Qakbot is primarily a banking trojan first observed in 2008. Despite its age, Qakbot’s broad range of features, including keystroke logging, credential dumping, persistence mechanisms and discovery features, makes it an attractive tool for adversaries to adopt into their TTPs. Recently the FortiGuard Responder team has seen an increase in activity involving this malware. A phishing email is the most common initial access vector that Qakbot uses to gain access to a system. Typically, a Qakbot phishing email arrives with an attached Microsoft Word document, Microsoft Excel spreadsheet or zip file containing Microsoft Office documents (T1566.001). When opened, these Microsoft Office documents run a macro that attempts to download the Qakbot trojan to infect the end user’s machine.
As a modern EDR solution, FortiEDR provides protection against new Qakbot variants by blocking the suspicious behaviours associated with the Qakbot infection chain. Post-execution detection rules (Exfiltration and Ransomware Prevention Policies) allow FortiEDR to block the Qakbot downloader from downloading a malicious executable as part of these initial macro scripts. These FortiEDR protections also prevent the execution of other possible malicious scripts that might compromise the end user’s system. FortiEDR’s pre-execution policy (Execution Prevention policy) detects known Qakbot samples while the machine learning employed as part of FortiEDR online sandboxing identifies characteristics of new Qakbot variants and prevents them from executing.
Let's see how FortiEDR detects and blocks the Qakbot intrusion chain by switching to simulation mode and emulating a typical intrusion. In simulation mode, FortiEDR generates events but does not enforce rule actions. This allows the Qakbot downloader to fully execute which gives us the opportunity to observe the scope of behavioural detections and blocks that are applied by FortiEDR and the layers of rules that protect defended endpoints.
Below in Figure 1 is an example of the ‘end-user’ view of a malicious Microsoft Excel spreadsheet distributed as part of a Qakbot campaign observed in the wild. By default, Microsoft Excel prevents the execution of macros. Once the user opens the spreadsheet, Microsoft Excel will show a security warning that macros are disabled by default. The spreadsheet is designed to look legitimate and contains simple instructions on how to unlock the document. In the observed Qakbot malicious attachments there is no legitimate content; these instructions are added only to encourage the user to enable the execution of the macros.
Figure 1. Example of a malicious Microsoft Excel document used as part of a Qakbot campaign.
Once the user enables the macro by clicking “Enable Content”, it attempts to connect to the internet to download a malicious executable that contains the main Qakbot payload. This behaviour triggers the “Dynamic Code – Malicious Runtime Generated Code Detected” rule that is part of the “Exfiltration Protection” policy. Additionally, FortiEDR incorporates FortiGuard Labs threat intelligence as part of its automated analysis which flagged the destination IP as malicious. As a result, this event was flagged as suspicious and FortiEDR would block the connection.
Figure 2. FortiEDR detected a “Network Access” event related to Excel creating a network connection to attempt to download a Qakbot DLL following successful execution of the embedded macro.
Looking at the “Geo Location” tab in the “Advanced Data” window for the event in the FortiEDR event viewer in Figure 3 below, we can see that the IP address the macro attempted to connect to was in Latvia.
Figure 3. The FortiEDR “Geo Location” tab can be used to quickly identify anomalous geolocation data associated with a flagged event.
The Fortinet CTS (Central Threat System), which contains FortiGuard Labs Threat Intelligence feeds, shows that the IP the macro interacts with, 94.140.112.119, is known to have been previously used by the Qakbot trojan. This can be seen in Figure 4 below:
Figure 4. Fortinet CTS can be used to quickly identify information about atomic indicators observed through FortiEDR.
FortiEDR detects the “Suspicious Network Access” event as discussed above. During this event, the embedded macro tries to download a DLL (dynamic link library) file with a filename of the format <today’s time and date>.dat, such as “44470.0032425947.dat”. Combined with the IP address, the embedded macro tries to download a file from a URL similar to hxxp://94[.]140[.]112[.]119/44470.0032425947.dat. As we can see from the macro shown below in Figure 5, the NOW() function generates the filename and the .dat extension is appended to it. If the file is successfully downloaded, it is renamed to “Xertis.dll”, “Xertis1.dll” or “Xertis2.dll”.
Figure 5. Section of the macro embedded in the malicious Microsoft Excel document.
Once downloaded and saved as one of the “Xertis” files, the DLL file is executed using regsvr32.exe from within the macro, as can be observed in Figure 5. This activity generates a “File Execution Attempt” event in FortiEDR, as it triggers the “Suspicious Script Execution – A script was executed in a suspicious context” rule in the “Execution Prevention Policy”. FortiEDR flags this event as suspicious and would block the execution, effectively halting the intrusion.
Figure 6. FortiEDR detected a “File Execution Attempt” event related to the embedded macro attempting to execute the downloaded Qakbot DLL with “regsvr32.exe”.
We can validate the expected macro behaviour using the FortiEDR Threat Hunting feature, as the macro tries to execute regsvr32.exe with the command line parameters “\-silent ..\\Xertis<value>.dll”. We can turn these indicators into a Lucene query compatible with the Threat Hunting search bar, like the one below. An example of a returned Threat Hunting event is also shown below in Figure 7.
Type: ("Process Creation") AND Source.Process.Name: ("excel.exe") AND Target.Process.File.Name: ("regsvr32.exe") AND Target.Process.CommandLine: ("\-silent ..\\Xertis.dll" OR "\-silent ..\\Xertis1.dll" OR "\-silent ..\\Xertis2.dll")
Figure 7. Example Threat Hunting event from the Qakbot macro execution using the query from above.
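The matching logic behind the Threat Hunting query above, as an added example that is not code from the original post or from FortiEDR. It reuses the query's field names as dictionary keys (an assumption about how exported events look), runs over a few constructed Process Creation events, and goes one step further than the literal query by also flagging regsvr32.exe launched from an Office parent with any Xertis<n>.dll or any DLL given by a relative path.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events; keys mirror the fields used in the Threat Hunting query.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Type": "Process Creation", "Source.Process.Name": "excel.exe",
     "Target.Process.File.Name": "regsvr32.exe",
     "Target.Process.CommandLine": r"regsvr32.exe -silent ..\Xertis1.dll"},
    {"Type": "Process Creation", "Source.Process.Name": "excel.exe",
     "Target.Process.File.Name": "regsvr32.exe",
     "Target.Process.CommandLine": r"regsvr32.exe -silent ..\Xertis7.dll"},  # name not in the literal query
    {"Type": "Process Creation", "Source.Process.Name": "services.exe",
     "Target.Process.File.Name": "regsvr32.exe",
     "Target.Process.CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # benign parent
    {"Type": "Process Creation", "Source.Process.Name": "excel.exe",
     "Target.Process.File.Name": "splwow64.exe",
     "Target.Process.CommandLine": "splwow64.exe 12288"},  # Office child that is not regsvr32
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption: Office hosts of interest
KNOWN_NAMES = {"xertis.dll", "xertis1.dll", "xertis2.dll"}     # literal names from the post's query
XERTIS_RE = re.compile(r"\\(xertis\d*\.dll)\b", re.IGNORECASE)  # generalised Xertis<n>.dll
RELATIVE_DLL_RE = re.compile(r"(?:^|\s)(?:\.\.?\\)+\S+\.dll\b", re.IGNORECASE)  # DLL via ..\ or .\


def classify(ev: Dict[str, str]) -> str:
    """Return 'known' (exact query match), 'suspicious' (same shape) or '' for one event."""
    if ev.get("Type") != "Process Creation":
        return ""
    if ev.get("Target.Process.File.Name", "").lower() != "regsvr32.exe":
        return ""
    if ev.get("Source.Process.Name", "").lower() not in OFFICE_PARENTS:
        return ""
    cmd = ev.get("Target.Process.CommandLine", "")
    m = XERTIS_RE.search(cmd)
    if m and m.group(1).lower() in KNOWN_NAMES:
        return "known"
    if m or RELATIVE_DLL_RE.search(cmd):
        return "suspicious"
    return ""


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(command line, verdict) for every event the rule fires on."""
    return [(e["Target.Process.CommandLine"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmd, verdict in hunt(SAMPLE_EVENTS):
        print(f"{verdict:10s} {cmd}")
```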
As of this writing, the .dat file is no longer available from the links generated by the macro. After further malware hunting, we were able to obtain a similar sample of the DLL that the Qakbot macro would download. The .dat file is renamed to “Xertis.dll”, “Xertis1.dll” or “Xertis2.dll” and executed using regsvr32.exe. Simulating the download of the file and renaming it to Xertis2.dll, FortiEDR detects the Xertis2.dll file as GenKryptik.FKXB!tr and generates a “File Read Attempt” event.
Figure 8. FortiEDR detected a “File Read Attempt” event related to the OS attempting to read the known Qakbot DLL dropped through the embedded macro.
After executing through regsvr32.exe from the embedded macro, the original Qakbot DLL drops another DLL to disk. Given this original Qakbot DLL has already been flagged as malicious, the associated file creation activity generates both a “File Creation” and “File Write” event that would be blocked by FortiEDR if it was in Protection mode.
Figure 9. FortiEDR detected a “File Creation” and “File Write” event related to the original Qakbot DLL dropping an embedded dll to disk (c762d953.dll above).
Following this file write, Qakbot performs a series of process injections and unmapped executable loads. When the original DLL (Xertis<number>) executes, it decrypts and loads its code into newly allocated virtual memory. Afterwards, it performs process hollowing by overwriting the original content of the Qakbot DLL (Xertis<number>). FortiEDR detects this series of process injections and unmapped executable loads as shown below.
Figure 10. FortiEDR detected a “File Write Access” event which contains multiple events related to memory modification and process injection associated with the original Qakbot DLL.
After this initial process hollowing, Qakbot injects itself into another process, in this case “msra.exe”, to continue executing the rest of its payloads. Process injection is another malware trick to avoid static and dynamic analysis. Process injection also supports defence evasion and persistence by targeting benign executables, such as msra.exe, to delay scrutiny by defenders. FortiEDR detects the above activity with the “Process Injection – Entry Point Modification Detected” and “Unmapped Executable – Executable File Without Corresponding File System Reference” rules in the “Exfiltration Prevention” security policy and blocks this detected activity in Protection mode.
Qakbot’s final payload is to connect to its C2 servers to exfiltrate discovery data and to request malware updates and command instructions. These C2 connection attempts are detected by FortiEDR.
Figure 11. FortiEDR detected “Network Connection Attempt” events related to C2 communications.
Qakbot injects its code into msra.exe and tries to connect to its C2 servers. The generic Threat Hunting query below can be used to quickly identify IP addresses associated with C2. An example of the Threat Hunting output is shown below in Figure 12.
Type: ("Socket Connect") AND Source.Process.Name: ("msra.exe")
Figure 12. Example Threat Hunting output for the “Socket Connect” query above, showing the C2 connection attempts made from the injected msra.exe process.
To search for suspicious script execution following a successful download of the original Qakbot DLL:
Type: ("Process Creation") AND Source.Process.Name: ("excel.exe") AND Target.Process.File.Name: ("regsvr32.exe") AND Target.Process.CommandLine: ("\-silent ..\\Xertis.dll" OR "\-silent ..\\Xertis1.dll" OR "\-silent ..\\Xertis2.dll")
To search for the downloaded file being renamed to "Xertis.dll", "Xertis1.dll" or "Xertis2.dll" (generic):
Type: ("File Rename") AND Target.File.Name: ("Xertis.dll" OR "Xertis1.dll" OR "Xertis2.dll")
To search for suspicious network access initiated by the Excel application:
Type: ("Socket Connect") AND Source.Process.Name: ("EXCEL.EXE") AND RemoteIP: ("94.140.112.119")
To search for suspicious network access initiated by the Excel application (generic):
Type: ("Socket Connect") AND Source.Process.Name: ("EXCEL.EXE")
To search for possible exfiltration (generic):
Type: ("Socket Connect") AND Source.Process.Name: ("msra.exe")
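A triage routine for the three “Socket Connect” hunts above (Excel to the known download IP, Excel to anything external, and the injected msra.exe process), which also applies the non-standard-port observation from the Command & Control section that regsvr32.exe and msra.exe have no reason to talk to external hosts on 443 or 995. This is an added example, not code from the original post or from FortiEDR; the field names follow the queries, the events are constructed, and the external hosts other than the post's download IP are RFC 5737 documentation addresses.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample "Socket Connect" events (assumed field names, RemotePort added).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Type": "Socket Connect", "Source.Process.Name": "EXCEL.EXE", "RemoteIP": "94.140.112.119", "RemotePort": 80},
    {"Type": "Socket Connect", "Source.Process.Name": "EXCEL.EXE", "RemoteIP": "10.0.0.5", "RemotePort": 445},
    {"Type": "Socket Connect", "Source.Process.Name": "msra.exe", "RemoteIP": "203.0.113.10", "RemotePort": 443},
    {"Type": "Socket Connect", "Source.Process.Name": "regsvr32.exe", "RemoteIP": "198.51.100.7", "RemotePort": 995},
    {"Type": "Socket Connect", "Source.Process.Name": "chrome.exe", "RemoteIP": "198.51.100.8", "RemotePort": 443},
]

KNOWN_BAD_IPS = {"94.140.112.119"}                     # download IP from the post
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}   # assumption: Office hosts of interest
INJECT_TARGETS = {"msra.exe", "regsvr32.exe"}          # benign binaries Qakbot runs in or injects into
SUSPICIOUS_PORTS = {443, 995}                           # ports the post reports for Qakbot C2
# Explicit RFC 1918/loopback/link-local list so documentation ranges still count as external.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def triage(ev: Dict[str, object]) -> List[str]:
    """Reasons this Socket Connect event deserves attention (empty list means none)."""
    reasons: List[str] = []
    if ev.get("Type") != "Socket Connect":
        return reasons
    proc = str(ev["Source.Process.Name"]).lower()
    ip = str(ev["RemoteIP"])
    port = int(ev.get("RemotePort", 0))
    if ip in KNOWN_BAD_IPS:
        reasons.append("known Qakbot download IP")
    if not is_external(ip):
        return reasons  # internal traffic: only the known-bad check applies
    if proc in OFFICE:
        reasons.append("Office process initiating external connection")
    if proc in INJECT_TARGETS:
        reasons.append(f"{proc} contacting external host")
        if port in SUSPICIOUS_PORTS:
            reasons.append(f"port {port} from {proc}")
    return reasons


def hunt(events: List[Dict[str, object]]) -> List[Tuple[str, str, List[str]]]:
    """(process, remote IP, reasons) for each event that triage flags."""
    return [(str(e["Source.Process.Name"]), str(e["RemoteIP"]), triage(e)) for e in events if triage(e)]
```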
TA0001 – Initial Access
Technique ID | Technique Description | Observed Activity
T1566.001 | Phishing: Spear Phishing Attachment | Phishing emails with malicious attachments are the most common initial access vector for a Qakbot intrusion.
TA0002 – Execution
Technique ID | Technique Description | Observed Activity
T1059.005 | Command and Scripting Interpreter: Visual Basic | Qakbot contains macros used to connect to a C&C to download another malicious executable, and to register a malicious DLL.
T1204.002 | User Execution: Malicious File | Qakbot spear-phishing campaigns centre around the use of embedded macros for execution. Users need to enable macros for the attack chain to start. Qakbot malicious documents are designed to look legitimate and include instructions on how to enable macros.
TA0005 – Defense Evasion
Technique ID | Technique Description | Observed Activity
T1218.010 | Signed Binary Proxy Execution: Regsvr32 | Qakbot malware uses regsvr32.exe to try to register a malicious DLL.
T1140 | Deobfuscate/Decode Files or Information | The initial Qakbot DLL contains various encrypted payloads that are only extracted following sandboxing and virtualization checks. This helps evade sandbox-based detection.
T1027.001 | Obfuscated Files or Information: Binary Padding | Qakbot has remained effective since 2008 by being flexible around the indicators it leaves. This includes being able to simply change its hash without affecting functionality.
T1055.002 | Process Injection: Portable Executable Injection | The original Qakbot DLL decrypts and injects additional executables directly into process memory, avoiding the creation of disk-based artifacts.
TA0010 – Exfiltration
Technique ID | Technique Description | Observed Activity
T1041 | Exfiltration Over C2 Channel | Qakbot malware connects to a C&C server to download another malicious executable, and for possible data exfiltration.
TA0011 – Command & Control
Technique ID | Technique Description | Observed Activity
T1041 | Ingress Tool Transfer | Qakbot malicious macros connect out to known malicious IPs to download the initial Qakbot DLL. This DLL contains all payloads (encrypted) required for the rest of the intrusion.
T1571 | Non-Standard Port | Qakbot C2 following the initial DLL download from the embedded macro uses both port 443 and port 995. These network connections can be traced back to the injected processes for anomalies; for example, regsvr32.exe should not communicate with external IPs on port 995 (POP3S mail port).
Indicators of Compromise
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes
Payment-<randomnumber>-<date>.xls Hash | 26164943D535B3EF534B8B0292AD5D03A5C905A2 | SHA1 Hash | Initial Access | File hash of the known malicious Microsoft Excel document used for this analysis. A different xls document will likely be generated per intrusion to avoid hash-based detection.
Xertis2.dll Hash | F3645BCC6F8F2031BA2D936F495E3D1C4BDF7C23 | SHA1 Hash | Execution, Command and Control | Initial Qakbot executable. Detection of this file hash on an endpoint indicates that the macro has successfully executed and the initial Qakbot payload has been written to disk.
Qakbot Download IP | 94.140.112.119 | IP Address | Initial Access, Execution | The malicious macro in the Excel document requests the initial Qakbot payload from this address. Traffic to this IP indicates successful execution of the malicious macro.
Qakbot C2 IP | 120.150.218[.]241 | IP Address | Command and Control | This IP was contacted by Qakbot implants following infection.
Qakbot C2 IP | 47.22.148[.]6 | IP Address | Command and Control | This IP was contacted by Qakbot implants following infection.
Qakbot C2 IP | 184.185.103[.]157 | IP Address | Command and Control | This IP was contacted by Qakbot implants following infection.
Qakbot C2 IP | 196.221.207[.]137 | IP Address | Command and Control | This IP was contacted by Qakbot implants following infection.
Qakbot C2 IP | 125.63.101[.]62 | IP Address | Command and Control | This IP was contacted by Qakbot implants following infection.
Qakbot C2 IP | 175.143.92[.]16 | IP Address | Command and Control | This IP was contacted by Qakbot implants following infection.
Copyright 2025 Fortinet, Inc. All Rights Reserved.