Quakbot Strikes with QuakNightmare Exploitation

Prologue

After nearly two months of “summer vacation”, Quakbot is back with a new set of skills and tricks. We have handled several incident response cases where Quakbot infected organizations through an email as the initial access vector (malicious spam distribution campaigns) to deliver a weaponized Microsoft Office Excel document.

We found that Quakbot threat actors exploited the PrintNightmare vulnerability (CVE-2021-34527 – “Windows Print Spooler Remote Code Execution”) in the later stages of the attack to perform privileged file operations and code execution via the Windows Print Spooler service. Quakbot also used credential theft functionality to steal Outlook passwords intended for internal spear-phishing, luring users to interact with the malicious emails to infect additional assets.

The threat actors also deployed Cobalt Strike beacons which allowed them to launch human-operation activities such as lateral movement, discovery, privilege-escalation, etc.
These actions serve two main objectives – exfiltration of sensitive data and setting up the stage for ransomware execution.

Quakbot Overview

Quakbot (also known as Qabot or Qbot) is a modular Banking Trojan, active since the end of 2007. Quakbot originally targeted financial sectors to steal credentials, financial information, and web browser data by using web injection and browser hooking techniques that allowed it to “redirect” API calls to intercept financial data.

In the last two years, Quakbot’s targets expanded beyond the financial sector. We have observed victims from the IT services industry, telecommunications providers, manufacturing facilities and infrastructure companies. Quakbot threat actors upgraded the range of malicious capabilities and functionality to evade detection and spread via different lateral movement techniques.

In this same period, we also detected Quakbot infections that include ransomware executions. During our threat intelligence activities and incident response cases we observed instances where Quakbot delivered REvil (A.K.A Sodinokibi) and Egregor ransomware.

Case Overview

In this report, we will go through Quakbot’s execution tactics, techniques, and procedures (TTPs), and present different behaviors, methods, tools, and strategies used by threat actors.

During the Cynet Orion Research Team’s continuous campaign hunting cycle, we have observed an increase in malicious email campaigns using Quakbot. Additionally, we have responded to incidents where companies asked for Cynet 360 assistance in Quakbot infections.

The Quakbot infection has two initial execution paths. We gave them the following names:

1. Datoploader
2. Relativeloader

As with many infections across organizations today, threat actors obtained an initial foothold through  malicious email campaigns that lured users to interact with malicious links or attachments.

In both cases, a malicious link (lead to a ZIP file) or a direct attachment in the malicious email leads to the next step of the infection – a weaponized Office document. The weaponized Office document contains macros code (macro 4.0 XLM) that executes when the user clicks on “Enable Content”.

The macro execution leads to multi-stage malicious actions that include a command-and-control (C2) connection, download of malicious payloads, and execution of commands.
Quakbot threat actors use several Defense Evasion (TA0005) techniques, such as process injection, masquerading, Fileless executions, etc. to bypass security solutions such as anti-virus and EDR.
The malicious macro code executes the payload by abusing the legitimate Microsoft file Regsvr32.exe. This type of procedure is also known as LOLBin (Living Off the Land Binaries), where threat actors abuse legitimate Microsoft files instead of bringing their own malicious files. These LOLBins files could be abused for proxy execution of processes to bypass whitelisting policies, credential dumping, discovery, and more.

Quakbot Initial Access Execution Flow

• Initial Access (TA0001) Phishing (T1566) – distribution via malicious spam campaigns.
• Execution (TA0002) User Execution (T1204) – the victim interacts with the malicious link or attachment (weaponized Office document).
  • The victim interacts with the weaponized Office document and enables the macros.
• Defense Evasion (TA0005) Signed Binary Proxy Execution: Regsvr32 (T1218.010) – DLL payloads downloaded from C2 server and executed via regsvr32.

The Quakbot payload executes multiple actions including process hollowing injection, Outlook credential theft, Cobalt Strike beacons, and Fileless persistence via registry.

For the first time, we have observed PrintNightmare exploitation in Quakbot infections.

You can find an analysis of PrintNightmare at the end of this report.

MITRE Attack Tactics and Techniques Coverage

Technical Analysis: Initial Access and Execution

Update by Kevin Beaumont – “Something is going on with Qakbot which alters detection/threat landscape in past week.”

It seems that threat actors abused enterprises and corporations that are using MS Exchange on-prem in order to distribute malicious emails. This led us to suspect that ProxyLogon and ProxyShell vulnerabilities are being exploited. These vulnerabilities allow Quakbot threat actors to bypass email security policies and propagate Quakbot infections.

• ProxyLogon – CVE-2021-26855, CVE-2021-27065
• ProxyShell – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207

Quakbot “TR” infrastructure stands for the distribution actor name that distributes malicious spam campaigns. This name was given by researchers, who also named the actor “ChaserLdr.”

Malicious emails are sent as part of phishing campaigns and contain a link to a compromised URL which leads to the ZIP file. The threat actors’ motivation is to lure the victim to interact with the phishing email and download the ZIP file.

