Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3

This blog is the last in a three-part series presenting the CrowdStrike® Falcon Complete™ team’s analysis of the recent QakBot campaigns observed in the wild and outlining a strategy for the remote identification of a QakBot-infected host. While Part 1 and Part 2 provided an analysis of techniques used by the threat actor to gain successful infections, Part 3 provides recommendations for countermeasures that can be deployed via the CrowdStrike Falcon®® platform to prevent and contain infections before a widespread incident occurs. We also outline a strategy for how the team helps organizations recover from incidents via our remote remediation capabilities.

 

QakBot is an eCrime banking trojan that is capable of spreading laterally throughout a network. Utilizing a worm-like functionality, it spreads through brute forcing network shares, brute forcing Active Directory user group accounts or via SMB exploitation. QakBot also employs a robust set of anti-analysis features to evade detection and frustrate analysis. Despite these protections, the CrowdStrike Falcon®® platform detects and prevents the malware from completing its execution chain.

 

Solution: Prevention, Containment and Remediation

The Falcon Complete team’s approach to defeating the QakBot threat can be defined in several ways, depending on the tailored approach created for the customer. The best way to defend against QakBot is never allowing it to get a foothold in the first place, and the Falcon platform offers the prevention policies that are effective in stopping QakBot in its tracks. For situations where prevention is not enabled, a strategy of containment and fast remote response allows our analysts to quickly remediate the infection via the Falcon Real Time Response (RTR) console, resulting in less downtime, less interference and more productivity.

Configuring Proper Prevention Policies

 

 

Prevention policies are policies configured in the Falcon UI that allow organizations to customize how aggressive the Falcon sensor is with detections and preventions. Organizations can choose to configure these policies themselves or take advantage of the Falcon Complete team’s expertise to configure and offer guidance for best practices regarding these configurations.
Figure 1. Prevention policy settings as shown in the Falcon UI (click image to enlarge)
Falcon’s next-gen antivirus has the ability to block malware based on machine learning and behavioral pattern analysis. Being a non-signature-reliant platform with the proper prevention policies in place, Falcon reliably prevents known QakBot infections before any second-stage payloads are executed. With prevention policies configured like those depicted in Figure 1, we can see that the execution of a senate.m4a Zloader payload was blocked, and the detection details appear in the Falcon UI for analyst review (see Figure 2).

 

Figure 2. Falcon blocking second-stage payload execution of senate.m4a (click image to enlarge)

Host Network Containment via the Falcon UI

In the event that prevention policies are not set to actively block the QakBot threat — as is sometimes the case in more sensitive environments — customers can take advantage of the 24/7/365 virtual security operations center (SOC) offered by Falcon Complete. In these cases, Falcon Complete will triage, stop lateral spread and remediate the QakBot banking trojan threat. In the instance of an unprevented QakBot infection, the Falcon Complete team receives a high-confidence alert for malicious files, triggered by Falcon’s machine-learning algorithms.
Figure 3. Detection in the UI as shown by Falcon (click image to enlarge)
Upon expanding the alert, the analyst can recognize the QakBot threat by the tactics employed — many discovered during CrowdStrike’s tracking of this threat.
Figure 4. Ability to network-contain hosts in emergency situations (click image to enlarge)
If among the pre-approved countermeasures, the analyst can network-contain the host to prevent the lateral spread of the info-stealer within the environment. This limits business impact and productivity loss for users, and saves time and cleanup for your internal SOC team.

Remediation with Falcon RTR

QakBot malware is fairly simple in its functionality, but its capability to move laterally can be potentially devastating in enterprise networks. Because of this worm-like spreading and its costly repercussions, the Falcon Complete team has classified the difficulty of the remediation process as “Hard.” The following is a brief illustration of the remote remediation process via Falcon Real Time Response (RTR).

 

red and black chart The remediation of QakBot can be broken into three distinct steps:
  1. Killing the malicious processes (e.g., injected explorer)
  2. Removing the persistence mechanism (e.g., scheduled task, registry run key)
  3. Removing disk artifacts (e.g., binaries and directories).
Please note: Some of the examples in the following scenario have CrowdStrike Falcon® configured with DETECTIONS ONLY and PREVENTIONS off for illustrative purposes. A properly configured Falcon instance, as noted previously, would prevent the activity presented here.

 

STEP 1. Finding and Killing the Malicious explorer.exe Process

QakBot will create a new instance of the explorer.exe process and inject itself into the new process. It is possible for multiple instances of this process to occur, but responders must determine the malicious instance. It may not be immediately clear which explorer.exe process is legitimate, but this can be determined by querying the process with the “-Module” parameter, as shown in Figure 5.
Figure 5. Query for explorer.exe process injection (click image to enlarge)
In the example in Figure 5, “gps” is a built-in alias for the “Get-Process” cmdlet, and the process id was determined by an early query (not shown). The legitimate explorer process will have several modules associated with it, but the malicious instance will have very few — typically less than ten. In this case, Falcon had already prevented the injected process, but if there were a malicious instance present, it could be killed with the following command: “kill ‘<PID>.’”

