation in line with zero trust policies to restrict access based on identities, to reduce your attack surface and contain the potential impact of a ransomware attack

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

  • T1588.001 Obtain Capabilities: Malware
  • T1586 Compromise Accounts: Email Accounts
  • T1566.002 Phishing: Spear Phishing Link
  • T1199 Trusted Relationship
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204 User Execution
  • T1078.002 Valid Accounts: Domain Accounts
  • T1562.001 Impair Defenses: Disable or Modify Tools
  • T1021.002 Remote Services: SMB/Windows Admin Shares
  • T1428 Exploitation of Remote Services
  • T1003.006 OS Credential Dumping: DCSync
  • T1572 Protocol Tunneling
  • T1071 Application Layer Protocol: Cobalt Strike Beacon
  • T1041 Exfiltration Over C2 Channel
  • T1486 Data Encrypted for Impact

Indicators of Compromise (IoCs)

We include the observed IoCs in our encounter with Qakbot and Black Basta.

Indicator                          Type
37bf163c9a37e27cdbb8c5db31457063   Malicious Compiled Script (DLL)
142.93.198[.]225                   IP Address – Resolving to Digital Ocean
50.67.17[.]92                      Known-Bad IP – Associated with Qakbot Campaigns
149.74.159[.]67                    Known-Bad IP – Associated with Qakbot Campaigns
24.69.84[.]237                     Known-Bad IP – Associated with Qakbot Campaigns
70.51.136[.]204                    Known-Bad IP – Associated with Qakbot Campaigns
38.166.221[.]92                    Known-Bad IP – Associated with Qakbot Campaigns
108.62.118[.]131                   Known-Bad IP – Cobalt Strike C2 Server
173.76.49[.]61                     Known-Bad IP – Associated with Qakbot Campaigns
23.106.223[.]214                   C2 IP

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.