Aside from a brief dip in July and August, Qbot dominated our monthly threat rankings throughout the year, flaunting some new delivery methods along the way.
There was no rest for our number one threat last year. While Qbot’s operators appeared to take vacations in both 2021 and 2022, they reemerged with a vengeance in the fall. After all, money don’t grow on trees.
Also known as “Qakbot,” the Qbot banking trojan has been active since at least 2007. Initially focused on stealing user data and banking credentials, Qbot’s functionality has expanded to incorporate features such as follow-on payload delivery, command and control (C2) infrastructure, and anti-analysis capabilities.
Qbot is typically delivered via an email-based distribution model, and in 2022 Qbot affiliates experimented with a variety of file types to deliver malicious payloads during their campaigns, likely in response to additional security controls implemented by Microsoft throughout the year. Examples of different delivery approaches include:
- Continuing from 2021, early 2022 brought Qbot in the form of malicious ZIP attachments containing a macro-laden XLS dropper.
- In April, researchers saw Qbot delivered via malicious MSI packages.
- In mid-May, multiple Red Canary customers received phishing emails with malicious ZIP files containing LNK files. The LNK files ran PowerShell commands to download and execute a Qbot DLL payload.
- In mid-2022 researchers observed Qbot operators rapidly altering the specifics of their payloads, sometimes changing file types or payloads day to day.
- In the latter half of the year, adversaries used HTML smuggling to deliver malicious code via an HTML file attached to an email, which then downloaded a password-protected ZIP archive containing an ISO file. Qbot is also known to deliver ZIP archives with IMG, VHD, and VHDX disk images. Using a disk image file allows Qbot to bypass the Mark-of-the-Web (MOTW) feature because extracted or mounted files do not reliably inherit MOTW.
Over the years, various groups have integrated Qbot into their operations. The Proofpoint-named groups TA577 and TA570 (which Red Canary assesses to be similar to Microsoft DEV-0450) are some of the most active Qbot malware affiliates. TA577 is also informally known as the “letters” affiliate based on the use of campaign IDs including letters such as AA or BB. TA570 is sometimes referred to as “presidents” because of the use of U.S. presidents’ names in its malware configuration, for example, a campaign identifier like obama225. While Red Canary cannot validate with high confidence that a specific group is present in an environment without obtaining a copy of the malware containing the campaign identifier, we did observe threats with similar naming schemes in our customers’ environments throughout 2022.
Qbot is usually deployed as just one stage of an adversary’s playbook, with follow-on activity tied to the objectives of the affiliate group deploying it. While Red Canary does not observe a lot of post-Qbot activity, we know various ransomware affiliates have used it as an initial access vector in years prior, and 2022 was no different. This year Black Basta ransomware operators began leveraging Qbot to deploy command and control payloads such as Brute Ratel and Cobalt Strike.
Historically, Qbot cycles between periods of intense activity followed by quiet, near-dormancy. A sharp increase in Qbot activity paired with changes to the malware—likely in an attempt to make it more challenging for defenders to detect—can signal the start of a new Qbot campaign. From 2021 to 2022, Red Canary observed several of these cycles.
The best way to remedy the risk of any threat is to prevent your users from having the opportunity to become a victim. Qbot remains an adaptive threat that is reliant on email for distribution, so if you want to stop Qbot, start in the inbox. Implementing an email gateway filtering solution is one way of minimizing Qbot infections within your environment.
To inhibit users from infecting themselves via mountable virtual drives, consider disabling disk image (ISO, IMG, VHD, VHDX) mounting functionality via registry hive modifications, which also has the benefit of inhibiting additional threats.
Phishing emails related to Qbot may contain a variety of attachment types. One tactic used is for the attachments to download a ZIP archive containing a disk image such as an ISO, IMG, or VHD. Contained within these virtual disks is a script file that is subsequently executed, followed by activity that is consistent with successful Qbot execution.
Focusing on the activity from this early-to-intermediary stage TTP, we’ve provided a detection opportunity that focuses on Windows Scripting Hosts (cscript.exe) that are invoking the execution of common scripting formats that Red Canary has observed being used by Qbot—such as .wsf—that are from a logical mounted drive using the drive letters D: through Z: and that have a child process.
parent_process == 'explorer.exe' && process == ('wscript' || 'cscript') && command_includes ('[d-z]:\\[^\\]+\.(?:js|vbs|wsf)') && has_child_process
While the above detection opportunity may be most helpful for defenders who are attempting to identify Qbot and other threats that use this TTP for initial access, below we list some opportunities to identify active Qbot infections as well.
In an attempt to evade defenses, Qbot injects into processes as a proxy to initiate command and control and write follow-on payloads to disk. In August 2022, Elastic released a report that illuminated when and why Qbot chose some of these injection targets, including OneDriveSetup.exe, which we observed earlier in the year.
Replicating this approach, we can apply this same logic to additional processes—like atbroker.exe for example—as they are identified and reported on by researchers.
process == ('OneDriveSetup' || 'wermgr' || 'atbroker') && command == ("")* && has_netconn
"" in detector pseudocode denotes a blank command line.
Many of the mid to late-stage TTPs used by Qbot are known to change and appear to be configurable, dependent on the distribution affiliate or campaign ID observed at the time. Research from Threatray suggested that different affiliates may drop separate versions of Qbot. Acknowledging the differing activity that may be observed between unique affiliates, we leave you with one final mid-stage detection opportunity, focusing on rundll32.exe being used to proxy the execution of code in non-standard file formats.
process == ('rundll32') && command_does_not_include ('.dll' || '.cpl' || '.ax' || '.ocx' || '.inf')
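The three detection opportunities above, rendered as one small evaluator over process telemetry so the logic can be tried against sample events. This is an added example, not Red Canary's detector code; the ProcessEvent shape and the sample command lines are constructed for illustration, and the script regex is the one given in the first analytic.

```python
import re
from dataclasses import dataclass
from typing import List

# Regex from the first detection opportunity: a .js/.vbs/.wsf file in the root of a
# logical drive D: through Z:. Because [^\\]+ cannot cross a backslash, a script in a
# subfolder of the mounted image would not match this pattern as written.
MOUNTED_SCRIPT_RE = re.compile(r"[d-z]:\\[^\\]+\.(?:js|vbs|wsf)", re.IGNORECASE)
# Injection targets named in the second detection opportunity.
INJECTION_TARGETS = {"onedrivesetup.exe", "wermgr.exe", "atbroker.exe"}
# File formats rundll32 is normally handed; their absence is the third signal.
RUNDLL32_USUAL_EXTS = (".dll", ".cpl", ".ax", ".ocx", ".inf")

@dataclass
class ProcessEvent:          # constructed event shape, not a vendor schema
    process: str             # image name of the process, e.g. "wscript.exe"
    parent: str              # image name of its parent
    command_line: str        # "" models the blank command line the page footnotes
    has_child_process: bool = False
    has_netconn: bool = False

def detect(ev: ProcessEvent) -> List[str]:
    """Return the detection opportunities from the page that this event trips."""
    hits = []
    proc, cmd = ev.process.lower(), ev.command_line
    # 1: WSH spawned by explorer.exe, running a script off a mounted drive, with a child.
    if (ev.parent.lower() == "explorer.exe" and proc in ("wscript.exe", "cscript.exe")
            and MOUNTED_SCRIPT_RE.search(cmd) and ev.has_child_process):
        hits.append("wsh_script_from_mounted_drive")
    # 2: a known injection target with a blank command line that reaches the network.
    if proc in INJECTION_TARGETS and cmd.strip() == "" and ev.has_netconn:
        hits.append("injection_target_blank_cmdline_netconn")
    # 3: rundll32 whose command line names none of the usual file formats.
    if proc == "rundll32.exe" and not any(e in cmd.lower() for e in RUNDLL32_USUAL_EXTS):
        hits.append("rundll32_nonstandard_file_format")
    return hits

# Constructed sample telemetry (not real Qbot artifacts); file names are made up.
SAMPLE_EVENTS = [
    ProcessEvent("wscript.exe", "explorer.exe", r'wscript.exe "E:\invoice.js"', has_child_process=True),
    ProcessEvent("wscript.exe", "explorer.exe", r'wscript.exe "C:\Users\bob\invoice.js"', has_child_process=True),
    ProcessEvent("wermgr.exe", "explorer.exe", "", has_netconn=True),
    ProcessEvent("rundll32.exe", "explorer.exe", r"rundll32.exe C:\Users\Public\data.tmp,DllRegisterServer"),
    ProcessEvent("rundll32.exe", "explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

def run_samples() -> List[List[str]]:
    return [detect(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{ev.process:14} {ev.command_line[:48]:48} -> {hits or ['no hit']}")
```

The second sample shows the drive-letter filter doing its job on a script run from C:, and the last shows a legitimate rundll32 invocation passing the third analytic.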
Atomic test #2 for T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass mounts an ISO image and runs an executable from the ISO. As noted above, using a disk image file allows Qbot to bypass the MOTW feature because extracted or mounted files do not reliably inherit MOTW.
Further, many of the tests for T1218.011: Rundll32 execute rundll32.exe without a command line containing the file formats mentioned in the final detection opportunity of the previous section.