-
Notifications
You must be signed in to change notification settings - Fork 383
/
Copy pathqakbot.yml
25 lines (25 loc) · 1.78 KB
/
qakbot.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
name: Qakbot
id: 0c6169b1-f126-4d86-8e4f-f7891007ebc6
version: 2
date: '2022-11-14'
author: Teoderick Contreras, Splunk
status: production
description: QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).
narrative: QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551.
The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT)
The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.
references:
- https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf
- https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot
- https://securelist.com/QakBot-technical-analysis/103931/
- https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails
- https://attack.mitre.org/software/S0650/
- https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot
tags:
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection