Qakbot Leveraging DLL-SideLoading to Deliver Malware – Detection & Response

Security expert ProxyLife and Cyble researchers recently uncovered a Qakbot campaign that was leveraging the Windows Calculator app for DLL side-loading attacks.  DLL sideloading is a technique used by TAs to execute malicious code using legitimation applications. In this technique, TAs place legitimate applications and malicious .dll files together in a common directory.

The malicious .dll file name is the same as a legitimate file loaded by the application during execution. The attacker leverages this trick and executes the malicious .dll file.

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe.

Upon executing the calc.exe, it further loads WindowsCodec.dll and executes the final Qakbot payload using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all the malicious activities.

Infection Chain:

The initial infection of Qakbot starts with a malicious spam campaign that contains various themes to lure the users into opening the attachments.

Upon opening the zip file using the password, it extracts another file from the folder containing an ISO image file named “Report Jul 14 47787.iso”. The ISO file contains four different files:

• a .lnk file
• a legitimate calc .exe
• WindowsCodecs.dll
• 7533.dll.

If the user executes the ISO file, it mounts the ISO to a drive and shows only the .lnk file to the user. In this case, the .lnk file is named “Report Jul 14 4778.lnk” and masquerades as a PDF file.

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

The property of the .lnk file shows that it executes calc.exe present in the ISO file. The figure below shows the .lnk file.

The TAs behind Qakbot are highly active and are continuously evolving their methods to increase their efficacy and impact.

Qakbot steals credentials from the victim’s system and uses them for the TA’s financial gain. Apart from the direct financial impact, this can also lead to incidences of fraud, identity theft, and other consequences for any victim of Qakbot malware.

Indicators of Compromise:

c2’s

70.46.220.114:443

179.111.8.52:32101

208.107.221.224:443

176.45.218.138:995

24.158.23.166:995

24.54.48.11:443

89.101.97.139:443

24.55.67.176:443

24.139.72.117:443

120.150.218.241:995

174.69.215.101:443

38.70.253.226:2222

41.228.22.180:443

217.165.157.202:995

172.115.177.204:2222

173.21.10.71:2222

69.14.172.24:443

47.23.89.60:993

104.34.212.7:32103

66.230.104.103:443

81.158.239.251:2078

179.158.105.44:443

189.253.167.141:443

24.178.196.158:2222

174.80.15.101:2083

187.116.126.216:32101

100.38.242.113:995

74.14.5.179:2222

40.134.246.185:995

172.114.160.81:443

72.252.157.93:995

70.51.137.244:2222

82.41.63.217:443

197.89.11.218:443

37.34.253.233:443

67.209.195.198:443

67.165.206.193:993

93.48.80.198:995

111.125.245.116:995

1.161.118.53:443

76.25.142.196:443

148.64.96.100:443

217.128.122.65:2222

32.221.224.140:995

47.180.172.159:443

39.57.56.11:995

186.90.153.162:2222

37.186.58.99:995

86.97.10.37:443

39.44.116.107:995

182.191.92.203:995

86.98.78.118:993

117.248.109.38:21

39.52.44.132:995

1.161.118.53:995

91.75.85.128:1194

121.7.223.45:2222

39.41.90.210:995

46.107.48.202:443

190.252.242.69:443

187.172.31.52:443

72.252.157.93:993

72.252.157.93:990

47.145.130.171:443

63.143.92.99:995

197.92.136.122:443

45.46.53.140:2222

196.203.37.215:80

94.59.138.43:2222

92.132.132.81:2222

39.49.48.167:995

103.246.242.202:443

84.241.8.23:32103

94.59.15.180:2222

89.211.209.234:2222

94.36.193.176:2222

47.156.129.52:443

201.172.20.105:2222

109.12.111.14:443

85.6.232.221:2222

96.37.113.36:993

2.178.120.112:61202

193.136.1.58:443

103.133.11.10:995

120.61.3.142:443

182.52.159.24:443

78.100.219.38:50010

173.174.216.62:443

106.51.48.188:50001

67.69.166.79:2222

45.241.254.69:993

88.240.59.52:443

86.213.75.30:2078

24.43.99.75:443

101.50.67.155:995

108.56.213.219:995

5.32.41.45:443

39.53.139.2:995

80.11.74.81:2222

Detection & Response:

Splunk:

source="WinEventLog:*" AND (((((Image="*\\cmd.exe") AND (CommandLine="*/q*" OR CommandLine="*/c*" OR CommandLine="*calc.exe*")) OR ((ParentImage="*\\calc.exe") AND Image="*\\regsvr32.exe" AND (CommandLine="*.dll*" OR CommandLine="*/s*"))) OR (Image="*\\schtasks.exe" AND (CommandLine="*/Create*" OR CommandLine="*/RU*" OR CommandLine="*-encodedCommand*"))) OR (Image="*\\powershell.exe" AND (CommandLine="*-encodedCommand*")))

