Qakbot Leveraging DLL-SideLoading to Deliver Malware – Detection & Response


Security researcher ProxyLife and Cyble researchers recently uncovered a Qakbot campaign that abuses the Windows Calculator (calc.exe) for DLL side-loading. DLL side-loading is a technique threat actors (TAs) use to run malicious code under the identity of a legitimate, usually signed, application: the TA places the legitimate executable and a malicious .dll together in the same directory.

The malicious .dll carries the name of a library the application loads at start-up. Because the Windows loader searches the application's own directory before System32, it picks up the attacker's copy instead of the genuine one, and the malicious code runs inside a trusted, signed process.


In this case the application is calc.exe, and the malicious file, WindowsCodecs.dll, masquerades as the Windows Imaging Component library that calc.exe depends on. The calc.exe bundled with the lure is the older Windows 7 calculator: the Windows 10 calc.exe is only a launcher for the Store app and does not load WindowsCodecs.dll, which is why the TAs ship their own copy of the binary.

When calc.exe runs, it loads the malicious WindowsCodecs.dll, which in turn launches regsvr32.exe to execute the final Qakbot payload (the 7533.dll shipped in the same ISO). The payload then injects itself into explorer.exe and carries out its malicious activity from there.
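The search-order rule that makes this work, as an added example that is not code from the post or from the Cyble/ProxyLife analysis: the function below models the default Windows DLL search order and shows that a WindowsCodecs.dll placed beside calc.exe is chosen over the one in System32, while a KnownDLL such as kernel32.dll never is. A second function applies the same rule as a triage check over a directory listing. The KnownDLLs list, the System32 contents and the listing of the mounted ISO are small constructed subsets, and the drive letter D: is an assumption.

```python
"""Model of the default Windows DLL search order (SafeDllSearchMode on) and a
triage helper that flags side-loading candidates in a directory listing.

Added example, not code from the original post or the Cyble/ProxyLife
analysis. KNOWN_DLLS and SYSTEM32_DLLS are small constructed subsets of the
real KnownDLLs registry list and System32 contents; the D:\ listing is a
made-up view of the mounted ISO.
"""
from pathlib import PureWindowsPath

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# The loader maps these from the \KnownDlls section, never from the application directory.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll", "shell32.dll"}

# Subset of what ships in System32; WindowsCodecs.dll is there but is NOT a KnownDLL
SYSTEM32_DLLS = KNOWN_DLLS | {"windowscodecs.dll", "msvcrt.dll", "oleaut32.dll"}

SYSTEM32 = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
SYSTEM_DIRS = {SYSTEM32.lower(), r"c:\windows\syswow64"}


def resolve_dll(name, app_dir, listings, cwd=None, path_dirs=(), known_dlls=KNOWN_DLLS):
    """Return the path the loader would pick for `name` when the executable in
    `app_dir` loads it, or None. `listings` maps a lower-cased directory path
    to the file names it contains."""
    wanted = name.lower()

    def present(directory):
        return wanted in {f.lower() for f in listings.get(str(directory).lower(), ())}

    if wanted in known_dlls:
        return str(PureWindowsPath(SYSTEM32, name))
    # Default (safe) search order: application dir, System32, 16-bit system dir,
    # Windows dir, current dir, then PATH
    order = [app_dir, SYSTEM32, PureWindowsPath(WINDOWS_DIR, "System"), WINDOWS_DIR,
             cwd or app_dir, *path_dirs]
    for directory in order:
        if present(directory):
            return str(PureWindowsPath(directory, name))
    return None


def sideload_candidates(directory, listings, system_dlls=SYSTEM32_DLLS, known_dlls=KNOWN_DLLS):
    """(exe, dll) pairs in a non-system `directory` where the DLL shadows a
    System32 library that is not a KnownDLL, i.e. the loader would honour
    the local copy."""
    if directory.lower() in SYSTEM_DIRS:
        return []  # the system directories are where these libraries belong
    files = {f.lower() for f in listings.get(directory.lower(), ())}
    exes = sorted(f for f in files if f.endswith(".exe"))
    dlls = sorted(f for f in files
                  if f.endswith(".dll") and f in system_dlls and f not in known_dlls)
    return [(exe, dll) for exe in exes for dll in dlls]


# Constructed listings: System32 and the ISO mounted as D:\ (assumed drive letter)
LISTINGS = {
    SYSTEM32.lower(): SYSTEM32_DLLS | {"calc.exe", "regsvr32.exe"},
    "d:\\": {"Report Jul 14 4778.lnk", "calc.exe", "WindowsCodecs.dll", "7533.dll"},
}

if __name__ == "__main__":
    print(resolve_dll("WindowsCodecs.dll", "D:\\", LISTINGS))   # attacker's copy beside calc.exe wins
    print(resolve_dll("WindowsCodecs.dll", SYSTEM32, LISTINGS))  # genuine copy when calc.exe runs from System32
    print(resolve_dll("kernel32.dll", "D:\\", LISTINGS))          # KnownDLL: always System32
    print(sideload_candidates("D:\\", LISTINGS))                  # the calc.exe / WindowsCodecs.dll pair
```

The KnownDLLs short-circuit is the reason this technique targets libraries like WindowsCodecs.dll rather than kernel32.dll or user32.dll: only a DLL that is not pre-mapped from the \KnownDlls section can be shadowed from the application directory.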

Infection chain (figure; source: Cyble)

The initial infection of Qakbot starts with a malicious spam campaign that contains various themes to lure the users into opening the attachments.

Figure (source: Cyble)

The email carries a password-protected zip archive. Opening it with the supplied password yields an ISO image named “Report Jul 14 47787.iso”. The ISO contains four files:

  • a .lnk file
  • a legitimate calc.exe
  • WindowsCodecs.dll (the malicious library that calc.exe side-loads)
  • 7533.dll (the Qakbot payload)

When the user opens the ISO, Windows mounts it as a drive letter. The other three files are hidden, so the user sees only the .lnk file, named “Report Jul 14 4778.lnk” and given a PDF-style icon so that it passes for a document.


The properties of the .lnk file show that its target is the calc.exe inside the mounted ISO, not a document. The figure below shows the .lnk file's properties.

Figure (source: Cyble)
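Pulling the shortcut's target out of the .lnk without opening it in Explorer, as an added example that is not code from the post or from Cyble: a minimal parser for the Shell Link format (MS-SHLLINK) that reads the header flags, skips the ID list and LinkInfo blocks, and returns the relative path, working directory, arguments and icon location, plus a few heuristics for a shortcut dressed up as a document. The sample .lnk is built inside the block to resemble the lure described above (relative target .\calc.exe, custom icon); it is not the real file, and the icon path is an assumption.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triaging shortcut lures.

Added example, not code from the original post or the Cyble/ProxyLife analysis.
Layout per the spec: 76-byte ShellLinkHeader, optional LinkTargetIDList and
LinkInfo blocks, then length-prefixed StringData. The sample .lnk at the bottom
is constructed here to resemble the lure; it is not the real artifact.
"""
import struct

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields in the order the spec stores them
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields; raise ValueError if not a .lnk."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # u16 size (excluding itself) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    if flags & HAS_LINK_INFO:                # u32 total size, including the size field
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size

    def read_string() -> str:
        nonlocal offset
        (count,) = struct.unpack_from("<H", data, offset)   # character count, no terminator
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + width * count]
        offset += width * count
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    info = {"flags": flags}
    for field, bit in STRING_FIELDS:
        info[field] = read_string() if flags & bit else None
    return info


def assess_lure(info: dict) -> list:
    """Heuristics for a shortcut dressed up as a document."""
    findings = []
    target = info["relative_path"] or ""
    if target.lower().endswith(EXECUTABLE_EXTENSIONS):
        findings.append("target is an executable: " + target)
        if target.startswith(".\\") or ":" not in target:
            findings.append("relative target: runs a binary shipped next to the shortcut")
        if info["icon_location"]:
            findings.append("icon overridden on an executable target: possible document masquerade")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal Unicode .lnk; used here only to construct the sample."""
    flags = (IS_UNICODE | HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH
             | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION)
    header = struct.pack("<I16sIIqqqIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20,        # FileAttributes: ARCHIVE
                         0, 0, 0,     # creation/access/write FILETIMEs unset
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand: SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    idlist = struct.pack("<H", 4) + b"\x1f\x00" + b"\x00\x00"   # one placeholder ItemID + TerminalID
    target_id_list = struct.pack("<H", len(idlist)) + idlist

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + target_id_list + enc(relative_path) + enc(working_dir)
            + enc(arguments) + enc(icon_location))


# Constructed sample: target is the calc.exe beside the shortcut; the icon path is made up
SAMPLE_LNK = build_lnk(".\\calc.exe", ".", "", "%SystemRoot%\\System32\\shell32.dll")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info)
    for finding in assess_lure(info):
        print("-", finding)
```

On a real sample, read the file with `open(path, "rb")` and pass the bytes to `parse_lnk`; the parser never executes the target, so it is safe to run on the .lnk pulled from the ISO. Real lures usually also carry a LinkInfo block and a populated ID list; both are skipped by size, so they do not affect the StringData that matters for triage.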

The TAs behind Qakbot are highly active and continuously evolve their delivery methods to increase their reach and impact.

Qakbot steals credentials from the victim's system and uses them for the TA's financial gain. Beyond the direct financial loss, this can lead to fraud and identity theft for the victim, and Qakbot infections are routinely sold on to other operators, including ransomware crews, as a foothold for follow-on intrusion.

Indicators of Compromise:

C2 servers (IP:port). Qakbot's first-tier C2s are typically infected hosts on residential connections that act as proxies and rotate frequently, so use this list for retro-hunting proxy and firewall logs from the campaign window rather than as a permanent blocklist:
70.46.220.114:443
179.111.8.52:32101
208.107.221.224:443
176.45.218.138:995
24.158.23.166:995
24.54.48.11:443
89.101.97.139:443
24.55.67.176:443
24.139.72.117:443
120.150.218.241:995
174.69.215.101:443
38.70.253.226:2222
41.228.22.180:443
217.165.157.202:995
172.115.177.204:2222
173.21.10.71:2222
69.14.172.24:443
47.23.89.60:993
104.34.212.7:32103
66.230.104.103:443
81.158.239.251:2078
179.158.105.44:443
189.253.167.141:443
24.178.196.158:2222
174.80.15.101:2083
187.116.126.216:32101
100.38.242.113:995
74.14.5.179:2222
40.134.246.185:995
172.114.160.81:443
72.252.157.93:995
70.51.137.244:2222
82.41.63.217:443
197.89.11.218:443
37.34.253.233:443
67.209.195.198:443
67.165.206.193:993
93.48.80.198:995
111.125.245.116:995
1.161.118.53:443
76.25.142.196:443
148.64.96.100:443
217.128.122.65:2222
32.221.224.140:995
47.180.172.159:443
39.57.56.11:995
186.90.153.162:2222
37.186.58.99:995
86.97.10.37:443
39.44.116.107:995
182.191.92.203:995
86.98.78.118:993
117.248.109.38:21
39.52.44.132:995
1.161.118.53:995
91.75.85.128:1194
121.7.223.45:2222
39.41.90.210:995
46.107.48.202:443
190.252.242.69:443
187.172.31.52:443
72.252.157.93:993
72.252.157.93:990
47.145.130.171:443
63.143.92.99:995
197.92.136.122:443
45.46.53.140:2222
196.203.37.215:80
94.59.138.43:2222
92.132.132.81:2222
39.49.48.167:995
103.246.242.202:443
84.241.8.23:32103
94.59.15.180:2222
89.211.209.234:2222
94.36.193.176:2222
47.156.129.52:443
201.172.20.105:2222
109.12.111.14:443
85.6.232.221:2222
96.37.113.36:993
2.178.120.112:61202
193.136.1.58:443
103.133.11.10:995
120.61.3.142:443
182.52.159.24:443
78.100.219.38:50010
173.174.216.62:443
106.51.48.188:50001
67.69.166.79:2222
45.241.254.69:993
88.240.59.52:443
86.213.75.30:2078
24.43.99.75:443
101.50.67.155:995
108.56.213.219:995
5.32.41.45:443
39.53.139.2:995
80.11.74.81:2222

Detection & Response:

The queries below are one Sigma-style rule translated for several SIEM and EDR products. Each looks for four things: cmd.exe launched with /q, /c or a reference to calc.exe; regsvr32.exe spawned by calc.exe with a DLL on its command line; schtasks.exe creating tasks; and PowerShell with -encodedCommand. Before deploying them, note the following:

  • The discriminating clause is calc.exe as the parent of regsvr32.exe. The cmd.exe /c and PowerShell -encodedCommand clauses fire constantly in most environments on their own; keep them for hunting but scope or drop them in an alerting rule.
  • The Image, ParentImage and CommandLine fields are Sysmon Event ID 1 field names. The Sentinel variant uses Security Event ID 4688, which only carries the command line when "Include command line in process creation events" is enabled by policy.
  • Two higher-fidelity signals this chain produces: calc.exe executing from any path other than %SystemRoot%\System32 or SysWOW64 (here, a mounted ISO drive letter), and WindowsCodecs.dll being loaded from outside System32 (Sysmon Event ID 7), since the genuine library is Microsoft-signed and lives only there.
  • For response: unmount the ISO, collect the .lnk, calc.exe, WindowsCodecs.dll and 7533.dll for analysis, look for regsvr32.exe accessing or injecting into explorer.exe, and treat any credentials used on the host as compromised.

Splunk:

source="WinEventLog:*" AND (((((Image="*\\cmd.exe") AND (CommandLine="*/q*" OR CommandLine="*/c*" OR CommandLine="*calc.exe*")) OR ((ParentImage="*\\calc.exe") AND Image="*\\regsvr32.exe" AND (CommandLine="*.dll*" OR CommandLine="*/s*"))) OR (Image="*\\schtasks.exe" AND (CommandLine="*/Create*" OR CommandLine="*/RU*" OR CommandLine="*-encodedCommand*"))) OR (Image="*\\powershell.exe" AND (CommandLine="*-encodedCommand*")))

QRadar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ((((("Image" ilike '%\cmd.exe') and ("Process CommandLine" ilike '%/q%' or "Process CommandLine" ilike '%/c%' or "Process CommandLine" ilike '%calc.exe%')) or (("ParentImage" ilike '%\calc.exe') and "Image" ilike '%\regsvr32.exe' and ("Process CommandLine" ilike '%.dll%' or "Process CommandLine" ilike '%/s%'))) or ("Image" ilike '%\schtasks.exe' and ("Process CommandLine" ilike '%/Create%' or "Process CommandLine" ilike '%/RU%' or "Process CommandLine" ilike '%-encodedCommand%'))) or ("Image" ilike '%\powershell.exe' and ("Process CommandLine" ilike '%-encodedCommand%')))

Elastic Query:

((((process.executable.text:*\\cmd.exe AND process.command_line.text:(*\/q* OR *\/c* OR *calc.exe*)) OR (process.parent.executable.text:*\\calc.exe AND process.executable.text:*\\regsvr32.exe AND process.command_line.text:(*.dll* OR *\/s*))) OR (process.executable.text:*\\schtasks.exe AND process.command_line.text:(*\/Create* OR *\/RU* OR *\-encodedCommand*))) OR (process.executable.text:*\\powershell.exe AND process.command_line.text:*\-encodedCommand*))

ArcSight:

(((((((((sourceProcessName ENDSWITH "\cmd.exe" OR destinationProcessName ENDSWITH "\cmd.exe" OR deviceProcessName ENDSWITH "\cmd.exe")) AND ((destinationServiceName CONTAINS "/q" OR destinationServiceName CONTAINS "/c" OR destinationServiceName CONTAINS "calc.exe" OR deviceCustomString1 CONTAINS "/q" OR deviceCustomString1 CONTAINS "/c" OR deviceCustomString1 CONTAINS "calc.exe"))) OR (sourceProcessName ENDSWITH "\calc.exe" AND ((sourceProcessName ENDSWITH "\regsvr32.exe" OR destinationProcessName ENDSWITH "\regsvr32.exe" OR deviceProcessName ENDSWITH "\regsvr32.exe")) AND ((destinationServiceName CONTAINS ".dll" OR destinationServiceName CONTAINS "/s" OR deviceCustomString1 CONTAINS ".dll" OR deviceCustomString1 CONTAINS "/s"))))) OR (((sourceProcessName ENDSWITH "\schtasks.exe" OR destinationProcessName ENDSWITH "\schtasks.exe" OR deviceProcessName ENDSWITH "\schtasks.exe")) AND ((destinationServiceName CONTAINS "/Create" OR destinationServiceName CONTAINS "/RU" OR destinationServiceName CONTAINS "-encodedCommand" OR deviceCustomString1 CONTAINS "/Create" OR deviceCustomString1 CONTAINS "/RU" OR deviceCustomString1 CONTAINS "-encodedCommand"))))) OR (((sourceProcessName ENDSWITH "\powershell.exe" OR destinationProcessName ENDSWITH "\powershell.exe" OR deviceProcessName ENDSWITH "\powershell.exe")) AND ((destinationServiceName CONTAINS "-encodedCommand" OR deviceCustomString1 CONTAINS "-encodedCommand"))))) AND type != 2

Carbon Black:

((((process_name:*\\cmd.exe AND process_cmdline:(*\/q* OR *\/c* OR *calc.exe*)) OR (parent_name:*\\calc.exe AND process_name:*\\regsvr32.exe AND process_cmdline:(*.dll* OR *\/s*))) OR (process_name:*\\schtasks.exe AND process_cmdline:(*\/Create* OR *\/RU* OR *\-encodedCommand*))) OR (process_name:*\\powershell.exe AND process_cmdline:*\-encodedCommand*))

CrowdStrike:

(((((ImageFileName="*\\cmd.exe") AND ((CommandLine="*/q*" OR CommandLine="*/c*" OR CommandLine="*calc.exe*") OR (CommandHistory="*/q*" OR CommandHistory="*/c*" OR CommandHistory="*calc.exe*"))) OR ((ParentBaseFileName="*\\calc.exe") AND ImageFileName="*\\regsvr32.exe" AND ((CommandLine="*.dll*" OR CommandLine="*/s*") OR (CommandHistory="*.dll*" OR CommandHistory="*/s*")))) OR (ImageFileName="*\\schtasks.exe" AND ((CommandLine="*/Create*" OR CommandLine="*/RU*" OR CommandLine="*-encodedCommand*") OR (CommandHistory="*/Create*" OR CommandHistory="*/RU*" OR CommandHistory="*-encodedCommand*")))) OR (ImageFileName="*\\powershell.exe" AND ((CommandLine="*-encodedCommand*") OR (CommandHistory="*-encodedCommand*"))))

FireEye:

(metaclass:`windows` ((((process:`*\cmd.exe` args:[`/q`,`/c`,`calc.exe`]) OR (pprocess:`*\calc.exe` process:`*\regsvr32.exe` args:[`.dll`,`/s`])) OR (process:`*\schtasks.exe` args:[`/Create`,`/RU`,`-encodedCommand`])) OR (process:`*\powershell.exe` args:`-encodedCommand`)))

Graylog:

((((Image.keyword:*\\cmd.exe AND CommandLine.keyword:(*\/q* *\/c* *calc.exe*)) OR (ParentImage.keyword:*\\calc.exe AND Image.keyword:*\\regsvr32.exe AND CommandLine.keyword:(*.dll* *\/s*))) OR (Image.keyword:*\\schtasks.exe AND CommandLine.keyword:(*\/Create* *\/RU* *\-encodedCommand*))) OR (Image.keyword:*\\powershell.exe AND CommandLine.keyword:*\-encodedCommand*))

Microsoft Defender:

DeviceProcessEvents | where (((((FolderPath endswith @"\cmd.exe") and (ProcessCommandLine contains "/q" or ProcessCommandLine contains "/c" or ProcessCommandLine contains "calc.exe")) or ((InitiatingProcessFolderPath endswith @"\calc.exe") and FolderPath endswith @"\regsvr32.exe" and (ProcessCommandLine contains ".dll" or ProcessCommandLine contains "/s"))) or (FolderPath endswith @"\schtasks.exe" and (ProcessCommandLine contains "/Create" or ProcessCommandLine contains "/RU" or ProcessCommandLine contains "-encodedCommand"))) or (FolderPath endswith @"\powershell.exe" and (ProcessCommandLine contains "-encodedCommand")))

Microsoft Sentinel:

SecurityEvent |  where EventID == 4688 | where (((((NewProcessName endswith @'\cmd.exe') and (CommandLine contains '/q' or CommandLine contains '/c' or CommandLine contains 'calc.exe')) or ((ParentProcessName endswith @'\calc.exe') and NewProcessName endswith @'\regsvr32.exe' and (CommandLine contains '.dll' or CommandLine contains '/s'))) or (NewProcessName endswith @'\schtasks.exe' and (CommandLine contains '/Create' or CommandLine contains '/RU' or CommandLine contains '-encodedCommand'))) or (NewProcessName endswith @'\powershell.exe' and (CommandLine contains '-encodedCommand')))

RSA Netwitness:

(((((Image contains '\cmd\.exe') && (CommandLine contains '/q', '/c', 'calc\.exe')) || ((ParentImage contains '\calc\.exe') && (Image contains 'regsvr32.exe') && (CommandLine contains '.dll', '/s'))) || ((Image contains 'schtasks.exe') && (CommandLine contains '/Create', '/RU', '-encodedCommand'))) || ((Image contains 'powershell.exe') && (CommandLine contains '-encodedCommand')))

Logpoint:

((((Image IN "*\\cmd.exe" CommandLine IN ["*/q*", "*/c*", "*calc.exe*"]) OR (ParentImage IN "*\\calc.exe" Image="*\\regsvr32.exe" CommandLine IN ["*.dll*", "*/s*"])) OR (Image="*\\schtasks.exe" CommandLine IN ["*/Create*", "*/RU*", "*-encodedCommand*"])) OR (Image="*\\powershell.exe" CommandLine IN "*-encodedCommand*"))

Sumo Logic:

(_sourceCategory=*windows* AND ((((((((Image = "*\cmd.exe") AND (CommandLine = "*/q*" OR CommandLine = "*/c*" OR CommandLine = "*calc.exe*")) OR ((ParentImage = "*\calc.exe") AND Image="*\regsvr32.exe" AND (CommandLine = "*.dll*" OR CommandLine = "*/s*")))) OR (Image="*\schtasks.exe" AND (CommandLine = "*/Create*" OR CommandLine = "*/RU*" OR CommandLine = "*-encodedCommand*")))) OR (Image="*\powershell.exe" AND (CommandLine = "*-encodedCommand*")))))
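The same chain expressed as detection logic over telemetry, as an added example that is not code from the post or from any of the vendors above. It runs the higher-fidelity checks on constructed Sysmon-style events (Event ID 1 process creation, 7 image load, 8 CreateRemoteThread): calc.exe running outside the system directories, WindowsCodecs.dll loaded from the application directory or unsigned, calc.exe spawning regsvr32.exe with a DLL, and regsvr32.exe injecting into explorer.exe. The drive letter D:, the command lines and the use of CreateRemoteThread for the injection are assumptions made for the sample.

```python
"""Detection logic for the chain described above (calc.exe side-loading
WindowsCodecs.dll, regsvr32.exe running the Qakbot DLL, injection into
explorer.exe), run over constructed Sysmon-style events.

Added example, not code from the original post or from Cyble/ProxyLife.
Events are dicts keyed by Sysmon field names (EID 1 process creation,
EID 7 image load, EID 8 CreateRemoteThread); every event below is made up.
"""
from pathlib import PureWindowsPath

# Where the signed Windows calc.exe and the genuine WindowsCodecs.dll live
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names this campaign side-loads beside calc.exe; extend for other lures
SIDELOADED_DLLS = {"windowscodecs.dll"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def check_event(ev: dict) -> list:
    """Return (rule, detail) tuples raised by one Sysmon event."""
    alerts = []
    eid = ev["EventID"]
    if eid == 1:  # process creation
        image, parent = ev["Image"], ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "")
        # the calculator inside the ISO runs from the mounted drive, not System32
        if _name(image) == "calc.exe" and _dir(image) not in SYSTEM_DIRS:
            alerts.append(("calc_outside_system_dir", image))
        # calc.exe has no business registering DLLs
        if _name(parent) == "calc.exe" and _name(image) == "regsvr32.exe" and ".dll" in cmd.lower():
            alerts.append(("calc_spawned_regsvr32", cmd))
    elif eid == 7:  # image load
        loader, loaded = ev["Image"], ev["ImageLoaded"]
        if _name(loaded) in SIDELOADED_DLLS:
            if _dir(loaded) not in SYSTEM_DIRS:
                alerts.append(("sideloaded_dll_from_app_dir", f"{loader} loaded {loaded}"))
            # Sysmon records the Authenticode result; the genuine library is Microsoft-signed
            if ev.get("Signed", "").lower() != "true":
                alerts.append(("sideloaded_dll_unsigned", loaded))
    elif eid == 8:  # CreateRemoteThread
        if _name(ev["SourceImage"]) == "regsvr32.exe" and _name(ev["TargetImage"]) == "explorer.exe":
            alerts.append(("regsvr32_injects_explorer", ev["TargetImage"]))
    return alerts


def run_detections(events) -> list:
    alerts = []
    for ev in events:
        alerts.extend(check_event(ev))
    return alerts


# Constructed sample telemetry: the ISO is mounted as D:\ (made-up paths and command lines)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"D:\calc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"D:\calc.exe"'},
    {"EventID": 7, "Image": r"D:\calc.exe", "ImageLoaded": r"D:\WindowsCodecs.dll",
     "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"D:\calc.exe",
     "CommandLine": r"regsvr32.exe D:\7533.dll"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\regsvr32.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # benign activity that must stay quiet
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Windows\System32\calc.exe"'},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": r"C:\Windows\System32\WindowsCodecs.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]

if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Each rule stands on its own, but correlating them on the host and a short time window (calc.exe from a removable or mounted drive, then the DLL load, then regsvr32.exe, then the explorer.exe injection) is what turns four medium-confidence signals into one high-confidence incident.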

Source/Credits: https://twitter.com/pr0xylife

https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html

https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/

BalaGanesh
Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.
