Security news that informs and inspires

Qakbot Email Thread Hijacking Attacks Drop Multiple Payloads


Researchers have observed a resurgence of Qakbot over the past few months, with the malware using email thread hijacking techniques to attack enterprise organizations with the end goal of deploying a tangle of payloads.

A recent attack by the botnet delivered at least three different payloads, including a web injector for stealing login credentials, a module for identifying the addresses of a dozen Simple Mail Transfer Protocol (SMTP) email servers for further spam targeting and an ARP scanning component for profiling the victim’s network. The malware then collected a wide range of profile data from victims, including all the configured user accounts and permissions, installed software, running services and more.

“Qakbot is a versatile malware family with a growing popularity among a wide variety of criminal groups, who may use the malware itself or any of its variety of payloads to accomplish tasks,” said Andrew Brandt, principal threat researcher with Sophos, in an analysis last week. “Security teams need to take seriously the presence of Qakbot infections on their network and investigate and remove every trace. Botnet infections are a known precursor for a ransomware attack. This is not simply because botnets can deliver ransomware, but because botnet developers sell or lease their access to breached networks.”

The initial infection vector involved inserting malicious messages, tailored to the victim’s language (such as English or German), into existing email conversations; each message contained a short sentence and a link to download a zip file. This known tactic of email thread hijacking makes the attack especially convincing, with some messages asking recipients to “read something ASAP” and others saying “sorry for my late reply to your question” and attaching a document the recipient purportedly needed.

“Its abuse of email threads make it particularly dangerous, as mail recipients may not realize that the Qakbot-spreading email messages are not just part of an ongoing conversation between multiple parties,” said Brandt.

The zip file contained a malicious Excel spreadsheet; once the target enabled macros, the botnet’s infection chain activated: the malware performed a detailed profile scan, shared data with its command-and-control (C2) server and downloaded additional malicious modules. Of the three payloads subsequently downloaded, Brandt said the one that performed the ARP scan was “the most troubling.” By scanning the entire IP range of the victim’s NAT address space, the attackers could enumerate live hosts and hunt for a way to move laterally on the network.
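An ARP sweep of a whole subnet is loud on the local segment, and it is one of the few behaviours in this chain a network sensor can catch without any malware signature. The following is an added example, not code from Sophos or from the Qakbot analysis: it parses tcpdump-style ARP request lines (the line format, the 10-second window and the 20-target threshold are assumptions), tracks how many distinct targets each sender asks about within the window, and reports senders whose peak exceeds the threshold along with how much of their /24 they touched. The traffic it runs over is constructed, not a real capture.

```python
"""Flag hosts that ARP-sweep a local /24, from tcpdump -n -e style ARP lines.

Added example for this article; not the malware's code nor Sophos's tooling.
Input format, window and threshold are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed input shape (what `tcpdump -n -e arp` prints for a request):
# 09:15:00.000000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806),
#   length 42: Request who-has 10.0.0.1 tell 10.0.0.20, length 28
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src_mac>[0-9a-f:]{17}) > [0-9a-f:]{17}, "
    r"ethertype ARP \(0x0806\), length \d+: Request who-has "
    r"(?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return (seconds_since_midnight, src_mac, sender_ip, target_ip) or None for non-requests."""
    m = ARP_REQUEST.match(line)
    if not m:
        return None  # ARP replies and other traffic are ignored
    h, mi, s = m.group("ts").split(":")
    t = int(h) * 3600 + int(mi) * 60 + float(s)
    return t, m.group("src_mac"), m.group("sender"), m.group("target")


def detect_arp_sweeps(lines, window=10.0, min_targets=20):
    """Return {(src_mac, sender_ip): summary} for senders asking about >= min_targets
    distinct IPs within any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            t, mac, sender, target = parsed
            by_src[(mac, sender)].append((t, target))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # target -> number of requests inside the current window
        left = 0
        peak = 0
        for t, target in events:
            in_window[target] += 1
            while events[left][0] < t - window:  # expire requests older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            targets = {tgt for _, tgt in events}
            net = ipaddress.ip_network(f"{src[1]}/24", strict=False)
            hit = sum(ipaddress.ip_address(tgt) in net for tgt in targets)
            alerts[src] = {
                "peak_distinct_targets": peak,
                "subnet": str(net),
                "subnet_coverage": round(hit / (net.num_addresses - 2), 2),
            }
    return alerts


def _tcpdump_line(t, src_mac, sender, target):
    h, rem = divmod(t, 3600)
    m, s = divmod(rem, 60)
    return (f"{int(h):02d}:{int(m):02d}:{s:09.6f} {src_mac} > ff:ff:ff:ff:ff:ff, "
            f"ethertype ARP (0x0806), length 42: Request who-has {target} tell {sender}, length 28")


def build_sample_lines():
    """Constructed traffic, not a real capture: one host sweeps 10.0.0.0/24 in ~5 s,
    another resolves three neighbours over a minute, plus one ARP reply as noise."""
    base = 9 * 3600 + 15 * 60
    lines = [_tcpdump_line(base + i * 0.02, "aa:bb:cc:dd:ee:01", "10.0.0.20", f"10.0.0.{i + 1}")
             for i in range(254)]
    for k, target in enumerate(["10.0.0.1", "10.0.0.5", "10.0.0.20"]):
        lines.append(_tcpdump_line(base + 30 * k, "aa:bb:cc:dd:ee:02", "10.0.0.30", target))
    lines.append("09:15:01.000000 aa:bb:cc:dd:ee:02 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), "
                 "length 42: Reply 10.0.0.30 is-at aa:bb:cc:dd:ee:02, length 28")
    return lines


if __name__ == "__main__":
    for src, summary in detect_arp_sweeps(build_sample_lines()).items():
        print(src, summary)
```

Two caveats a practitioner would want: ARP never crosses a router, so the sensor must sit on the same segment as the infected host (a SPAN port, or the switch's own ARP counters), and a DHCP server or monitoring tool that legitimately probes the whole range will trip the same threshold, so the alert is a lead for the host-level investigation Brandt describes, not a verdict.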

Qakbot’s malware code and its C2 communications feature “elaborate levels” of obfuscation and encryption. Researchers said they have also encountered Qakbot samples that deliver Cobalt Strike beacons directly to an infected host, access that the operators then lease out to paying customers.

Qakbot, which has been around since 2007 when it first emerged as a banking trojan, has since grown into a multi-purpose malware with multiple functionalities, including tools for performing reconnaissance, exfiltrating data and delivering other payloads. Researchers have noted that Qakbot’s modular nature gives it flexibility for keeping up with the changing threat landscape, allowing attackers to pick and choose the components needed for specifically tailored attacks.

Researchers said that Qakbot infections have crept up as competing email-driven botnets - like Emotet and Trickbot - have faced roadblocks due to disruptions by law enforcement and tech companies. They recommended that users approach suspicious emails with caution even when they arrive as replies in existing email threads.

“Like those families, the Qakbot malware is modular, with a core engine component and, potentially, multiple malicious plugins or components it will download and inject into system processes,” said Brandt.