Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1

Adversaries constantly develop new tactics that enhance their capabilities to deploy malware across networked environments and monetize infected systems. This blog is Part 1 of a three-part series detailing research and observations by the CrowdStrike® Falcon Complete™ managed services team regarding one such malware variant, QakBot (aka QBot), and its behavior in recent campaigns.

 

In this blog we provide an overview of a recent QakBot campaign observed in the wild. Part 2 will feature an in-depth analysis of the evolution of QakBot tactics, techniques and procedures (TTPs) through June 2020. We will culminate the series in Part 3 by outlining the Falcon Complete team's strategy for the remote remediation of a QakBot-infected host.

 

Threat Background and Context

QakBot is an eCrime banking trojan that has the potential to severely impact an organization’s ability to operate. QakBot can spread laterally throughout a network utilizing a worm-like functionality through brute-forcing network shares and Active Directory user group accounts, or via server message block (SMB) exploitation.

 

QakBot also employs a robust set of anti-analysis features to evade detection and frustrate analysis. Despite these evasion techniques, CrowdStrike Falcon®® detects and prevents this malware from completing its execution chain. QakBot has been observed for nearly a decade, and historically, it included traditional features of banking trojans and information stealers. However, it has since evolved and expanded its capabilities.

 

QakBot also shows no signs of slowing down — in fact, Falcon Complete observed a notable resurgence in its delivery volume, beginning in April 2020, with regular updates through the summer months. Recent campaigns have been delivered primarily via email, with attached ZIP archives containing a Visual Basic Script (VBS) downloader. In contrast, there have also been several tactical outliers, such as Microsoft Word DOC-based deliveries along with campaigns that included secondary malware payloads like Zloader. The following section covers static and dynamic analysis of the QakBot DOC-based delivery campaign. This analysis includes an overview of techniques used by the threat actor to obfuscate, hinder and attempt to prevent analysis of malicious documents delivered by QakBot to ensure a successful infection of the victim.
black, red and white timeline illustration Figure 1. Timeline of QakBot Campaigns (click image to enlarge)

QakBot Introduces DOC-based Delivery

As QakBot surged in early April 2020, the operators leveraged a new tactic for delivery: a Microsoft Word document delivered via malspam that was weaponized with macros containing a malicious VB script. While operators shifted delivery tactics several times throughout the summer, the overall TTPs related to QakBot’s execution chain remained largely the same, and analysis of this DOC file provides useful insights into the capabilities of QakBot’s authors.

Static Analysis of Downloader DOC

Document Features

In early April, the team observed a document that was detected and blocked within a client environment.

 

  • Filename: AGRMT_06052020_519.doc
  • SHA256: b1e8b724380e6e041e3c2b4dfe5d4827fe0ae1bb0816b47d14d21d6f94194797
This was a typical phishing document that attempts to lure intended victims to enable macros that execute malicious code.
Figure 2. User Prompt (click image to enlarge)
The malicious macro included in the document is locked — an example of the many anti-analysis and sandbox-evasion features included in these campaigns.

 

Figure 3. Locked Macro Modules (click image to enlarge)
The locked macros prevent sandboxes from inspecting the macro content and also impede manual analysis. Once this protection is bypassed, the contents of the Visual Basic for Applications (VBA) project are then available.

 

Figure 4. Macros Now Accessible
The macros are highly obfuscated and broken down into either UserForm objects or modules containing more typical Functions and Subs. The UserForm objects are structured in a variety of different text boxes, buttons and label objects that don’t actually execute code themselves, but hold string data in their tags that is called by Functions in the macros code.
Figure 5. Modules and Objects (click image to enlarge)

Macro De-obfuscation

The macro contents are extracted to a text editor for continued static analysis and easier de-obfuscation. The macros are extensively obfuscated with a variety of anti-analysis techniques. This includes using several lines of garbage code, along with confusing variable assignments, string reversals and an interesting string encoding technique that leverages nested conversions. The two components of greatest interest are the functions that include an encoding algorithm and a block of strings that contain the encoded URLs, from which the code will attempt to download the next-stage payload.

 

Figure 6. Encoding Algorithm (click image to enlarge)
The encoding algorithm leverages the VBA Mid function to perform operations on URL strings. The $Mid function sets the text block, sets the starting position of the text’s index, and then instructs it to select the number of characters (in this case, 1). It is also wrapped in a For Loop that instructs the Function to loop over the length of the string in reverse order. Finally, it includes a series of string conversions following the loop operation. Each character is converted to ASCII and then subtracted by a value of 1, then converted back into a character. This new character string is actually Base64 encoded and must then be decoded to reveal the actual URL.

 

 

 

Figure 7. Obfuscated URLs (click image to enlarge)
For example, the URLs are decoded by taking the last character in each string, converting it to ASCII, subtracting by 1 and then looping backward the length of the string. Finally, the Base64 string is decoded. The first variable in Figure 9,

 

“dkekr(1),” which holds the string

 

“o6HdvhEP5hEP5h{M5iHdkS4Mu:3Zv1H
Figure 8. Decoded URL (click image to enlarge)
The VB code contains a total of six URLs that it will loop through until it receives a valid response to download the next stage payload. It is necessary to break down this obfuscation to successfully identify all six of these indicators of compromise (IOCs). If only network log data or sandbox results are used, the infection chain may stop at the first valid response and not loop through all six URLs. The complete list of IOCs may then be implemented in the appropriate network control such as a web proxy or firewall. When executed, the final macro code as interpreted by CMD decodes into a classic PowerShell download cradle that fetches the initial QakBot payload. There is one last bit of obfuscation here as the script does contain two more encoded strings. One is the URL as seen above in Figure 8, and another is the full path to which the payload will initially be written: “C:\Users\Public\tmpdir\file”.

