1. Home
  2. Software
  3. QakBot

QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

ID: S0650
Associated Software: Pinkslipbot, QuackBot, QBot
Type: MALWARE
Platforms: Windows
Contributors: Edward Millington; Inna Danilevich, U.S. Bank
Version: 1.3
Created: 27 September 2021
Last Modified: 17 September 2024
Version Permalink

Associated Software Descriptions

Name Description
Pinkslipbot

[3][4]
QuackBot

[3]
QBot

[1][2][3][4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[5][6][3]
Enterprise T1010 Application Window Discovery

QakBot has the ability to enumerate windows on a compromised host.[4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

QakBot can maintain persistence by creating an auto-run Registry key.[5][6][1][7]
Enterprise T1185 Browser Session Hijacking

QakBot can use advanced web injects to steal web banking credentials.[8][3]
Enterprise T1110 Brute Force

QakBot can conduct brute force attacks to capture credentials.[9][6][3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

QakBot can use PowerShell to download and execute payloads.[7]
.003 Command and Scripting Interpreter: Windows Command Shell

QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[6][4][3][10]
.005 Command and Scripting Interpreter: Visual Basic

QakBot can use VBS to download and execute malicious files.[5][9][6][1][8][7][10]
.007 Command and Scripting Interpreter: JavaScript

The QakBot web inject module can inject Java Script into web banking pages visited by the victim.[3][10]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

QakBot can remotely create a temporary service on a target host.[11]
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

QakBot has collected usernames and passwords from Firefox and Chrome.[3]
Enterprise T1132 .001 Data Encoding: Standard Encoding

QakBot can Base64 encode system information sent to C2.[6][3]
Enterprise T1005 Data from Local System

QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.[2][3]
Enterprise T1074 .001 Data Staged: Local Data Staging

QakBot has stored stolen emails and other data into new folders prior to exfiltration.[9]
Enterprise T1140 Deobfuscate/Decode Files or Information

QakBot can deobfuscate and re-assemble code strings for execution.[8][4][3]
Enterprise T1482 Domain Trust Discovery

QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.[3]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

QakBot can use domain generation algorithms in C2 communication.[5]
Enterprise T1114 .001 Email Collection: Local Email Collection

QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[9][1][3]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

QakBot can RC4 encrypt strings in C2 communication.[3]
Enterprise T1041 Exfiltration Over C2 Channel

QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[3]
Enterprise T1210 Exploitation of Remote Services

QakBot can move laterally using worm-like functionality through exploitation of SMB.[6]
Enterprise T1083 File and Directory Discovery

QakBot can identify whether it has been run previously on a host by checking for a specified folder.[4]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

QakBot has placed its payload in hidden subdirectories.[10]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

QakBot has the ability to use DLL side-loading for execution.[12]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[7]
Enterprise T1070 .004 Indicator Removal: File Deletion

QakBot can delete folders and files including overwriting its executable with legitimate programs.[9][6][4][7]
Enterprise T1105 Ingress Tool Transfer

QakBot has the ability to download additional components and malware.[5][6][1][8][3][7]
Enterprise T1056 .001 Input Capture: Keylogging

QakBot can capture keystrokes on a compromised host.[9][1][3]
Enterprise T1036 .008 Masquerading: Masquerade File Type

The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.[7][10]
Enterprise T1112 Modify Registry

QakBot can modify the Registry to store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[2][7]
Enterprise T1106 Native API

QakBot can use GetProcAddress to help delete malicious strings from memory.[4]
Enterprise T1135 Network Share Discovery

QakBot can use net share to identify network shares for use in lateral movement.[5][3]
Enterprise T1095 Non-Application Layer Protocol

QakBot has the ability use TCP to send or receive C2 packets.[3]
Enterprise T1027 Obfuscated Files or Information

QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[8]
.001 Binary Padding

QakBot can use large file sizes to evade detection.[5][7]
.002 Software Packing

QakBot can encrypt and pack malicious payloads.[8]
.005 Indicator Removal from Tools