STEP 2. Removing Persistence

QakBot typically employs a scheduled task and a registry run key for persistence mechanisms on compromised hosts. Figure 6 shows a query for scheduled tasks on the affected host. The search can be assisted by the historical knowledge that will point to a binary in %AppData%, so this is used as a search string to quickly identify not only the malicious TaskName but also the full path to the main binary.
Figure 6. Query to find the path for scheduled task persistence mechanism (click image to enlarge)
The parent directory of the QakBot binary is a key indicator of compromise (IOC) and can be used later in the manual remediation process and as an integral search string. In the query shown in Figure 6, the parameter “-context 10” shows the surrounding ten lines and will reveal the actual name of the task that is required for removal. This can simply be deleted with the built-in CMD program schtasks.exe, like so:
Figure 7. Removing the scheduled task (click image to enlarge)
In addition to scheduled tasks, QakBot will often create a registry run key to establish persistence. The modified value is placed under this key name: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Figure 8 shows the output of the query for this registry key.

 

Figure 8. Registry query (click image to enlarge)
In Figure 8, we obtain the value of the malicious run key and again encounter the path to the main QakBot binary location. Removal of the key is performed with the command shown in Figure 9.
Figure 9. Removing the run key (click image to enlarge)

STEP 3. Removing Remaining Artifacts

QakBot leaves file system residue in a few specific locations on infected hosts. The first one is the random alphabetically named folder located in C:\Users\*\AppData\Roaming\Microsoft, identified in the remediation steps above. The name of this directory is dynamic, but it will reliably contain QakBot’s core binary, .dat files and other resources. This initial download along with the temporary location of the loader’s initial execution may also require removal, as shown in Figure 10.
Figure 10. Removal of residual file system artifacts (click image to enlarge)
The steps outlined above are the general process for identifying QakBot artifacts and successfully remediating a host for the QakBot malware. This process is quite effective in singular instances, but in reality this is rarely the case due to QakBot’s lateral movement capabilities. A properly configured Falcon platform is a critical component of a successful defense strategy to defeat this threat.

 

Conclusion

QakBot has undergone a resurgence in both its delivery volumes and technical evolution. The potential impact from a successful QakBot infection includes (but is certainly not limited to) widespread lateral infections, theft of confidential data, deployment of secondary payloads and loss of organizational prestige.

 

Remediating these types of infections becomes more complicated with these variants’ ability to spread laterally to many hosts. Furthermore, with a transition to a more remote workforce, the capability to remotely remediate infections on hosts that are geographically distributed will become increasingly important as rebuilding systems becomes impractical. The Falcon Complete team will continue to track this threat and monitor our clients’ environments for any notable developments. Despite QakBot’s anti-analysis and evasive capabilities, the CrowdStrike Falcon® platform prevents this malware from completing its execution chain when it detects the VBScript execution. The Falcon Complete team deals with threats like this every day, providing our customers with the expertise required to remediate these infections and help organizations recover from potentially devastating incidents.

 

Appendix

Table 1 below contains a mapping of QakBot tactics to the MITRE ATT&CK® framework.
TacticTechniqueSub-TechniqueID
Initial AccessPhishingSpear-Phishing AttachmentT1566.001
ExecutionUser ExecutionMalicious Link, Malicious FileT1204.001, T1204.002
ExecutionCommand and Scripting InterpreterPowerShell, CMD Shell, Visual BasicT1059.001, T1059.003, T1059.005
ExecutionSigned Binary Proxy ExecutionMsiexec, Rundll32T1218.007, T1218.011
PersistenceBoot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder

 

T1547.001
PersistenceScheduled Task/JobScheduled TaskT1053.005
Defense EvasionObfuscated Files or InformationNoneT1027
Defense EvasionProcess InjectionDynamic-link Library InjectionT1055.001
Defense EvasionVirtualization/Sandbox EvasionSystem ChecksT1497.001
DiscoveryVirtualization/Sandbox EvasionUser Activity Based ChecksT1497.002
DiscoveryNetwork Share DiscoveryNoneT1135
Credential AccessBrute ForcePassword GuessingT1110.001
Lateral MovementRemote ServicesSMB/Windows Admin SharesT1021.002
Command and ControlApplication Layer ProtocolWeb ProtocolsT1071.001
Table 1. MITRE ATT&CK mapping

IOCs associated with QakBot analyses are available in Table 2.

IndicatorPurpose
PicturesViewer.dll, PicturesViewer.exe, PaintHelper.dll, PaintHelper.exe, file1.exeQakBot binary names
“<0-9>{6,9}\.zip”, “NUM_<0-9>{4,6}\.vbs”Regular expression of observed filename convention of zip archives containing VBS that launches QakBot downloader
“dfPEZd”, “ezQVN”, “wCdZgXH”Scheduled Task tasknames
"""C:\windows\System32\WScript.exe"" ""C:\Users\*\AppData\Local\Temp\Temp1_*.zip\NUM_*.vbs""Command line example of initial execution

 

C:\Users\*\Downloads\“<0-9>{6,9}\.zip"Initial QakBot download path. Observed as an 8 or 9-character numeric name.

 

C:\Users\*\AppData\Local\Temp\Temp1_“<0-9>{6,9}\.zip\NUM_<0-9>{4,6}\.vbsExecution path of VB downloader script
%AppData%\lwob\esexydry.dll %AppData%\PicturesViewer.dll %APPDATA%\dasfdsfsdf.exe %APPDATA%\Iwhoq\pozypua.dll %APPDATA%\IE\GGYJG27Z\dasfdsfs.df<1>.exe C:\Users\Public\tmpdirQakBot binary paths in home directories, observed as a alphabetical name under an alphabetical folder in %AppData%, or pre-named PicturesViewer, PaintHelper
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunRegistry run key persistence
Table 2. IOCs associated with QakBot

Additional Resources

Breaches Stop Here