Qradar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ((((("Image" ilike '%\cmd.exe') and ("Process CommandLine" ilike '%/q%' or "Process CommandLine" ilike '%/c%' or "Process CommandLine" ilike '%calc.exe%')) or (("ParentImage" ilike '%\calc.exe') and "Image" ilike '%\regsvr32.exe' and ("Process CommandLine" ilike '%.dll%' or "Process CommandLine" ilike '%/s%'))) or ("Image" ilike '%\schtasks.exe' and ("Process CommandLine" ilike '%/Create%' or "Process CommandLine" ilike '%/RU%' or "Process CommandLine" ilike '%-encodedCommand%'))) or ("Image" ilike '%\powershell.exe' and ("Process CommandLine" ilike '%-encodedCommand%')))

Elastic Query:

((((process.executable.text:*\\cmd.exe AND process.command_line.text:(*\/q* OR *\/c* OR *calc.exe*)) OR (process.parent.executable.text:*\\calc.exe AND process.executable.text:*\\regsvr32.exe AND process.command_line.text:(*.dll* OR *\/s*))) OR (process.executable.text:*\\schtasks.exe AND process.command_line.text:(*\/Create* OR *\/RU* OR *\-encodedCommand*))) OR (process.executable.text:*\\powershell.exe AND process.command_line.text:*\-encodedCommand*))

Arcsight:

(((((((((sourceProcessName ENDSWITH "\cmd.exe" OR destinationProcessName ENDSWITH "\cmd.exe" OR deviceProcessName ENDSWITH "\cmd.exe")) AND ((destinationServiceName CONTAINS "/q" OR destinationServiceName CONTAINS "/c" OR destinationServiceName CONTAINS "calc.exe" OR deviceCustomString1 CONTAINS "/q" OR deviceCustomString1 CONTAINS "/c" OR deviceCustomString1 CONTAINS "calc.exe"))) OR (sourceProcessName ENDSWITH "\calc.exe" AND ((sourceProcessName ENDSWITH "\regsvr32.exe" OR destinationProcessName ENDSWITH "\regsvr32.exe" OR deviceProcessName ENDSWITH "\regsvr32.exe")) AND ((destinationServiceName CONTAINS ".dll" OR destinationServiceName CONTAINS "/s" OR deviceCustomString1 CONTAINS ".dll" OR deviceCustomString1 CONTAINS "/s"))))) OR (((sourceProcessName ENDSWITH "\schtasks.exe" OR destinationProcessName ENDSWITH "\schtasks.exe" OR deviceProcessName ENDSWITH "\schtasks.exe")) AND ((destinationServiceName CONTAINS "/Create" OR destinationServiceName CONTAINS "/RU" OR destinationServiceName CONTAINS "-encodedCommand" OR deviceCustomString1 CONTAINS "/Create" OR deviceCustomString1 CONTAINS "/RU" OR deviceCustomString1 CONTAINS "-encodedCommand"))))) OR (((sourceProcessName ENDSWITH "\powershell.exe" OR destinationProcessName ENDSWITH "\powershell.exe" OR deviceProcessName ENDSWITH "\powershell.exe")) AND ((destinationServiceName CONTAINS "-encodedCommand" OR deviceCustomString1 CONTAINS "-encodedCommand"))))) AND type != 2 | rex field = flexString1 mode=sed "s//Sigma: Regsvr32 Anomaly/g"

CarbonBlack:

((((process_name:*\\cmd.exe AND process_cmdline:(*\/q* OR *\/c* OR *calc.exe*)) OR (parent_name:*\\calc.exe AND process_name:*\\regsvr32.exe AND process_cmdline:(*.dll* OR *\/s*))) OR (process_name:*\\schtasks.exe AND process_cmdline:(*\/Create* OR *\/RU* OR *\-encodedCommand*))) OR (process_name:*\\powershell.exe AND process_cmdline:*\-encodedCommand*))

Crowdstike:

(((((ImageFileName="*\\cmd.exe") AND ((CommandLine="*/q*" OR CommandLine="*/c*" OR CommandLine="*calc.exe*") OR (CommandHistory="*/q*" OR CommandHistory="*/c*" OR CommandHistory="*calc.exe*"))) OR ((ParentBaseFileName="*\\calc.exe") AND ImageFileName="*\\regsvr32.exe" AND ((CommandLine="*.dll*" OR CommandLine="*/s*") OR (CommandHistory="*.dll*" OR CommandHistory="*/s*")))) OR (ImageFileName="*\\schtasks.exe" AND ((CommandLine="*/Create*" OR CommandLine="*/RU*" OR CommandLine="*-encodedCommand*") OR (CommandHistory="*/Create*" OR CommandHistory="*/RU*" OR CommandHistory="*-encodedCommand*")))) OR (ImageFileName="*\\powershell.exe" AND ((CommandLine="*-encodedCommand*") OR (CommandHistory="*-encodedCommand*"))))

