Alert - Ongoing reports of Qakbot malware incidents – Update 2

Number: AL22-013
Date: 10 November 2022
Updated: 16 February 2023

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

Throughout 2022, the Cyber Centre has observed several waves of reporting from Canadian organizations related to Qakbot compromises. Similar activity has been reported in numerous countries. The compromises do not seem to be targeted to a specific sector or geographical location.

Qakbot, also known as Qbot or Pinkslipbot, began as information-stealing malware targeting financial institutions but has since evolved in both its functionality and the industries it targets. The malware is modular in nature and offers a variety of capabilities, including the ability to steal sensitive data and to propagate inside a network. These added capabilities can be downloaded by the malware post-compromise. In recent years, Qakbot has been observed acting as a “stage one” malware responsible for downloading other malicious payloads such as ransomware or Cobalt Strike.

Qakbot is commonly delivered using many phishing methods, including malicious emails that come from previously unseen email addresses or arrive as replies to existing email conversations Footnote 1 Footnote 2. The reuse of existing email conversations has been particularly effective because the emails appear to come from a trusted source, often someone with whom the recipient has recently been in communication. The result is a convincing message that an unsuspecting recipient may believe to be legitimate, making them feel safe clicking a link that downloads a malicious ZIP file or opening an attached HTML file with the malicious ZIP file embedded.

Good deception tactics by the threat actor may lead the user to open the ZIP file (often password protected) and then open a series of embedded files leading to the malware itself. In recent months, one of the embedded files has been an ISO file, which is opened as a folder in Windows. This is one method that threat actors use in an attempt to bypass Mark of the Web protections Footnote 3.

Users should be wary of attachments that require special instructions to open, navigation through multiple folder layers, or any unpackaging actions before the intended document can be accessed. In these situations, users should consider a follow-up verification of the email by contacting the original sender by phone or by starting a new email conversation using an address obtained from another source (not by replying to the suspicious email).

Malicious actors will continue to alter their initial methods of infection; as such, system administrators are encouraged to implement as many mitigation measures as possible to prevent phishing in general Footnote 4 Footnote 5 Footnote 6.

Following the initial compromise, the Cyber Centre has observed and received reports of the deployment of post-compromise tools such as Cobalt Strike and Brute Ratel, which were used to further compromise affected networks.

Further compromised networks could be leveraged for additional malicious activity, including ransomware.

Tactics, Techniques, and Procedures (TTP)

Commonly observed methods of exploitation are identified below, with references to the MITRE ATT&CK framework for additional context and mitigation advice Footnote 7:

Resource Development (Mitre T1586.002)

Hijacking existing email threads increases the chances of additional successful compromises.

Initial Access (Mitre T1566.001, T1566.002)

Qakbot is primarily delivered via malicious emails as a zipped attachment, link, or embedded image.

Execution (Mitre T1204.001, T1204.002, T1218.010, T1218.011)

Once the victim opens the LNK file, the Qakbot DLL is executed.

Command and Control (Mitre T1071.001, T1132.001)

Upon installation, Qakbot will beacon to its C2 infrastructure with encoded messages sent via HTTPS GET and POST requests. The IP addresses of the C2 infrastructure are updated in Qakbot as malicious infrastructure is identified and acted upon.

Persistence (Mitre T1547.001, T1053.005)

Qakbot commonly achieves persistence through scheduled tasks and registry run keys.

Defense Evasion (Mitre T1140, T1553.005)

Qakbot is delivered in password-protected ZIP files and ISO files to avoid detection.

Discovery (Mitre T1016)

One of the Qakbot modules provides several tools for scanning the internal network. For example, Qakbot has been observed performing an ARP scan in order to discover other endpoints on the network. Footnote 1

Similar activity was also described in SANS’ Incident Handler’s Diary Blog titled “TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)”. Footnote 8

Update 1

In early February 2023, the Cyber Centre was made aware of an increase in phishing emails containing malicious OneNote attachments (.one) being used to deliver Qakbot and other malware.

The malicious OneNote attachments contain embedded files and may include an image that appears to be a clickable button. Opening the attachment may lead to a security warning prompt being displayed to the user. If the user bypasses the warning and opens the embedded file, the file executes its payload, which may be a shortcut (LNK) file, an HTML application (HTA), or a Windows Script File (WSF) Footnote 17 Footnote 18; that payload in turn leads to the delivery of the Qakbot malware.

Threat actors leverage the inherent trust in platforms like Microsoft OneNote to bypass some of the protections provided by email anti-spam filters and online enterprise gateways.

If your organization does not use Microsoft OneNote, consider filtering incoming attachments with the OneNote file extension to prevent end users from opening any malicious OneNote documents.

Update 2

On February 16, 2023, the Cyber Centre released an update of the YARA rule below to widen detection capabilities.

Mitigation

Yara:

The following YARA rule is not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives. The rule is intended to serve as a starting point for hunting efforts to identify activity; however, it may need adjustment over time if the malware family changes.

Yara code begins

rule onenote_downloader {

    meta:
        id = "5agXf6mY0R9rvwzpeYjzns"
        fingerprint = "17dd9c81bd00db3907a8d444f2f6dddb0cae0b2ba15ec68a3d721ac0cf1ea022"
        version = "6.0"
        first_imported = "2023-02-06"
        last_modified = "2023-02-15"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "CCCS"
        author = "reveng@CCCS"
        description = "Malicious one note file that is being used to download and/or execute payload."
        category = "MALWARE"
        malware_type = "DOWNLOADER"
        mitre_att = "TA0002"
        actor_type = "CRIMEWARE"
        reference = "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware"
        reference = "https://blog.didierstevens.com/2023/01/22/analyzing-malicious-onenote-documents/"
        hash = "636f8f5fa6d17d092007a750a38cbe4d171e608eab5b8264dbfa35209529cb9a"
        hash = "f674b1c858ea26730ab113c83a87f71a38cb367e8ef20223f5a1f668b29b7938"

    strings:
        $onenote_guid = { e4 52 5c 7b 8c d8 a7 4d ae b1 53 78 d0 29 96 d3 }
        $fo = {e716e3bd65261145a4c48d4d0b7a9eac}
        $str0 = "powershell" ascii
        $str2 = "FromBase64String" ascii
        $str3 = "WScript.Shell" ascii
        $str4 = "WshShell" ascii
        $str6 = "%70%6F%77%65%72%73%68%65%6C%6C"

        $fname0 = ".hta" wide
        $fname1 = ".cmd" wide
        $fname2 = "Z:\\build\\one" wide
        $fname3 = ".hta" wide
        $fname4 = ".bat" wide
        $fname5 = ".vbs" wide
        $fname6 = ".scr" wide
        $fname7 = ".iso" wide
        $fname8 = ".img" wide
        $fname9 = ".exe" wide
        $fname10 = ".ps1" wide
        $fname11 = ".wsf" wide
        $fname12 = ".jse" wide
        $fname13 = "Z:\\builder\\" wide

    condition:
        $onenote_guid and (
            /* check if we have the strings within a single file block */
            for any i in (1..#fo):(
                for 1 of ($str*):(
                    $ in (@fo[i] + 0x24 ..  
                          @fo[i] + 0x24 + uint16(@fo[i] + 16)
                         )
                )
            )
            or
            /* or the file names referenced twice */
            for any of ($fname*):(
                #>=2
            )
        ) 
}


Yara code ends
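The rule's condition keys on two structures of the OneNote file format: the file-type GUID at offset 0 ($onenote_guid) and the FileDataStoreObject blocks that hold embedded files, each opened by the $fo GUID, with the embedded file's length at +16 and its bytes starting at +0x24. As an added illustration (not code from the Cyber Centre or part of the rule), this Python helper walks those blocks and applies the same two heuristics the rule encodes, reading the full 8-byte length field where the rule reads only 16 bits; the sample .one bytes and the "Open.wsf" attachment name are constructed.

```python
import struct

# Header GUID of a .one file (same bytes as $onenote_guid in the rule).
ONENOTE_GUID = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
# GUID that opens every FileDataStoreObject block (same bytes as $fo in the rule).
FDSO_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
HEADER_LEN = 0x24  # 16-byte GUID + 8-byte cbLength + 4 unused + 8 reserved

# Indicator strings the rule looks for inside a single embedded block.
SCRIPT_MARKERS = [b"powershell", b"FromBase64String", b"WScript.Shell",
                  b"WshShell", b"%70%6F%77%65%72%73%68%65%6C%6C"]
# Extensions the rule matches as UTF-16LE ("wide") strings, twice or more.
SUSPICIOUS_EXT = [".hta", ".cmd", ".bat", ".vbs", ".scr", ".iso", ".img",
                  ".exe", ".ps1", ".wsf", ".jse"]

def iter_embedded_files(data: bytes):
    """Yield (offset, payload) for each FileDataStoreObject block in data.
    The rule reads only uint16 of cbLength; this reads the full 8 bytes."""
    pos = data.find(FDSO_GUID)
    while pos != -1 and pos + HEADER_LEN <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_LEN
        yield pos, data[start:start + length]
        pos = data.find(FDSO_GUID, start + length)

def triage(data: bytes) -> dict:
    """Apply the rule's two heuristics and report what fired."""
    blocks = list(iter_embedded_files(data))
    script_blocks = [off for off, body in blocks
                     if any(m in body for m in SCRIPT_MARKERS)]
    repeated_ext = [ext for ext in SUSPICIOUS_EXT
                    if data.count(ext.encode("utf-16-le")) >= 2]
    return {"is_onenote": data[:16] == ONENOTE_GUID, "blocks": len(blocks),
            "script_blocks": script_blocks, "repeated_ext": repeated_ext}

def build_block(payload: bytes) -> bytes:
    """Wrap payload in a FileDataStoreObject header, padded to 8 bytes (constructed)."""
    header = FDSO_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12
    return header + payload + b"\0" * ((-len(payload)) % 8)

def constructed_sample() -> bytes:
    """Constructed stand-in for a malicious .one: one embedded WSF-style script
    plus an attachment name referenced twice, as OneNote does for embedded files."""
    script = b'<job><script language="VBScript">Set o = CreateObject("WScript.Shell")</script></job>'
    return ONENOTE_GUID + build_block(script) + "Open.wsf".encode("utf-16-le") * 2

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Run against a real .one file, a non-empty script_blocks or repeated_ext list marks the file for closer analysis, exactly as a hit on the rule would.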

Recommended actions

The Cyber Centre recommends that organizations:

  • Expand employee awareness and training opportunities for phishing and spam, including the ability to recognize malicious emails and procedures on what to do if one is received. Footnote 4 Footnote 5 Footnote 6
  • Employees should consider additional verification when a received email seems unusual or has extra layers of actions. Verification should not be a reply to the suspicious email received.
  • Ensure systems are regularly patched and that antivirus software is always up to date.
  • Employ the principle of least privilege for user accounts. This can limit the impact of malware in the event that it is inadvertently executed on a machine.
  • Ensure that macros are disabled by default for untrusted documents. Footnote 10
  • Review the complete list of MITRE ATT&CK techniques employed by malicious actors leveraging Qakbot and the associated mitigations to assist in reducing the threat surface. Footnote 7
  • The Cyber Centre has several publications on security best practices to protect your organization. These include the Cyber Centre’s “Top 10 IT Security Actions”, “Ransomware Guidance” and “Protect Your Organization from Malware”. Footnote 9 Footnote 4 Footnote 5 Footnote 6 Footnote 10 Footnote 11
  • Ensure that proactive measures have been taken to plan and prepare for ransomware. Footnote 12 Footnote 13
  • CISA has several publications of interest related to Qakbot. Footnote 14 Footnote 15

In addition, organizations may also consider disabling auto-mounting of disk image files, such as ISO files, to prevent the use of this detection bypass technique. This can be achieved by modifying Registry values, which requires serious consideration of the impact on standard operating procedures if disk image files are regularly used.

The Cyber Centre wishes to highlight that mitigation efforts following the compromise of systems by competent threat actors may require more than simply remediating individual issues, systems and servers. In cases such as these, based on the perceived sophistication of the threat actor involved, organizations should consider additional mitigative efforts beyond simply removing or updating the affected product. The Cyber Centre recommends that affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity Footnote 16.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, contact the Cyber Centre by email (contact@cyber.gc.ca), or by telephone (1-833-CYBER-88 or 1-833-292-3788).
