Rule of the Week: QakBot Malware Detection

The QakBot banking trojan (aka QBot) has been used in attacks on organizations for over 10 years, and its authors continuously follow threat landscape trends, adding new features and removing those that don’t work properly. In 2017, this malware possessed worm-like capabilities and could lock out Active Directory users to cause additional damage to organizations. In 2019, adversaries used this Trojan in attacks on US government institutions, delivering it alongside IcedID malware via Emotet. The malware authors also retained QBot’s polymorphic features and added new infection vectors and multiple persistence mechanisms. This Trojan is usually spread via phishing emails with malicious attachments.

Now QakBot is “helping” a new player on the ransomware scene – ProLock ransomware – to infect corporate networks, and the two groups loudly announced their alliance at the end of April with a successful attack on Diebold Nixdorf. In the past, QakBot was used to deliver MegaCortex ransomware, as this trojan has the capabilities and additional tools that ransomware operators need to infect critical servers. The community rule by Emir Erdogan is based on the latest indicators of compromise and can detect this infection in your organization’s network: https://tdm.socprime.com/tdm/info/8vslvqdm0uRX/IyHENnIBjwDfaYjK_ZeI/?p=1

Interview with the content developer: https://socprime.com/en/blog/interview-with-developer-emir-erdogan/

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Defense Evasion, Execution, Initial Access, Privilege Escalation, Persistence

Techniques: Code Signing (T1116), Execution through Module Load (T1129), Process Injection (T1055), Scheduled Task (T1053)

More content to spot this malware:

Detection of QBot/QakBot Trojan (Sysmon Behaviour) by Emir Erdogan – https://tdm.socprime.com/tdm/info/9aOw7wqzGVM7/R0Iyom4ByU4WBiCt_zvQ/

QakBot Detector (Sysmon) by SOC Prime – https://tdm.socprime.com/tdm/info/SK8nqjq4237M/Wm7wzGgBFVBAemBcdw4V/

Qakbot Malware Detector (Sysmon Behavior) (27-March-2020) by Lee Archinal – https://tdm.socprime.com/tdm/info/Gi5YxC2sRJEO/-EEHK3EBya7YkBmwnOoO/