Qakbot Banking Trojan
Originally Published March 14, 2021
Updated: September 10th, 2023
Qakbot, also known as Pinkslipbot, Qbot and Quakbot, is a notorious Banking Trojan designed to steal account credentials and online banking session information, leading to account takeover fraud. Commonly distributed via malicious unsolicited email (malspam), Qakbot campaigns reportedly deployed ‘Cobalt Strike’ beacons, likely in an attempt to move laterally as well as to gain persistence and establish a robust communication channel back to the threat actor.
In March 2023 Qakbot was taken down in the FBI-led operation ‘Duck Hunt’, seizing almost $9 million (full update at the end of the article).
The use of ‘recycled’ legitimate emails, likely obtained from other victims and potentially sent to known recipients of these, appeared convincing to many. Users were warned to be wary of any out-of-character or unexpected email, especially when including unusual links or attachments.
Whilst reports vary on the first observation of Qakbot, potentially as early as 2007, the Trojan was heavily maintained and updated by its creators, leading to the active threat observed up until the takedown. Demonstrating this continued development, features included a worm-like ability to spread over networks, advanced web-injection techniques to steal credentials and a persistence mechanism that some believed to be the best in its class.
Additionally, the Trojan implemented anti-debug, anti-sandbox and anti-VM functionality, and its operators regularly shifted their command and control (C2) infrastructure to prevent the retrieval of malicious payloads, in an attempt to thwart security analysis and research.
In an attempt to further evade detection, Qakbot was considered a polymorphic threat in that it could modify itself even after it had infected an endpoint. Additionally, Qakbot constantly modified files, including the payloads involved, resulting in newer variants continuously cycling through C2 servers.
The combination of all of these abilities ensured that Qakbot remained a highly effective threat responsible for countless successful attacks on organizations, including governmental structures, worldwide, leading to the infection of tens of thousands of hosts and high financial losses for both victims and their associated financial institutions.
Since Qakbot predominantly targeted the corporate sector, the primary infection vector involved the delivery of an initial malicious payload, typically using malicious unsolicited email (malspam) or phishing campaigns, as well as exploiting common vulnerabilities to infiltrate target organizations.
In addition to this common delivery method, reports suggest that the threat was also distributed by a dropper that installed the threat using a delayed execution function. Specifically, after a dropper was deployed to a target machine, likely through some malware-as-a-service (MaaS) campaign such as those orchestrated by ‘Emotet’, it waited approximately fifteen minutes before dropping the Qakbot payload. This was likely an attempt to evade detection by security solutions such as sandboxes.
In this recently observed campaign, victims were targeted with malicious email lures that appear to be in response to, or modified versions of, legitimate business communications between two parties (Figure 1).
Figure 1 – Example lure email seemingly using content known to the recipient/victim
The use of an existing legitimate email, aside from making the lure appear far more convincing to a recipient recognizing their own message and possibly the purported sender, is consistent with previously identified Qakbot behavior in which email accounts are compromised and message threads hijacked. This tactic effectively created a ‘snowball effect’ in which more and more organizations could be targeted with lures derived from legitimate email messages obtained from previously compromised victims.
As is common with this delivery method, the malicious document, in this case a Microsoft Excel spreadsheet, was compressed and attached as a Zip archive. Notably, of the samples observed in recent Qakbot campaigns, the filename of these archives appeared somewhat similar, utilizing common phrases followed by a two digit number, for example:
Furthermore, the compressed Microsoft Excel spreadsheet filenames also appear to follow a naming convention beginning with ‘document-’, followed by nine to ten digits and ‘.xls’, for example,
Given this, any suspicious email attachment that exhibited similar naming conventions would have been considered potentially malicious.
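As an added illustration of turning the naming conventions above into a mail-gateway or triage check (this is example code written for this page, not the article author's tooling), the following Python flags attachment names matching ‘document-’ plus nine to ten digits plus ‘.xls’, and also opens a Zip attachment to look for such a spreadsheet inside it. The archive-name pattern (a phrase followed by a two-digit number) is my approximation of the article's description, since its examples are not reproduced here, and the sample archive is constructed in memory.

```python
import io
import re
import zipfile

# Naming conventions from the article: spreadsheets named document-<9-10 digits>.xls,
# and archives named with a common phrase followed by a two-digit number. The archive
# pattern is an approximation of that description (assumption), the spreadsheet
# pattern is anchored so that, e.g., document-12345678.xls (8 digits) does not match.
XLS_NAME_RE = re.compile(r"^document-\d{9,10}\.xls$", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"^[a-z][a-z _-]*\d{2}\.zip$", re.IGNORECASE)


def classify_attachment(filename, data=None):
    """Return the reasons an attachment resembles the lure naming scheme (empty = none).

    filename is the name as seen in the message; data, if given, is the raw attachment,
    so a zip can also be inspected for a matching spreadsheet inside it.
    """
    reasons = []
    if ZIP_NAME_RE.match(filename):
        reasons.append("archive name is a phrase followed by a two-digit number")
    if XLS_NAME_RE.match(filename):
        reasons.append("spreadsheet name matches document-<9-10 digits>.xls")
    if data is not None and filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            reasons.append("zip extension but not a valid archive")
            return reasons
        for member in members:
            base = member.rsplit("/", 1)[-1]  # ignore any folder inside the archive
            if XLS_NAME_RE.match(base):
                reasons.append(f"archive contains {base}")
    return reasons


def build_sample_zip(member_name):
    """Build a tiny in-memory archive holding one placeholder file (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"placeholder, not a real spreadsheet")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("document-1234567890.xls")
    print(classify_attachment("Complaint-12.zip", sample))
```

The check is deliberately a name-based heuristic: it is cheap enough to run on every inbound attachment, but a match should raise the priority for sandbox detonation or analyst review rather than serve as the only verdict.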
Victims falling for the email lure, opening the Zip archive and subsequently the malicious spreadsheet were presented with content that claimed to be ‘encrypted by [the] Docusign® Protect Service’ (Figure 2).
Figure 2 – Qakbot fake ‘Docusign Protect Service’ encrypted spreadsheet
Fake content such as this was an attempt to socially engineer the victim into bypassing the security controls within Microsoft Office by clicking on ‘Enable Editing’ and ‘Enable Content’, which in turn would allow embedded macro code to be executed. This tactic was not unique to Qakbot and is regularly observed across multiple cybercrime campaigns, such as those conducted by ‘Emotet’ and ‘Trickbot’.
Likely in an attempt to evade detection, malicious code embedded within the spreadsheet was obfuscated and split across multiple cells on Excel macro sheets (XLM) that sat alongside the main ‘DocuSign’ sheet. To prevent a casual visual inspection of these values, the additional sheets appeared blank: the font color was set to ‘white’ so as to match the cell background, although this text could easily be revealed (Figure 3).
Figure 3 – Obfuscated code hidden within the lure spreadsheet (Revealed in ‘red’)
Once the victim lowered the security posture of Microsoft Office, the malicious code was automatically executed using the Auto_Open() function, leading to the reassembly of the download and execution commands by concatenating the various strings (Figure 4).
Figure 4 – Excel ‘malicious command’ string concatenation formula
De-obfuscating these formulas and reassembling the strings allowed the first stage payload download and execution commands to be viewed:
- Uses the Visual Basic for Applications (VBA) CALL statement to access URLMon.dll and download the first stage payload from the specified URL to the specified path, in this case the parent directory, as signified by ..\, and a seemingly random or nonsense filename
- Uses the VBA EXEC function to execute the rundll32.exe utility to register the downloaded payload, a dynamic link library (DLL), allowing its malicious code to be executed:
Notably, utilizing hardcoded domains and URLs for these payloads indicated that each lure document was tailored to the campaign and/or victim, behavior somewhat consistent with the tactics, techniques and procedures (TTP) observed in campaigns conducted by other threat actors such as ‘Emotet’.
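The reassembly step described above (hidden white-on-white cells whose contents are concatenated by ‘&’ formulas) can be reproduced with a small resolver, which is the kind of helper an analyst writes before reaching for a full XLM emulator. This is an added example, not code from the article: the sheet layout, cell addresses and the placeholder command it reassembles are constructed, and it only handles the ‘&’ concatenation of quoted literals and cell references (Excel doubles an embedded quote inside a literal).

```python
import re

# One operand of an XLM concatenation formula: a quoted literal (Excel doubles an
# embedded quote) or a cell reference such as C7.
_TOKEN_RE = re.compile(r'"(?:[^"]|"")*"|[A-Z]+\d+')

# Constructed macro-sheet fragment standing in for the lure's hidden cells. Values
# starting with "=" are formulas; the layout and the placeholder command are invented.
SAMPLE_SHEET = {
    "A1": "=C7&E3&B12",          # cell the Auto_Open entry point evaluates (assumed)
    "C7": "EXEC(",
    "E3": '=""""&F1&D4&""""',    # wraps the command text in literal quotes
    "F1": "rundll32.exe ",
    "D4": "<PAYLOAD_PLACEHOLDER>",
    "B12": ")",
}
# Font colour per cell as hex RGB; white text on the white background hides it.
SAMPLE_FONT = {c: "FFFFFF" for c in SAMPLE_SHEET}


def resolve(sheet, cell, _seen=frozenset()):
    """Evaluate a cell, concatenating the literals and referenced cells of "&" formulas."""
    if cell in _seen:
        raise ValueError(f"circular reference through {cell}")
    value = sheet.get(cell, "")
    if not value.startswith("="):
        return value
    parts = []
    for tok in _TOKEN_RE.findall(value[1:]):
        if tok.startswith('"'):
            parts.append(tok[1:-1].replace('""', '"'))   # un-double embedded quotes
        else:
            parts.append(resolve(sheet, tok, _seen | {cell}))
    return "".join(parts)


def hidden_cells(sheet, font_colors, fill="FFFFFF"):
    """Cells whose font colour equals the fill colour, i.e. invisible on casual inspection."""
    return sorted(c for c in sheet if font_colors.get(c, "000000").upper() == fill.upper())


if __name__ == "__main__":
    print(hidden_cells(SAMPLE_SHEET, SAMPLE_FONT))
    print(resolve(SAMPLE_SHEET, "A1"))
```

Listing the hidden cells first tells the analyst where to look; resolving the entry cell then yields the reassembled command string that would otherwise only be visible at run time. Real lures combine this with other XLM functions (CHAR, MID and the like), which this resolver does not evaluate.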
Having downloaded the first stage payload, a dynamic link library (DLL), rundll32.exe was executed by the malicious Microsoft Office ‘downloader’ macro to register and spawn the malicious Qakbot payload.
Subsequently a scheduled task was created, using the Windows Task Scheduler, schtasks.exe, to load the DLL payload with the Register Server utility, regsvr32.exe, using the following parameters:
- /Create – Schedules a new task;
- /RU "NT AUTHORITY\SYSTEM" – Executes the task with elevated system privileges;
- /tn <RANDOM_STRING> – Specifies the task name, seemingly using a random string;
- /tr "regsvr32.exe -s \"<PAYLOAD>" – The process to be executed, in this case regsvr32 is passed a malicious dynamic link library (DLL);
- /SC ONCE – Task scheduled to execute once at the specified time;
- /Z – Delete the task upon completion of the schedule;
- /ST <Now + 3 minutes as hh:mm> – Start time, used by the
- /ET <Now + 15 minutes as hh:mm> – End time, used by the
The start time was consistently set three minutes into the future and the end time fifteen minutes later, presumably allowing the malicious process to act on its objectives within a twelve minute window.
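The parameter combination above is distinctive enough to detect from process-creation telemetry (for example, the command line of a schtasks.exe child of an Office process). The following Python, an added example rather than anything from the article, parses a schtasks command line into its switches and scores the traits described: SYSTEM as the run-as user, a ONCE schedule, the self-deleting /Z switch, a silent regsvr32 DLL load in /tr, and a start/end window of fifteen minutes or less. Both sample command lines are constructed, not real telemetry, and the task name and DLL path in them are placeholders.

```python
import re
from datetime import datetime

# A schtasks switch (/Name) followed by an optional argument, which is either a
# double-quoted string (with \" escapes, as in the observed /tr value) or a bare token
# that does not itself start with "/".
_SWITCH_RE = re.compile(
    r'/(?P<name>[A-Za-z]+)(?:\s+(?P<value>"(?:[^"\\]|\\.)*"|(?!/)\S+))?'
)

# Constructed sample process-creation command lines (not real telemetry).
MALICIOUS_CMD = (
    r'schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /tn hqgkzjlc '
    r'/tr "regsvr32.exe -s \"C:\Users\Public\abc.dll\"" /SC ONCE /Z /ST 10:03 /ET 10:15'
)
BENIGN_CMD = r'schtasks.exe /Create /tn "Nightly Backup" /tr "C:\Tools\backup.exe" /SC DAILY /ST 02:00'


def parse_schtasks(cmdline):
    """Map each switch (lower-cased, without the slash) to its unquoted argument ("" if none)."""
    args = {}
    for m in _SWITCH_RE.finditer(cmdline):
        value = m.group("value") or ""
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        args[m.group("name").lower()] = value
    return args


def _minutes(hhmm):
    t = datetime.strptime(hhmm, "%H:%M")
    return t.hour * 60 + t.minute


def score_schtasks(cmdline):
    """Return (score, reasons): one point per trait of the task described in the article."""
    a = parse_schtasks(cmdline)
    reasons = []
    if "create" not in a:
        return 0, reasons
    if "system" in a.get("ru", "").lower():
        reasons.append("runs as SYSTEM")
    if a.get("sc", "").upper() == "ONCE":
        reasons.append("one-shot schedule")
    if "z" in a:
        reasons.append("self-deleting task (/Z)")
    tr = a.get("tr", "").lower()
    if "regsvr32" in tr and (" -s" in tr or " /s" in tr):
        reasons.append("silent regsvr32 DLL load")
    if "st" in a and "et" in a:
        try:
            # modulo handles a window that crosses midnight
            window = (_minutes(a["et"]) - _minutes(a["st"])) % (24 * 60)
        except ValueError:
            window = None
        if window is not None and window <= 15:
            reasons.append(f"{window}-minute execution window")
    return len(reasons), reasons


def flag_suspicious(cmdlines, threshold=4):
    """Return the command lines whose score reaches the threshold."""
    return [c for c in cmdlines if score_schtasks(c)[0] >= threshold]


if __name__ == "__main__":
    for cmd in (MALICIOUS_CMD, BENIGN_CMD):
        print(score_schtasks(cmd))
```

Scoring rather than matching a single string keeps the rule robust to changes in task name, path or exact times; the threshold can be lowered to three to favour recall, at the cost of more review of legitimate one-shot SYSTEM tasks created by installers.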
Whilst not observed in our attempts to execute this threat, a recent SANS ISC diary entry suggests that a ‘Cobalt Strike’ payload was delivered by Qakbot, leading to additional command and control (C2) traffic.
Likely used by the threat actor for managing and tracking their attack activity, both a botnet and a campaign identifier were embedded within the payload and could be extracted alongside C2 IP addresses. This data, whilst encrypted and packed, could be easily seen within the sandbox analysis results within ‘Hatching Triage’ (Figure 5).
Figure 5 – Example ‘Hatching Triage’ Qakbot analysis (https://tria.ge)
- Employee security awareness training can help them to identify and handle suspicious content such as unexpected or out-of-character communications, especially those containing email attachments or external links.
- Reinforce the message that Microsoft Office files that encourage users to ‘Enable Editing’, ‘Enable Content’ or disable any other security setting are almost certainly malicious.
- Consider the use of Group Policy to disable macros from running in Microsoft Office applications altogether; legitimate macros should be digitally signed to allow an exception to the disable rule.
- Administrative tools and script interpreters, such as PowerShell, should be disabled to prevent misuse by malicious payloads.
- Enhance the overall security of your infrastructure by monitoring for, and denying access to, the malicious domains, hosts and IP addresses detailed in the Indicators of Compromise section.
Indicators of Compromise
First Stage Payload Domains
The following domains have been identified as hosting the first stage payload as downloaded by the macro within the initial lure spreadsheet.
Update September 2023:
Operation ‘Duck Hunt’ Shuts Down Qakbot Botnet
The FBI-led Operation ‘Duck Hunt’ has taken down the extensive Qakbot botnet. The operation involved partners like Europol, French Police, and more. Cryptocurrency worth almost $9 million was seized from Qakbot, to be given to victims, as stated by U.S. Attorney Martin Estrada.
First Stage Payload IP Addresses
Based on passive DNS resolution of the first stage payload domains, the following IP addresses were identified and may be reused for nefarious purposes by those responsible for this threat.
First Stage Payload URLs
The following first stage payload URLs were identified as related to initial Qakbot lures and should be considered malicious.
Based on these recent observations, similarly structured URLs ending with the following paths and resource names could potentially be considered malicious.
Initial Lure Attachment SHA256
The following hashes are examples of recent Qakbot attachments (Zip-compressed archives) containing Microsoft Excel spreadsheet lures. Given that these were seemingly generated for each campaign and/or victim, these samples are unlikely to be reused in the future and are provided for reference only.
Botnet & Campaign Identifiers
The following botnet (alpha-numeric) and campaign (numeric) identifiers have been observed during March 2021, with those behind Qakbot recently using US President names as well as some less ‘catchy’ botnet identifiers:
Command & Control IP Addresses
The following Qakbot command and control (C2) IP addresses have been observed as in use across multiple botnets and campaigns during March 2021:
| MITRE ATT&CK Technique | Tactic |
| --- | --- |
| T1027 – Obfuscated Files or Information | Defense Evasion |
| T1027.002 – Obfuscated Files or Information: Software Packing | Defense Evasion |
| T1053 – Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1053.005 – Scheduled Task/Job: Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1055 – Process Injection | Defense Evasion, Privilege Escalation |
| T1055.001 – Process Injection: Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
| T1056 – Input Capture | Collection, Credential Access |
| T1057 – Process Discovery | Discovery |
| T1082 – System Information Discovery | Discovery |
| T1497 – Virtualization/Sandbox Evasion | Discovery, Defense Evasion |
| T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion | Discovery, Defense Evasion |
| T1518 – Software Discovery | Discovery |
| T1518.001 – Software Discovery: Security Software Discovery | Discovery |