Qakbot Strikes Back: Understanding the Threat 

New QakBot Campaign  

Qakbot, also known as QBot, is a banking trojan and botnet that has been active since 2008. However, last year, the servers associated with Qakbot were taken down in a multinational law enforcement operation called Operation Duck Hunt. Recently, Binary Defense threat researchers analyzed the reemergence of the QakBot botnet. The new QakBot DLL has undergone some minor changes, and it now uses a new persistence mechanism that utilizes the srtasks.exe Windows process to survive after host restoration. 

Qakbot is usually distributed through phishing campaigns with various themes, including reply-chain email attacks. These campaigns typically involve malicious documents as attachments or links to download malicious files that install the Qakbot malware on a user’s device. Over the years, themes such as malicious macros, OneNote files with embedded malicious files, and malicious ISO attachments with executables and Windows shortcuts have been associated with QakBot campaigns. 

Recent Chatter  

After the August 2023 multinational law enforcement takedown of QakBot server/botnet infrastructure, researchers at Microsoft identified a new phishing campaign tied to QakBot with the theme of masquerading as an IRS employee.[1]

This IRS-themed phishing campaign is common in the first few months of the year, as many people are filing tax returns and might anticipate some form of communication from the IRS. Although the campaign targeted a small number of users in the hospitality industry, there could be a rise in QakBot infections disguised as other prevalent phishing themes due to the botnet’s resurgence. 

QakBot – Then and Now  

QakBot has been a prolific botnet variant since at least 2008. Originally developed as a banking trojan, the trojan has evolved to have a wide variety of capabilities, including reconnaissance, collecting and exfiltrating data, and delivering other payloads such as ransomware on victim devices. The botnet has targeted critical infrastructure such as financial and emergency services, as well as other global infrastructures, as an initial access method to gather information or to potentially deploy additional payloads. 

In late 2023, QakBot’s servers were taken down in a multinational law enforcement operation called Operation Duck Hunt. This operation obtained access to the QakBot servers and terminated the botnet. The takedown involved redirecting the botnet traffic through FBI-controlled servers to download a specific file in order to uninstall the QakBot malware from systems. This led to the identification of over 700,000 computers as being a part of the overall QakBot botnet.[3]

Recent Campaign  

QakBot, like most prolific malware families, evolves frequently to adapt to recent trends. Over the years, the botnet has evolved its initial access methods from email phishing lures to include HTML smuggling tactics and malicious OneNote campaigns. QakBot uses extensive anti-analysis techniques on the system in order to evade analysis and detection by users or potential security researchers. Analysis of the code within recent QakBot samples revealed use of the functions below:

  • IsDebuggerPresent  
  • GetCurrentProcessId  
  • GetCurrentProcess  
  • TerminateProcess  
  • GetCurrentThreadId  

The functions mentioned are mainly used as discovery tactics within the source code of a malicious program to survey the infected computer. These tactics are employed for various reasons, such as determining if the specific host is a suitable target or to check if the program is running in an analysis environment. Further investigation into the recent QakBot variant revealed that the payload consisted of minor changes to the new QakBot DLL, and it contains various bugs, indicating that the new version is still under development. 

The recent QakBot variant disguises itself as an Adobe Reader installation window to avoid detection on the infected device. When the Adobe Installer screen launches, an additional .tmp file is created in the C:\Windows\Installer directory. When the .tmp file is created, the infected msiexec.exe process then launches srtasks.exe using the following command:  

srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:<Number>  

A randomized number is appended to the end of the WaitForRestorePoint parameter, likely to select which restore point QakBot wishes to configure on the system depending on how many restore points are associated with the device.  

Srtasks.exe  

SrTasks.exe is a legitimate Windows process that handles the creation of restore points for a system.[4] Users and Administrators can create specific or recurring restore points on a system as a form of a backup method for various reasons, such as unintentional system resets or potential malware on the system. If a restore point is created, the current state of the system is saved and can be brought back at any point.

QakBot likely utilizes the srtasks.exe process to establish persistence after a factory reset. In the variant analyzed by Binary Defense researchers, the restore point was created under the “Install” type with the description of “Adobe Installation” in Russian. This tactic of utilizing srtasks.exe is unique to this QBot campaign, as previous campaigns entailed utilizing scheduled task creation through schtasks.exe. Future campaigns will likely see the increased use of srtasks.exe to maintain persistence on the machine after a reset. However, this tactic is dependent on a user’s or company’s use of restore points before the initial infection.  

Qakbot was also observed to launch an additional msiexec.exe process in tandem with the original process. This is likely to evade detection on the machine by masquerading as a legitimate instance of msiexec.exe. This process was observed to drop a packed .dll file titled “KROST.dll” within the user’s AppData\Roaming folder. The second msiexec.exe launches the .tmp file associated with the above restore point activity. This .tmp process then proceeds to launch rundll32.exe using the following command:  

"MSI8C0A.tmp" /HideWindow rundll32 C:\Users\<User>\AppData\Roaming\KROST.dll,hvsi

This command launches a hidden rundll32 window in order to execute the malicious .dll file that was dropped. This is to prevent detection of a secondary payload executing on the host machine. After this, Qakbot will silently run in the background on the infected host.  
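
The two behaviours described above (msiexec.exe spawning srtasks.exe, then a .tmp launcher running rundll32 with /HideWindow against a DLL in AppData\Roaming) can also be checked offline against exported process-creation logs. The following is an added example, not Binary Defense's code; the event tuple layout, host names, user name, timestamps and the 10-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, time, parent image, image, command line).
EVENTS = [
    ("WS-01", "2024-02-01T10:00:05", "msiexec.exe", "srtasks.exe",
     "srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:7"),
    ("WS-01", "2024-02-01T10:00:41", "msiexec.exe", "MSI8C0A.tmp",
     r'"MSI8C0A.tmp" /HideWindow rundll32 C:\Users\alice\AppData\Roaming\KROST.dll,hvsi'),
    # Benign: installer-triggered restore point with no hidden rundll32 follow-up.
    ("WS-02", "2024-02-01T11:15:00", "msiexec.exe", "srtasks.exe",
     "srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3"),
    # Benign: rundll32 started from explorer, not from a .tmp launcher.
    ("WS-03", "2024-02-01T12:00:00", "explorer.exe", "rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

RESTORE = re.compile(r"ExecuteScopeRestorePoint\s+/WaitForRestorePoint:(\d+)", re.I)
HIDDEN_DLL = re.compile(
    r"/HideWindow\s+rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+\.dll)\"?,(?P<export>\w+)", re.I)

def correlate(events, window=timedelta(minutes=10)):
    """Return hits where both behaviours occur on one host within `window`."""
    restore, hidden = {}, {}
    for host, ts, parent, image, cmd in events:
        when = datetime.fromisoformat(ts)
        # Behaviour 1: msiexec.exe -> srtasks.exe ExecuteScopeRestorePoint
        if (parent.lower() == "msiexec.exe" and image.lower() == "srtasks.exe"
                and RESTORE.search(cmd)):
            restore.setdefault(host, []).append(when)
        # Behaviour 2: *.tmp /HideWindow rundll32 <DLL under AppData\Roaming>,<export>
        m = HIDDEN_DLL.search(cmd)
        if m and image.lower().endswith(".tmp") and "\\appdata\\roaming\\" in m["dll"].lower():
            hidden.setdefault(host, []).append((when, m["dll"], m["export"]))
    hits = []
    for host, loads in hidden.items():
        for when, dll, export in loads:
            if any(abs(when - r) <= window for r in restore.get(host, [])):
                hits.append({"host": host, "dll": dll, "export": export,
                             "time": when.isoformat()})
    return hits

if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

Requiring both events on the same host keeps the installer-only restore point on WS-02 from alerting, which is the false-positive case a standalone srtasks.exe rule runs into.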

The recent reemergence of QakBot may signal wider use of the malware as an initial access method, whether to gather information from the environment or to deliver a second-stage payload. As this variant is still emerging and contains various bugs, its functionality may change in the upcoming months.

Appendix A: Detections  

Microsoft Sentinel/Defender for Endpoint  

DeviceProcessEvents
| where InitiatingProcessFileName has ("srtasks.exe") and InitiatingProcessParentFileName has ("msiexec.exe") and InitiatingProcessCommandLine has_all ("ExecuteScopeRestorePoint", "/WaitForRestorePoint")

//Note: While this detection identifies a new behavior of Qakbot, it is also subject to high false positives without a well-tuned baseline. It may be more useful when combined with other behaviors, such as:  

DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName =~ "srtasks.exe" and ProcessCommandLine has_all ("ExecuteScopeRestorePoint", @"/WaitForRestorePoint") and InitiatingProcessFileName =~ "msiexec.exe" and InitiatingProcessCommandLine =~ "msiexec.exe /V"
| join (DeviceProcessEvents | where TimeGenerated > ago(30d) | where FileName has ".tmp" and ProcessCommandLine has "rundll32" and InitiatingProcessCommandLine =~ "msiexec.exe /V") on DeviceName, InitiatingProcessId

DeviceRegistryEvents
| where ActionType == "RegSetValue"
| where RegistryKey has (@"System\CurrentControlSet\Services\VSS\Diag\SPP") and RegistryValueName has_any ("SppGetSnapshots (Enter)", "SppGetSnapShots (Leave)", "SppEnumGroups (Enter)")

DeviceProcessEvents
| where InitiatingProcessFileName endswith ".tmp" and ProcessCommandLine has (".dll") and FileName has ("rundll32.exe")

DeviceFileEvents
| where FolderPath has (@"AppData\Roaming") and FileName has ("KROST.dll")

DeviceProcessEvents
| where FileName endswith ".tmp" and ProcessCommandLine has_all ("rundll32", @"/HideWindow")

References:  

Qbot malware returns in campaign targeting hospitality industry

[1] https://twitter.com/MsftSecIntel/status/1735856754427047985  

[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a  

[3] https://www.securityweek.com/operation-duck-hunt-qakbot-malware-disrupted-8-6-million-in-cryptocurrency-seized/  

[4] https://support.microsoft.com/en-us/windows/use-system-restore-a5ae3ed9-07c4-fd56-45ee-096777ecd14e