QakBot can make small changes to itself in order to change its checksum and hash value.[6][8]
.006 HTML Smuggling

QakBot has been delivered in ZIP files via HTML smuggling.[10][12]
.010 Command Obfuscation

QakBot can use obfuscated and encoded scripts.[8][10]
.011 Fileless Storage

QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[2][7]
Enterprise T1120 Peripheral Device Discovery

QakBot can identify peripheral devices on targeted systems.[5]
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

QakBot can use net localgroup to enable discovery of local groups.[3][10]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

QakBot has spread through emails with malicious attachments.[5][9][1][8][4][3][7][12][13]
.002 Phishing: Spearphishing Link

QakBot has spread through emails with malicious links.[5][9][1][4][3][7][10]
Enterprise T1057 Process Discovery

QakBot has the ability to check running processes.[4]
Enterprise T1055 Process Injection

QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe., and wermgr.exe.[5][9][1][3][10]
.012 Process Hollowing

QakBot can use process hollowing to execute its main payload.[4]
Enterprise T1572 Protocol Tunneling

The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.[3]
Enterprise T1090 .002 Proxy: External Proxy

QakBot has a module that can proxy C2 communications.[3]
Enterprise T1018 Remote System Discovery

QakBot can identify remote systems through the net view command.[6][3][10]
Enterprise T1091 Replication Through Removable Media

QakBot has the ability to use removable drives to spread through compromised networks.[5]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

QakBot has the ability to create scheduled tasks for persistence.[5][9][6][1][2][8][3][7]
Enterprise T1518 Software Discovery

QakBot can enumerate a list of installed programs.[7]
.001 Security Software Discovery

QakBot can identify the installed antivirus product on a targeted system.[6][4][4][3]
Enterprise T1539 Steal Web Session Cookie

QakBot has the ability to capture web session cookies.[9][3]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

QakBot can use signed loaders to evade detection.[4][12]
.005 Subvert Trust Controls: Mark-of-the-Web Bypass

QakBot has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures.[10]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

QakBot can use MSIExec to spawn multiple cmd.exe processes.[6]
.010 System Binary Proxy Execution: Regsvr32

QakBot can use Regsvr32 to execute malicious DLLs.[2][8][4][10][11][12]
.011 System Binary Proxy Execution: Rundll32

QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication.[6][2][8][4][10]
Enterprise T1082 System Information Discovery

QakBot can collect system information including the OS version and domain on a compromised host.[6][4][7][13]
Enterprise T1016 System Network Configuration Discovery

QakBot can use net config workstation, arp -a, nslookup, and ipconfig /all to gather network configuration information.[6][3][7][10][13]
.001 Internet Connection Discovery

QakBot can measure the download speed on a targeted host.[3]
Enterprise T1049 System Network Connections Discovery

QakBot can use netstat to enumerate current network connections.[3][10]
Enterprise T1033 System Owner/User Discovery

QakBot can identify the user name on a compromised system.[3][10]
Enterprise T1124 System Time Discovery

QakBot can identify the system time on a targeted host.[3]
Enterprise T1204 .001 User Execution: Malicious Link

QakBot has gained execution through users opening malicious links.[5][9][1][4][3][7][10]
.002 User Execution: Malicious File

QakBot has gained execution through users opening malicious attachments.[5][9][6][1][8][4][3][7][12][13]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[5][4]
.003 Virtualization/Sandbox Evasion: Time Based Evasion

The QakBot dropper can delay dropping the payload to evade detection.[8][3]
Enterprise T1047 Windows Management Instrumentation

QakBot can execute WMI queries to gather information.[3]

Groups That Use This Software

ID Name References
G0127 TA551

[4]
G1037 TA577

[14]

References

  1. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  2. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  3. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  4. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  5. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  6. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  7. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  1. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  2. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  3. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  4. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  5. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  6. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  7. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.