Qakbot; Black Basta ransomware delivery

Qakbot, also known as Qbot, is a banking malware and infostealer that primarily spreads through phishing emails and exploit kits. It was first discovered in 2008 and has since been a significant problem for organizations and users globally. Qakbot is designed to infect Windows operating systems and take control of computers and corporate networks. Once a system is compromised, the malware begins to collect sensitive information such as login credentials, banking data, and personal information. It can also monitor user activity, record keystrokes, and steal stored passwords.

Additionally, Qakbot has propagation capabilities that allow it to spread within a corporate network, infecting other devices and further compromising security. The malware can also perform malicious activities such as downloading other malware, executing Distributed Denial of Service (DDoS) attacks, and distributing spam.

This analysis considers its use as a delivery vehicle for the Black Basta ransomware.

Important elements of the analysis: 

  • Compilation in Delphi 
  • High entropy of the CODE section 
  • Registry management functions 
  • Threading functions for concurrent executions 
  • Keyboard events capturing 
  • Sockets connections 
  • Message encoding 
  • Theft of credentials 
  • Use of the UrlMon module to make external connections 
  • String encryption for evasion and code hiding 
  • Command and Control connections 
  • Enumeration of security monitoring processes to be terminated 

Introduction and static analysis 

In the present analysis, a sample of the Qakbot threat with hash b9dd2d79e9b78f0d3f439c302f19b0bbec463f135701ab2ea99c27f48fa2eb1a was taken into consideration; it was compiled in Delphi and has a rather high entropy coefficient for the CODE and .reloc sections. Qakbot is a threat discovered in 2008 that primarily targets the theft of credentials and was ranked as one of the most widespread threats in 2021. Since it also performs Remote Code Execution tasks, Qakbot’s goals include the distribution of additional threats, especially ransomware. Among the ransomware families that have been distributed through Qakbot are REvil, ProLock, LockBit and, indeed, Black Basta (the specific case of this article). Qakbot has been constantly updated with new features: in 2015 new updated versions were released, and in 2020 the threat landscape saw a significant increase of 465%. In 2021, there was a major compromise of the meat processing company JBS, with a ransom demand of USD 11 million. [0] 

Here is a detail of the disassembled sample. Evident are instructions such as stosb (a byte store to memory), jp (a conditional jump taken when the parity flag set by the preceding compare is 1), and various or operations, for example between the cl register and ebx - 0x347e5e9e and between [edi + eax - 0x76] and the dh register. 

Looking at the details of the contents of some sections of the executable’s memory mapping, one notices virtual memory allocation functions such as VirtualAlloc and VirtualFree, as well as GetCurrentThreadId, which obtains the identifier of the calling thread.

Further registry key management functions follow, including RegOpenKeyExA and RegCloseKey.

Below are some functions for gathering details of keyboard events, in particular GetKeyboardState:

By checking further strings extracted from the artefact, it is possible to observe evidence related to Delphi (including the vcltest3.dll library) and the registry key System\CurrentControlSet\Control\Keyboard Layouts\%.8x. 

Below are several strings relating to network socket connections, including accept, closesocket, connect and getsockname. 

Here are various functions for encoding and decoding strings and attributes, specifically IdMessageCoder, IdCoder, TldDecoder4to30jE. 

The string h5ylku8yh049yu034hkofw42h4ryj02g940g9vrghw08 appears to be related to ghyphy.dll, the DLL library dropped by Qakbot: 

There are references to concurrent thread management and execution functions, such as GetCurrentThreadId.

As shown below, the threat executes a function that chains three calls to the functions AL and JK together with the external function IE. These calls specify the parameters and their types, in particular %s, which indicates a string. 

Dynamic analysis and debugging 

Below is a detail of the chained IE, AL and JK functions in the CODE section at 004298968.

The JumpID function is then called in order to handle Delphi context strings by specifying the attribute and type, in this case string type. 

Below are further details of the above mentioned functions relating to sockets connections: 

At label loc_45B705 we can see the call to LoadLibraryA_0, which loads the ghyphy DLL library belonging to the execution context of the GUI: 

The string h5ylku8yh049yu034hkofw42h4ryj02g940g9vrghw08 appears to be associated with the encoding phase; the string is contained in the label loc_45B73A.

In the function sub_4598B8 there is a reference to function sub_456400, which contains string-comparison references: 

At the function sub_45AE48 we can observe attributes relating to access credentials. This evidence may also be correlated with Qakbot’s ability to steal credentials and authentication data. 

The date on which the executable was compiled appears to be improbable: in fact, it is set for 19 June 1992, while the resources stamp appears to be for 25 April 2015. 

Among the most suspicious indicators of malware are the compilation in Delphi and the attributes related to networking and file management (the latter may also be related to file stealing and file gathering). 

Some of this evidence can also be seen from an examination of the hexadecimal code of the threat, for example with regard to IdHTTP, IdWinSock2: 

Further references associated with Base64 encoding, password management (and stealing) and registry management follow: 

Looking at the details of the DLL sections, the entropy of the CODE section, which contains the executable code of the DLL, stands at 6.513: 
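To reproduce the per-section entropy check behind the figure above, here is an added Python example (not code from the original analysis) that walks a PE section table and scores every section; the PE it scans is constructed inline and is not the Qakbot sample, and the 6.5 alert threshold is an assumption chosen so that a value like 6.513 is flagged.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Walk the PE section table and yield (name, raw_offset, raw_size) per section."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    for i in range(nsec):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, raw_ptr, raw_size

def section_entropies(blob: bytes) -> dict:
    return {n: round(shannon_entropy(blob[p:p + s]), 3) for n, p, s in pe_sections(blob)}

def suspicious_sections(blob: bytes, threshold: float = 6.5) -> list:
    """Sections at or above the threshold, the usual packed/encrypted-code signal."""
    return [n for n, e in section_entropies(blob).items() if e >= threshold]

def build_sample_pe() -> bytes:
    """Constructed two-section PE (not the analysed sample): 'MZP' stub, a CODE section
    filled with a pseudo-random byte stream, and a repetitive .rsrc section."""
    dos = bytearray(64)
    dos[:3] = b"MZP"                                   # Delphi-style DOS stub marker
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)  # no optional header
    data_start = 64 + len(coff) + 2 * 40
    code, x = bytearray(), 0x12345678
    for _ in range(2048):                              # LCG stream stands in for encrypted code
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        code.append((x >> 16) & 0xFF)
    rsrc = (b"ICON" + b"\0" * 12) * 64
    def hdr(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, 0x1000, size, ptr, 0, 0, 0, 0, 0)
    return (bytes(dos) + coff + hdr(b"CODE", len(code), data_start)
            + hdr(b".rsrc", len(rsrc), data_start + len(code)) + bytes(code) + rsrc)
```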

Among the functions that could be considered suspicious we can see thread management, file loop management, file writing and keyboard information gathering: 

Here are fundamental details concerning connections to external URLs via the UrlMon module: 

Among the imports we can identify the advapi32.dll library that can be used to call the RegQueryValueExA function, which can be used to obtain the type and data associated with a value of a specific registry key. 

Below are some details of the resources included in the library, which refer to various images within the GUI: 

Looking at the disassembled CODE section, we can observe a LOOPNE (Loop while Not Equal) instruction at address 0x40128E, i.e. a conditional loop that jumps to a given instruction as long as the counter is different from zero and the zero flag is clear. 

There is then a series of subtraction instructions on the AL register, interrupted by jump instructions that lead to different memory addresses each time: 

Below are some reference details of the Relative Virtual Addresses of the DLL in question. These addresses are offsets relative to the base address at which the DLL itself is loaded.

By carrying out a debugging session of the Qakbot threat, we can see that the file header reads “MZP”, i.e. an executable compiled in Delphi: the letter “P” is associated with “Pascal”. 

Following a jb instruction there is a mov instruction between the above string attribute and the eax register. 

By examining process execution in the context of dynamic analysis, there are references to LoadLibrary and LoadDll functions. 

Here is evidence of the malicious module loaded during the debugging session: 

Here a detail referring to the executable’s icon, included within its resources: 

Here are the loading details of the graphical components of Qakbot (for example LoadBitmapA and LoadIconA). 

Here we have various keyboard information gathering functions, for example GetKeyboardLayout and GetKeyboardState (which copies the status of the 256 virtual keys to the specified buffer). 

Here we can see further dynamic executions of registry key openings and closures: 

Following is evidence of process monitoring, where the dropping and use of the ghyphy.dll library is evident: 

At the same time, there are details of LoadLibrary, LdrLoadDll functions (in order to load specific modules): 

Below are further references to the Qakbot resources, for example images contained within the GUI: 

The following is a detail of the decompiled code around the definition of the string h5ylku8yh049yu034hkofw42h4ryj02g940g9vrghw08, showing reinterpret_cast conversions of the eax and ebp values to pointers, as well as the assignment of gddbfd8 to the eax4 register and of gddf660 to the ecx19 register. 

Here is a representation of the byte distribution of the artefact, in which shuffled bytes and considerable entropy in certain sections can be observed.

Threat research 

The Qakbot sample contacts the malicious IP address 41.111.118[.]56, registered by Telecom Algeria. 

The e-mail address mentioned in its Whois details appears in evidence of data breaches and spam bots. 

Further details on the domain of that e-mail address and some URLs associated with it follow: 

Malware techniques 

Below is a detail of the POST request made by Qakbot to the contacted malicious IP address, with the lpszObjectName variable set to “/t5”: 

Regarding registry access during the cyber kill chain, it is possible to identify the key Software\Microsoft\Fdircmnenyyey with the value 3665b42c.

The threat performs string encryption and decryption tasks in order to support evasion and anti-analysis operations. Among the strings that can be recovered are numerous infection commands: obfuscated PowerShell commands, capturing screenshots of the compromised machine, ping commands, access to ProgramData folders, netstat -nao to list the active network connections together with the owning process IDs, connections to network shares with the net share command, and deletion of specific scheduled tasks with the schtasks.exe /Delete /F /TN %u command. 

Here are numerous references to adding Windows Defender exclusions, bypassing the Windows Defender SpyNet module, WMI queries in order to enumerate antivirus products currently installed on the machine. 

Following is a detail of an enumeration of analysis and monitoring processes; Qakbot can use this enumeration to evade these monitoring tools by terminating them. 
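As an added, defender-side example that is not part of the original analysis, the following Python matches the command shapes listed in this section (netstat -nao, net share, schtasks /Delete /F /TN, encoded PowerShell, Defender exclusion changes, AV enumeration via WMI) against constructed process-creation events; the Add-MpPreference cmdlet and the AntiVirusProduct WMI class are assumed concrete forms of the two behaviours the text describes, not strings quoted from the sample.

```python
import re

# Constructed process-creation events in Sysmon EventID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"cmd.exe /c netstat -nao"},
    {"pid": 4121, "cmdline": r'schtasks.exe /Delete /F /TN "Updater"'},
    {"pid": 4122, "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 4123, "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData"},
    {"pid": 4124, "cmdline": r"cmd.exe /c net share"},
    {"pid": 4125, "cmdline": r"explorer.exe"},
]

# (rule name, regex over the command line). The netstat, net share and schtasks shapes
# are the strings recovered from the sample; Add-MpPreference (Defender exclusion) and
# the AntiVirusProduct WMI class (AV enumeration) are assumed forms of the behaviours
# the analysis describes, not strings quoted from it.
RULES = [
    ("recon_netstat_ports", re.compile(r"\bnetstat\b[^|&]*-nao\b", re.I)),
    ("discovery_net_share", re.compile(r"\bnet(?:\.exe)?\s+share\b", re.I)),
    ("task_delete_forced", re.compile(r"\bschtasks(?:\.exe)?\b.*/Delete\b.*/F\b.*/TN\b", re.I)),
    ("ps_encoded_command", re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand)\b", re.I)),
    ("defender_exclusion_add", re.compile(r"\bAdd-MpPreference\b.*-Exclusion", re.I)),
    ("wmi_av_enum", re.compile(r"\bAntiVirusProduct\b", re.I)),
]

def match_event(event: dict) -> list:
    """Names of every rule that fires on one event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]

def triage(events, min_distinct=2) -> dict:
    """Group hits by rule and raise an alert when several distinct Qakbot-style
    behaviours appear in the same batch (one hit alone is often admin activity)."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, []).append(ev["pid"])
    return {"hits": hits, "alert": len(hits) >= min_distinct}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], match_event(ev))
    print(triage(SAMPLE_EVENTS))
```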

IOCs: 

  • b9dd2d79e9b78f0d3f439c302f19b0bbec463f135701ab2ea99c27f48fa2eb1a 
  • c05798268fcde7fbda9305a54389bb79 
  • 41.111.118[.]56 
  • Software\\Microsoft\\Fdircmnenyyey 
  • 3665b42c 
  • n[.]djouahra[@]djaweb[.]dz 

YARA Rule: 

rule QakbotBlackBastaRule
{
    strings:
        // registry key name written by the sample (Software\Microsoft\Fdircmnenyyey)
        $regString = "Fdircmnenyyey"
        // the same name as a raw hex pattern
        $regHex = { 46 64 69 72 63 6d 6e 65 6e 79 79 65 79 }
    condition:
        $regString or $regHex
}

CONCLUSIONS: 

The Qakbot threat under investigation has numerous anti-analysis, string encryption and encoding features, as well as numerous evasion tasks. At the same time, Qakbot carries out rather invasive infection routines, such as registry enumeration, keyboard events capturing, socket connections, file stealing and Command and Control connections. 

It is reasonable that this threat is also used in contexts other than the sole purpose of stealing data and sensitive files from victim hosts, since it has the numerous evasion features mentioned above. It is therefore possible to initiate compromises of different magnitude by creating a ransomware infection scenario, in this case with the Black Basta ransomware, which not only encrypts the victim’s files but also performs a double extortion: if the requested payment is not made, the stolen data is published. 

An example of using a Qakbot threat to carry out ransomware delivery could be to steal the RDP credentials of a critical infrastructure server and proceed with a malware implanting action, followed by encrypting the files and possibly publishing the stolen data. 

Given these considerations, it is not difficult to imagine that the same scenario could occur with other similar types of threats in order to perform an initial attack phase of infrastructure access and targeting, and then proceed with a second, consequential phase involving even more dangerous and malicious threats. 

References: 

[0] What Is Qakbot? (blackberry.com): introduction to the Qakbot malware family. 
