Attackers are using hijacked email threads, harvested in bulk from previous Microsoft ProxyLogon attacks, in order to send messages to victims that deliver the Qakbot malware.
The campaign utilizes a known tactic that researchers with Cisco Talos call external thread hijacking. Attackers first compromise third-party Exchange servers and exfiltrate their email threads for later use. At a later date, they then use a script to process these aggregated emails at bulk into spoofed responses to email contacts the victim had previously corresponded with, with links to malicious URLs that lead to the deployment of Qakbot.
“After parsing the emails they then seek to weaponize them, but don’t have access to the actual Exchange server that sent the messages initially, just copies of the emails from the ones that received them,” said Nate Pors, senior incident response commander with Cisco Talos. “In this case, they spoofed the addresses to make them appear to come from the original recipient.”
The QakBot campaign was observed as recently as June and coincides with a resurgence of Qakbot that researchers have observed over the past few months, with the malware in March spotted targeting enterprise organizations to infect them with a tangle of payloads. Researchers said due to ongoing investigations they can’t describe victimology; however, higher-value targets could include companies that have potentially strong or trusted relationships with their email contacts, which would make spoofed emails from the attacker seem more legitimate. Qakbot, which has been around since 2007 when it first emerged as a banking trojan, has since grown into a multi-purpose malware with multiple functionalities, including tools for performing reconnaissance, exfiltrating data and delivering other payloads. Qakbot’s modular nature gives it flexibility for keeping up with the changing threat landscape, allowing attackers to pick and choose the components needed for specifically tailored attacks.
Researchers assess that the hijacked email threads were likely stolen in an earlier campaign that targeted the ProxyLogon flaw in vulnerable Microsoft Exchange servers. The dates of the old emails matched the timeframe of the ProxyLogon exploitation campaign, and Pors said that researchers were able to match a public breach disclosure from one of the identified source organizations.
One red flag for spotting an external thread hijacking attack is if the email is from a spoofed, external sender address, even if the existing email thread looks familiar, said researchers. Another telltale sign is the use of old email threads that may be from 2021 or even 2020 (though Talos observed one email thread as recently as May 2022, indicating that attackers may be using newly harvested threads). Finally, researchers said to keep an eye out for emails with a "malformed" appearance, which may be partly legitimate but also coupled with malicious content or that contain partially scrubbed emails.
External thread hijacking shares similarities with email thread hijacking, where attackers use a single compromised organization’s emails to deliver their threat, as opposed to a bulk aggregation of multiple organizations’ harvested emails. External thread hijacking is advantageous to threat actors as it potentially increases the amount of threads to weaponize, said Pors along with Terryn Valikodath with Cisco Talos, in Wednesday research.
“This many-to-one approach is unique from what we have generally observed in the past and is likely an indirect effect of the widespread compromises and exfiltration of large volumes of email from 2020 and 2021,” said researchers.