Introduction

Although the botnet infrastructure behind Qakbot was active as we entered this year, we hadn't seen any active campaigns spreading it. Qakbot had been quiet since a few days before Christmas: no new malicious spam (malspam), and none of the Excel spreadsheets we typically find during active campaigns. That changed on Tuesday 2021-01-19, when we started seeing malspam pushing Qakbot again. @BushidoToken tweeted about it here. Today's diary examines a Qakbot infection from Tuesday 2021-01-19.
The malspam

No changes here. Qakbot malspam typically spoofs stolen email chains taken from previously-infected Windows hosts, and feeds that data to currently-infected Windows hosts, which then send new malspam pushing updated Qakbot files. See the image below for an example from Tuesday 2021-01-19.
Infection traffic

See the images below for my analysis of network traffic from the Qakbot infection.
Forensics on infected Windows host

See the images below for my forensic investigation on the infected Windows host.
Indicators of Compromise (IOCs)

SHA256 hash: 8ebba35fa60f107aa4e19fa39ae831feab4ffb1718bdca016670d3898b2fe4fc
SHA256 hash: f9560829534803161c87666795f0feab028ff484fac5170b515390b50e8050fd
HTTP request caused by Excel macro to retrieve DLL for Qakbot:
HTTPS traffic from the infected host:
Web traffic connectivity checks from the infected host (HTTPS traffic):
TCP traffic from the infected host:
Connectivity checks to mail servers from the infected host:
Certificate issuer data for HTTPS traffic to 95.76.27[.]6 over TCP port 443:
Certificate issuer data for HTTPS traffic to 185.14.30[.]127 over TCP port 443:
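The indicators above are only useful once they are loaded into something that checks for them. The script below is an added example (not part of this diary and not from any Qakbot tooling): it refangs the defanged IP addresses from the IOC list so they can be fed into a blocklist or a detection rule, and sweeps a directory for files whose SHA256 matches the two hashes listed above. The sample files it creates are constructed inline so it runs offline; the `demo()` function adds the hash of one constructed file to the watch set purely to show a match, since no real sample ships with this example.

```python
"""IOC sweep for the Qakbot indicators listed in this diary.

Added example; not part of the original ISC diary. The hashes and IPs below
are copied from the IOC section of the page; the sample files are constructed
here so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 hashes from the diary's IOC list (Excel file and Qakbot DLL).
QAKBOT_SHA256 = {
    "8ebba35fa60f107aa4e19fa39ae831feab4ffb1718bdca016670d3898b2fe4fc",
    "f9560829534803161c87666795f0feab028ff484fac5170b515390b50e8050fd",
}

# Defanged IPs from the certificate-issuer IOCs, exactly as written on the page.
QAKBOT_C2_DEFANGED = ["95.76.27[.]6", "185.14.30[.]127"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('95.76.27[.]6', 'hxxp://') back into its
    machine-usable form so it can go into a blocklist or a detection rule."""
    out = indicator.replace("[.]", ".").replace("(.)", ".")
    out = re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)
    return out


def sha256_of_file(path, chunk_size=1 << 20) -> str:
    """Stream the file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, known_hashes):
    """Return {path: sha256} for every file under root whose hash is in known_hashes."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in known_hashes:
                hits[p] = digest
    return hits


def build_blocklist(defanged):
    """Refanged, de-duplicated, sorted list ready for a firewall or proxy deny list."""
    return sorted({refang(i) for i in defanged})


def demo():
    """Constructed sample run: one benign file and one file whose hash is added
    to the watch set so the sweep has something to find. Returns {filename: hash}."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"nothing to see here")  # constructed, not malware
        sample = Path(tmp) / "invoice.xlsb"
        sample.write_bytes(b"CONSTRUCTED SAMPLE CONTENT")  # constructed, not malware
        watch = QAKBOT_SHA256 | {sha256_of_file(sample)}
        hits = sweep_directory(tmp, watch)
        return {os.path.basename(p): h for p, h in hits.items()}


if __name__ == "__main__":
    print("blocklist:", build_blocklist(QAKBOT_C2_DEFANGED))
    print("hits:", demo())
```

Point `sweep_directory` at a user's Downloads or Outlook attachment cache with `QAKBOT_SHA256` as the watch set to check an endpoint against exactly the two hashes from this diary; the IP list from `build_blocklist` is what you would hand to a firewall or proxy deny list.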
Final words

A pcap of the infection traffic along with malware (Excel file and DLL) from an infected host can be found here.
Brad, ISC Handler, Jan 20th 2021