QakBot infection chain<\/em><\/strong><\/p>\n The infection chain of recent QakBot releases (2020-2021 variants) is as follows:<\/p>\n Typical QakBot malicious activity observed in the wild includes:<\/p>\n The QakBot malware contains a list of 150 IP addresses hardcoded into the loader binary resource. Most of these addresses belong to other infected systems that are used as a proxy to forward traffic to other proxies or the real \u04212.<\/p>\n Communication with the \u04212 is a HTTPS POST request with Base64-encoded data. The data is encrypted with the RC4 algorithm. The static string “jHxastDcds)oMc=jvh7wdUhxcsdt2” and a random 16-byte sequence are used for encryption. The data itself is in JSON format.<\/p>\n Original message in JSON format<\/em><\/strong><\/p>\n HTTPS POST request with encrypted JSON<\/em><\/strong><\/p>\n Usually, after infection the bot sends a ‘PING’ message, ‘SYSTEM INFO’ message and ‘ASK for COMMAND’ message, and the C2 replies with ‘ACK’ and ‘COMMAND’ messages. If additional modules were pushed by the C2, the bot sends a ‘STOLEN INFO’ message containing data stolen by the modules.<\/p>\n ‘PING’ message<\/em><\/strong><\/p>\n ‘ACK’ message<\/em><\/strong><\/p>\n ‘SYSTEM INFO’ message<\/em><\/strong><\/p>\n ‘ASK for COMMAND’ message<\/em><\/strong><\/p>\n ‘COMMAND’ C2 response with empty command<\/em><\/strong><\/p>\n If the C2 pushes some modules, the Base64-encoded binary is placed into field “20” of the message.<\/p>\n ‘COMMAND’ C2 response with additional module to load<\/em><\/strong><\/p>\n ‘STOLEN INFO’ message<\/em><\/strong><\/p>\n Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations.<\/p>\n The additional modules differ from sample to sample and may include: ‘Cookie grabber’, ‘Email Collector’, ‘Credentials grabber’, and ‘Proxy module’ among others.<\/p>\n These modules may be written by the threat actors themselves or may be borrowed from third-party repositories and adapted. It can vary from sample to sample. For example, there are older samples that may use Mimikatz for credentials dumping.<\/p>\n Below are some of the modules that we found during our research.<\/p>\n The threat actors distributed a debug version of the email collector module at some point<\/em><\/strong><\/p>\n The module contains a ciphered list of DLLs and functions that the bot will hook<\/em><\/strong><\/p>\n Procedure that collects passwords from different sources<\/em><\/strong><\/p>\n UPnP port forwarding query construction<\/em><\/strong><\/p>\n After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received\/transmitted one by one or in multiple packets in a single TCP data segment (streamed).<\/p>\n The usual proxy module execution flow is as follows:<\/p>\n Communicating with the external PROXY-C2:<\/p>\n QakBot proxy commands are as follows:<\/p>\n![\"QakBot](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01145837\/Qakbot_technical_analysis_01-1024x350.png\")
<\/a><\/p>\n\n
Typical QakBot functions<\/h2>\n
\n
\n
Communication with C2<\/h2>\n
![\"Original](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01145926\/Qakbot_technical_analysis_02.png\")
<\/a><\/p>\n![\"HTTPS](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151603\/Qakbot_technical_analysis_03.png\")
<\/a><\/p>\n\n
![\"'PING'](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151656\/Qakbot_technical_analysis_04.png\")
<\/a><\/p>\n\n
![\"'ACK'](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151717\/Qakbot_technical_analysis_05.png\")
<\/a><\/p>\n\n
\n
![\"'SYSTEM](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151750\/Qakbot_technical_analysis_06.png\")
<\/a><\/p>\n\n
![\"'ASK](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151810\/Qakbot_technical_analysis_07.png\")
<\/a><\/p>\n\n
\nThis type of message contains the signed value of the SALT (obtained from the bot’s request field “14”), COMMAND ID and MODULE ID. The other values of the message are not signed.In previous versions, the bot received modules and commands immediately after infection and sending a ‘SYSTEM INFO’ message. Now, the C2 responds with an empty command for about an hour. Only after that will the C2 send commands and modules in the response. We believe that this time delay is used to make it difficult to receive and analyze new commands and modules in an isolated controlled environment.<\/li>\n<\/ul>\n![\"'COMMAND'](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151829\/Qakbot_technical_analysis_08.png\")
<\/a><\/p>\n![\"'COMMAND'](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151901\/Qakbot_technical_analysis_09.png\")
<\/a><\/p>\n\n
![\"'STOLEN](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151922\/Qakbot_technical_analysis_10.png\")
<\/a><\/p>\nAdditional modules<\/h2>\n
\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01151946\/Qakbot_technical_analysis_11.png\")
<\/a><\/p>\n\n
![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152006\/Qakbot_technical_analysis_12.png\")
<\/a><\/p>\n\n
![\"The](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152027\/Qakbot_technical_analysis_13.png\")
<\/a><\/p>\n\n
![\"The](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152050\/Qakbot_technical_analysis_14-1.png\")
<\/a><\/p>\n\n
![\"Procedure](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152123\/Qakbot_technical_analysis_15.png\")
<\/a><\/p>\n\n
![\"UPnP](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152147\/Qakbot_technical_analysis_16.png\")
<\/a><\/p>\n\n
\n
![\"Parsed](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152222\/Qakbot_technical_analysis_17-1024x370.png\")
<\/a><\/p>\n![\"Tracking](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152242\/Qakbot_technical_analysis_18.png\")
<\/a><\/p>\n![\"Fragment](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01152304\/Qakbot_technical_analysis_19-1024x515.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/09\/01155141\/01-en-qakbot.png\")
<\/a>