During a routine threat-hunting exercise, researchers last week came across a Twitter post in which a researcher shared new indicators of compromise (IOCs) related to the Qakbot malware, aka QBot.
The tweet by threat researchers ProxyLife said that Qakbot has abused the Windows 7 Calculator app for DLL sideloading attacks since at least July 11.
In a blog post by Cyble Research Labs, the researchers explained that Qakbot uses a mass-spamming email campaign to steal credentials from the victim’s system and uses them to make money. Along with the financial impact, these attacks can also lead to incidents of fraud and identity theft for any victim of Qakbot malware.
Qakbot operates as a Windows malware strain that started as a banking trojan, but evolved into a malware dropper. The researchers say it’s often used by ransomware gangs in the early stages of an attack to drop Cobalt Strike beacons.
Using DLL sideloading to bypass endpoint protection has been a well-known technique for several years, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said what’s notable here with this latest QBot malware campaign is that the first stage runs as a phishing attack, and the second relies on the Windows 7 Calculator application. For the first point, Parkin said it puts the emphasis back on the need for user education.
“While good anti-phishing-spam-malware tools for email can reduce the risk, it ultimately comes down to the users knowing when not to open an attachment,” Parkin said. “This attack relies on them not only opening the attachment, but using a provided password to decrypt it, which users really should know better than to do. They don’t, unfortunately, which is the problem. The second part relies on the Windows 7 version of calc, as the Windows 10 version is not vulnerable. Seeing that Windows 7 was end-of-life almost two-and-a-half years ago, this highlights the need to retire obsolete operating systems and applications.”
Saryu Nayyar, founder and chief executive officer at Gurucul, added that bad threat actors continue to leverage email attacks to spark the initial compromise from which they can execute the core of their attack campaign. Nayyar said once the user accidentally clicks on a link, the full malware gets executed and this opens up systems for well-known tools like Cobalt Strike.
“The reality is the QBot malware goes undetected by many current SIEMs and even XDR tools based on masking itself as a legitimate .DLL,” Nayyar said. “However, neither QBot nor Cobalt Strike are new tools. This shows that organizations need to invest in better security analytics, including a mature set of behavioral analytics, that can detect unusual activity and not just known attacks that have been modified as a new variant.”
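The sideloading chain Parkin describes (a legitimate calc.exe copied out of System32 and run next to a planted DLL) and the behavioral detection Nayyar calls for, as an added example that is not from the article or from any vendor quoted in it: a small Python hunt over constructed image-load events in the shape of Sysmon Event ID 7 fields, flagging a known host binary that runs from a non-system directory and loads a DLL from its own folder. The paths, user name and DLL name are assumptions made for the sample data, not indicators from the article.

```python
import ntpath

# Constructed image-load events using Sysmon Event ID 7 field names
# (Image = the process, ImageLoaded = the DLL it pulled in). Paths, user
# name and the DLL name are illustrative assumptions, not IOCs from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\helper.dll", "Signed": "true"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\invoice\calc.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\invoice\helper.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\invoice\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]

# Directories where the genuine binary lives; anywhere else is a relocated copy.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Signed Microsoft binaries abused as sideloading hosts; the article names only
# calc.exe, so extend this set from your own telemetry.
HOST_BINARIES = {"calc.exe"}

def _norm(path):
    # Windows paths are case-insensitive, so compare a canonical lower-case form.
    return ntpath.normcase(ntpath.normpath(path))

def assess(event):
    """Classify one image-load event; returns a verdict string or None if benign."""
    image = _norm(event["Image"])
    if ntpath.basename(image) not in HOST_BINARIES:
        return None
    image_dir = ntpath.dirname(image)
    if image_dir in SYSTEM_DIRS:
        return None  # the real binary running from its real home
    dll_dir = ntpath.dirname(_norm(event["ImageLoaded"]))
    if dll_dir == image_dir:
        # DLL planted beside the copied host: the loader's search order finds
        # it before the legitimate one in System32, which is the sideload.
        signed = event.get("Signed", "false").lower() == "true"
        return "sideload" if signed else "sideload-unsigned"
    return "relocated-host"  # host copied out of System32, DLL from elsewhere

def hunt(events):
    """Return (image, dll, verdict) for every suspicious event."""
    return [(e["Image"], e["ImageLoaded"], v)
            for e in events if (v := assess(e)) is not None]
```

Feeding real Sysmon Event ID 7 records through `hunt` surfaces the relocated host first, before any signature for the planted DLL exists.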