Here is a URL search on TR campaign URLs that distribute Quakbot ZIP file:

https://urlhaus.abuse.ch/browse/tag/TR/

The ZIP file contains the weaponized Excel document. We have identified several unique patterns of the weaponized Excel document names, including:

• miss-[0-9]{9}.xls
• trend-[0-9]{7}.xls
• charts-[0-9]{10}.xls
• Claim-Copy-[0-9]{10}.xls
• Service-Interrupt-[0-9]{10}.xls

The weaponized Excel document (Datoploader maldoc) contains a fake Microsoft Office template message which lures the user to click on two messages:

1. Select “Enable Editing” – Protection View message
2. Select “Enable Content” – Security Warning message

The weaponized Excel document (Relativeloader maldoc) contains a fake DocuSign template message which lures the user to click on two messages:

1. Select “Enable Editing” – Protection View message
2. Select “Enable Content” – Security Warning message

Both weaponized Excel documents – Datoploader and Relativeloader – contain malicious macro code. Threat actors crafted these weaponized Excel documents with several tricks to bypass security detections and security researchers’ complex analyses.

Datoploader contains macro version 4.0 XLM. These macros hide in different Sheets and hide the macros in a white font with highly obfuscated code.  Evasion techniques include:

• Hiding sheets in the document
• Hiding Excel 4.0 macros in different sheets
• AutoOpen function – run a macro when Excel starts
• Hiding the macro formula by applying a white font color
• Obfuscation and scrambling of the macros in deferent sheets

Relativeloader also contains macro version 4.0 code and a VBA code that protects with a password.  Evasion techniques include:

• Hiding sheet in the document
• Hiding Excel 4.0 macros in sheet
• VBA code protect with password
• AutoOpen function – run a macro when Excel starts
• Hiding the macro formula by applying a black font color
• Obfuscation and scrambling of the macro

Update (04/11/2021): We observed a new payload name. Threat actors now name the payload:

• good.good
• good1.good
• good2.good

For the new payload named good.good, here is the macro code with the new format:

Relativeloader and Datoploader highlight keys in the macros code:

Threat actors abuse Regsvr32.exe (MITRE T1218.010) to proxy execute the malicious payload dropped by the macro execution.

Technical Analysis: Persistence and Defense Evasion

Regsvr32.exe is a legitimate Microsoft file responsible for registering DLL files as command components in the registry. This file is also classified as a LOLBin with application whitelisting (AWL) bypass and execute capabilities.

Quakbot execution flow – Relativeloader:

Malicious Excel macro call process creates (=EXEC) action in order to execute regsvr32 command:

The regsvr32 command executes the payload with -silent parameter:

Quakbot execution flow – Datoploader:

Malicious Excel macro calls process create (ShellExecuteA) action in order to execute regsvr32 command:

In both cases, the Quakbot execution flow executes the regsvr32 process three times in order to load masqueraded DLL payloads (test, good, random).

In this step, the machine is fully compromised and infected and Quakbot is ready to strike with the next attack techniques. We discovered that the next step is process injection.

Quakbot uses CreateProcessW to create a new process. By default, Quakbot creates an Explore.exe process. There are two other process which could be injected during the infection:

• msra.exe
• OneDriveSetup.exe

The Regsvr32 (initial Quakbot loader) process opens a handle (0x1fffff == Full control) to the created Explorer process in order to allocate memory for the malicious code.

WriteProcessMemory function – Writes data to an area of memory in a specified process. The first parameter is hProcess (PID of the target process) and the third parameter is the lpBuffer (the buffer that contains data to be written in the address space of the specified process). After the WriteProcessMemory WinAPI function, the Quakbot malicious function executes and injects PE code inside the RWX page of the targeted Explorer process.

Note: Explorer process executes most of the time from C:\windows directory and not from C:\windows\Syswow64\. Additionally, thanks to SANS DFIR – Find Evil – Know Normal’s poster, we can confirm that the legitimate parent process of Explorer.exe is userinit.exe. In a Quakbot infection, the parent process of injected Explorer process is Regsvr32.

After examining the injected explorer process, we have found the C2 configuration in clear text format in the memory:

We have spotted that Quakbot C2 servers’ pattern is https//[IP]/t4

The injected explorer process creates a Scheduled Task (Scheduled Task/Job: Scheduled Task – T1053.005) with a random name to perform privilege escalation and persistence on the infected machine.

Scheduled Task creation command:

The malicious Scheduled Task configured to execute whether or not the user is logged on:

In addition, we saw another form of task creation where the malicious task executes a PowerShell command which launches FileLess execution from this registry value:

The Regsvr32 process executed thanks to the malicious Scheduled Task with System User and performed a process injection to Explorer.exe (once more). Additionally, the injected explorer process swapped two new processes of reg.exe.