FireEye:

(metaclass:`windows` ((((process:`*\cmd.exe` args:[`/q`,`/c`,`calc.exe`]) OR (pprocess:`*\calc.exe` process:`*\regsvr32.exe` args:[`.dll`,`/s`])) OR (process:`*\schtasks.exe` args:[`/Create`,`/RU`,`-encodedCommand`])) OR (process:`*\powershell.exe` args:`-encodedCommand`)))

GrayLog:

((((Image.keyword:*\\cmd.exe AND CommandLine.keyword:(*\/q* *\/c* *calc.exe*)) OR (ParentImage.keyword:*\\calc.exe AND Image.keyword:*\\regsvr32.exe AND CommandLine.keyword:(*.dll* *\/s*))) OR (Image.keyword:*\\schtasks.exe AND CommandLine.keyword:(*\/Create* *\/RU* *\-encodedCommand*))) OR (Image.keyword:*\\powershell.exe AND CommandLine.keyword:*\-encodedCommand*))

Microsoft Defender:

DeviceProcessEvents | where (((((FolderPath endswith @"\cmd.exe") and (ProcessCommandLine contains "/q" or ProcessCommandLine contains "/c" or ProcessCommandLine contains "calc.exe")) or ((InitiatingProcessFolderPath endswith @"\calc.exe") and FolderPath endswith @"\regsvr32.exe" and (ProcessCommandLine contains ".dll" or ProcessCommandLine contains "/s"))) or (FolderPath endswith @"\schtasks.exe" and (ProcessCommandLine contains "/Create" or ProcessCommandLine contains "/RU" or ProcessCommandLine contains "-encodedCommand"))) or (FolderPath endswith @"\powershell.exe" and (ProcessCommandLine contains "-encodedCommand")))

Microsoft Sentinel:

SecurityEvent |  where EventID == 4688 | where (((((NewProcessName endswith @'\cmd.exe') and (CommandLine contains '/q' or CommandLine contains '/c' or CommandLine contains 'calc.exe')) or ((ParentProcessName endswith @'\calc.exe') and NewProcessName endswith @'\regsvr32.exe' and (CommandLine contains '.dll' or CommandLine contains '/s'))) or (NewProcessName endswith @'\schtasks.exe' and (CommandLine contains '/Create' or CommandLine contains '/RU' or CommandLine contains '-encodedCommand'))) or (NewProcessName endswith @'\powershell.exe' and (CommandLine contains '-encodedCommand')))

RSA Netwitness:

(((((Image contains '\cmd\.exe') && (CommandLine contains '/q', '/c', 'calc\.exe')) || ((ParentImage contains '\calc\.exe') && (Image contains 'regsvr32.exe') && (CommandLine contains '.dll', '/s'))) || ((Image contains 'schtasks.exe') && (CommandLine contains '/Create', '/RU', '-encodedCommand'))) || ((Image contains 'powershell.exe') && (CommandLine contains '-encodedCommand')))

Logpoint:

((((Image IN "*\\cmd.exe" CommandLine IN ["*/q*", "*/c*", "*calc.exe*"]) OR (ParentImage IN "*\\calc.exe" Image="*\\regsvr32.exe" CommandLine IN ["*.dll*", "*/s*"])) OR (Image="*\\schtasks.exe" CommandLine IN ["*/Create*", "*/RU*", "*-encodedCommand*"])) OR (Image="*\\powershell.exe" CommandLine IN "*-encodedCommand*"))

Sumologic:

(_sourceCategory=*windows* AND ((((((((Image = "*\cmd.exe") AND (CommandLine = "*/q*" OR CommandLine = "*/c*" OR CommandLine = "*calc.exe*")) OR ((ParentImage = "*\calc.exe") AND Image="*\regsvr32.exe" AND (CommandLine = "*.dll*" OR CommandLine = "*/s*")))) OR (Image="*\schtasks.exe" AND (CommandLine = "*/Create*" OR CommandLine = "*/RU*" OR CommandLine = "*-encodedCommand*")))) OR (Image="*\powershell.exe" AND (CommandLine = "*-encodedCommand*")))))

Source/Credits: hts://twitter.com/pr0xylife

h://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html

hs://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/