Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads

The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things.

The Qakbot botnet is getting more dangerous, sinking its fangs into email threads and injecting malicious modules to pump up the core botnet’s powers.

On Thursday, Sophos published a deep dive into the botnet, describing how researchers have recently seen it spreading through email thread hijacking – an attack in which malware operators malspam replies to ongoing email threads.

In a recent campaign, Qakbot has also been sucking up system info, Sophos said. “The botnet spreads through email thread hijacking and collects a wide range of profile information from newly infected machines, including all the configured user accounts and permissions, installed software, running services, and more,” according to the writeup, after which the botnet downloads the malicious modules.

Infosec Insiders Newsletter

The Qakbot malware code uses weird encryption to cover up the contents of its communications, but Sophos researchers managed to decrypt the malicious modules and to decode the botnet’s command and control C2) system to figure out nterpret how Qakbot receives its marching orders.

Beyond Annoying

Qakbot, aka QBot, QuackBot and Pinkslipbot, is a banking trojan that was first spotted in the wild 17 years ago, in 2007. Since its toddler days, it’s become one of the most prevalent banking trojans found around the world.

Though its main purpose is info-swiping – e.g., ripping off logins, passwords and more – the malware has picked up myriad other nasty habits: spying on financial operations, spreading and installing ransomware, keystroke logging, a backdoor functionality, and smooth moves to evade detection, including detecting its environment, self-updating, and cyptor/packer updates. It also fights back against being analyzed and debugged, be it by experts or automated tools.

“Qakbot is a modular, multi-purpose botnet spread by email that has become increasingly popular with attackers as a malware delivery network, like Trickbot and Emotet,” said Andrew Brandt, principal threat researcher at Sophos. “Sophos’ deep analysis of Qakbot reveals the capture of detailed victim profile data, the botnet’s ability to process complex sequences of commands, and a series of payloads to extend the functionality of the core botnet engine.”

In a nutshell, Qakbot isn’t your dad’s commodity bot, Brandt said: “The days of thinking of ‘commodity’ bots as merely annoying are long gone.”

Infection Chain and Payloads

Sophos analyzed a campaign in which the Qakbot botnet inserted malicious messages into existing email threads: messages that included a short sentence and a link to download a zip file containing a malicious Excel spreadsheet. The message asked the targeted user to “enable content” to activate the infection chain.

Once the botnet infected a target, it scanned them in order to get a detailed profile that it then passed on up to the C2 server. Then, the botnet downloaded more – at least three – malicious modules.

The payloads, which were injected into browsers, took the form of dynamic link libraries (DLL) that broadened the botnet’s capabilities to include these unsavory tidbits:

  • A module that injects password-stealing code into webpages,
  • A module that performs network scans, collecting data about other machines in proximity to the infected computer, and
  • A module that identified the addresses of a dozen SMTP (Simple Mail Transfer Protocol) email servers and then tried to connect to each one and send spam.

Qak Off, Qakbot

Brandt recommended that security teams need to take Qakbot infections seriously, by investigating every infection and scrubbing networks clean of “every trace” of the multi-talented malware. Botnet infections are, after all, a known precursor for a ransomware attack, Brandt wrote.

It’s not just ransomware that sys admins have to brace for. There’s also the prospect of botnet developers selling or leasing their access to your breached network, Brandt warned. “For example, Sophos has encountered Qakbot samples that deliver Cobalt Strike beacons directly to an infected host,” he said. “Once the Qakbot operators have used the infected computer they can transfer, lease out or sell access to these beacons to paying customers.”

Sophos has tips on avoiding infection:

  • Approach unusual or unexpected emails with caution, even when the messages appear to be replies to existing email threads. “In the Qakbot campaign investigated by Sophos, a potential red flag for recipients was the use of Latin phrases in URLs,” Sophos advised.
  • Security teams should check that the behavioral protections provided by their security technologies prevent Qakbot infections from taking hold. Network devices will also alert administrators if an infected user attempts to connect to a known C2 address or domain.

Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.

Suggested articles