 

Figure 9. Download Cradle (click image to enlarge)
The cradle appends “1.exe” to the file named “file” and eventually writes itself to “C:\Users\Public” before continuing with the remainder of the execution chain if the appropriate anti-analysis checks are met. The execution chain for this delivery style is shown below in Figure 10. Please note that the examples in the following scenarios have CrowdStrike Falcon® configured with DETECTIONS ONLY and PREVENTIONS OFF for illustrative purposes. A properly configured Falcon instance would prevent the activity presented here.
Figure 10. Process Tree as Displayed in Falcon (click image to enlarge)
The Falcon Complete team frequently responds to detections where Falcon has prevented a successful QakBot phishing attempt. In these cases that have proper implementation of preventions, the remediation simply consists of removing the original attachment written to the disk and any associated residual script artifacts. In these cases, Falcon interrupts the infection before binaries are executed or persistence is established.

 

 

Conclusion

 

QakBot has the potential to severely impact an organization due to its capability for lateral movement and data theft. As we have seen, QakBot employs a robust set of anti-analysis features and has recently surged in its operational volume within the threat landscape.

 

In this blog, we presented an analysis of a DOC-based QakBot downloader. The threat actors behind QakBot, tracked by CrowdStrike Intelligence as MALLARD SPIDER, have demonstrated the ability to rapidly re-tool, implement anti-analysis techniques and develop methods of advanced obfuscation in a short period.

 

Stay tuned for Parts 2 and 3 where we delve deeper into our analysis and offer

 

recommendations for improving your defenses against QakBot and similar threats.

 

As QakBot evolves, so does the Falcon Complete team’s ability to adapt, react to and remediate this threat to protect our client environments. The team provides the expertise to identify and remediate infections to help organizations recover from potentially devastating incidents. The Falcon Complete team focuses on stopping breaches so CrowdStrike clients can focus on their business goals and operations.

Appendix

Table 1 below contains a mapping of QakBot tactics to the MITRE ATT&CK® framework.
TacticTechniqueSub-TechniqueID
Initial AccessPhishingSpear-Phishing AttachmentT1566.001
ExecutionUser ExecutionMalicious Link, Malicious FileT1204.001, T1204.002
ExecutionCommand and Scripting InterpreterPowerShell, CMD Shell, Visual BasicT1059.001, T1059.003, T1059.005
ExecutionSigned Binary Proxy ExecutionMsiexec, Rundll32T1218.007, T1218.011
PersistenceBoot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder

 

T1547.001
PersistenceScheduled Task/JobScheduled TaskT1053.005
Defense EvasionObfuscated Files or InformationNoneT1027
Defense EvasionProcess InjectionDynamic-link Library InjectionT1055.001
Defense EvasionVirtualization/Sandbox EvasionSystem ChecksT1497.001
DiscoveryVirtualization/Sandbox EvasionUser Activity Based ChecksT1497.002
DiscoveryNetwork Share DiscoveryNoneT1135
Credential AccessBrute ForcePassword GuessingT1110.001
Lateral MovementRemote ServicesSMB/Windows Admin SharesT1021.002
Command and ControlApplication Layer ProtocolWeb ProtocolsT1071.001
Table 1. MITRE ATT&CK Mapping IOCs associated with QakBot analyses are shown in Table 2.
IndicatorPurpose
PicturesViewer.dll, PicturesViewer.exe, PaintHelper.dll, PaintHelper.exe, file1.exeQakBot binary names
“<0-9>{6,9}\.zip”, “NUM_<0-9>{4,6}\.vbs”Regular expression of observed filename convention of zip archives containing vbs to that launches QakBot downloader
“dfPEZd”, “ezQVN”, “wCdZgXH”Scheduled Task tasknames
"""C:\windows\System32\WScript.exe"" ""C:\Users\*\AppData\Local\Temp\Temp1_*.zip\NUM_*.vbs""Command line example of initial execution

 

C:\Users\*\Downloads\“<0-9>{6,9}\.zip"Initial QakBot download path. Observed as an 8 or 9-character numeric name.

 

C:\Users\*\AppData\Local\Temp\Temp1_“<0-9>{6,9}\.zip\NUM_<0-9>{4,6}\.vbsExecution path of VB downloader script
%AppData%\lwob\esexydry.dll %AppData%\PicturesViewer.dll %APPDATA%\dasfdsfsdf.exe %APPDATA%\Iwhoq\pozypua.dll %APPDATA%\IE\GGYJG27Z\dasfdsfs.df<1>.exe C:\Users\Public\tmpdirQakBot binary paths in home directories, observed as an alphabetical name under an alphabetical folder in %AppData%, or pre-named PicturesViewer, PaintHelper
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunRegistry run key persistence
Table 2. IOCs Associated with QakBot

Additional Resources

Breaches Stop Here