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule; responsible for the below execution:

The first Reg.exe command executed via injected explorer process:

The second Reg.exe command executed via injected explorer process:

Furthermore, concerning persistence, we have observed a run key persistence (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001):

The excluded paths are the same paths registered in the data of the Run key value, which means that the run key execution avoids the Windows Defender detections, Windows Defender does not scan this path and allows the payloads.

This action allows threat actors to run the dropped Quakbot payloads from the path added to the Defender exclusions path:

• C:\Users\*\AppData\Roaming\Microsoft\[RandomPath]
• C:\ProgramData\Microsoft\ [RandomPath]

Moreover, the initial payloads (test.test or good.good) are overwritten in order to corrupt the artifact:

The next stage of the attack is related to Outlook passwords theft. Quakbot performs this action via credential theft functionality. We have observed an attempt to query and enumerate registry keys and values which are related to Outlook passwords (Credentials from Password Stores – T1555).

Processes execution flow:

Quakbot query value key (RegNtPreQueryValueKey) in order to collect data from:

Technical Analysis: Discovery

The injected process also performed discovery basics commands. We have observed the following legitimate Microsoft binaries used for the discovery execution:

• systeminfo.exe
• arp.exe
• net.exe
• ipconfig.exe
• netstat.exe
• nltest.exe
• schtasks.exe
• qwinsta.exe
• nslookup.exe
• route.exe

systeminfo, arp, netstat and ipconfig commands were used to gather information on the infected machine. Net and nltest commands were used to collect information on the domain network. This information allows the threat actors to plan the next steps to execute lateral movement and privilege escalation. The main goal at this point is to pivot to the Domain Controller server and access the Domain Admin user.

Additionally, we have observed a new Discovery execution flow via an encoded PowerShell command:

The decoded malicious command:

Adfind.exe commands executed as part of the Discovery action:

Technical Analysis: Lateral Movement

Quakbot used lateral movement techniques by abusing services (Remote Services T1021) in order to spread Quakbot DLLs in network shared folders.

Technical Analysis: Cobalt Strike Activity

We have observed Cobalt Strike execution in few forms via PowerShell Fileless script, process injection, and DLL beacons. Cobalt Strike process injection, the injected explorer (by Quakbot) is pivoting to another process to inject the Cobalt Strike shell code to a new process, for example, we have detected an injection to dllhost.exe by creating a remote thread on the new injected process.

• c:\windows\syswow64\explorer.exe > c:\windows\syswow64\dllhost.exe

Another Cobalt Strike injected known processes which we have observed during incident response cases:

Cobalt Strike beacons – As we mentioned, the threat actors excluded two paths. One of these paths is C:\programdata\Microsoft\:

We observed that the Cobalt Strike beacons dropped to this directory:

In addition, we detected an attempt to launch Cobalt Strike Fileless execution via a malicious PowerShell command.

Decoded base64 command:

GzipStream decompress and FromBase64String, next stage decode command:

In order to decode the Cobalt Strike shellcode, we have used this section:

Via CyberChef “bake” we get the clear text shellcode, From Base64 ($var_code) and XOR key (bxor 35 hex):

The shellcode contains “\\.\pipe\mojo.5688.805…”  string that represents the Cobalt Strike beacon pipe inter-process (IPC) mechanism for communication by using CreateNamePipe and ConnectNamePipe.

Cobalt Strike beacon common pipe pattern

• \\.\pipe\mojo.5688.805

The self-injected PowerShell process used a PsExec Cobalt Strike module in order to drop additional Cobalt Strike beacons on other machines in the domain through share folders.

• \\[Host.Doamin]\admin$\[0-9]{7}.exe == C:\Windows\[0-9]{7}.exe

Technical Analysis: PrintNightmare

PrintNightmare is a Windows Print Spooler Remote Code Execution (RCE) Vulnerability (CVE 2021 34527) that allows performing privileged file operations via Windows Print Spooler service. Quakbot threat actors successfully exploited this vulnerability and got SYSTEM privileges execution to execute malicious code. Threat actors exploited the PrintNightmare, Print Spooler service (spoolsv.exe), created a DLL payload in the C:\Windows\System32\spool\drivers\x64\3\ path, the payload name spider.dll.

Spoolsv.exe process configured the DLL payload by abusing the Printer registry key and created a new key named “123456”.

The Print driver key contains values “Configuration File” and “Data File” with the payload DLL name (spider.dll).

After the exploitation the QuakNightmare process (spoolsv.exe) executed CMD command:

• C:\WINDOWS\system32\cmd.exe /c cmd.exe /c C:\Users\Public\25443.exe

Final Thoughts

Our investigation is still active as we have collected more information and logs from several IR cases of Quakbot infections. We believe that the main goals of the threat actors are to exfiltrate sensitive data and information, and to execute a ransomware attack as we have seen in the past. In addition, we have discovered that Quakbot threat actors abused organizational stolen email credentials to spread new Quakbot campaigns upon additional victims. We will provide updates on any new discoveries from our ongoing Quakbot investigation.

INDICATORS OF COMPROMISE