Executive Summary

  • Qakbot is distributed via a complex infection chain using email conversation threat hijacking, HTML smuggling, and DLL side-loading. All techniques aim to bypass defense mechanisms.
 

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in July 2022 and compare them to the previous month’s threats. The report provides insights into:  

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.
Email category %
Rejected 82.11
Spam 13.42
Threat 3.02
AdvThreat 1.40
Content 0.05
The following histogram shows the email volume per category per day. The spike in rejected emails between 2022-07-17 and 2022-07-19 can be attributed to a sextortion scam spam campaign.  

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:
Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.
File type (used in malicious emails) %
Archive 27.5
PDF 16.5
HTML 14.8
Disk image files 8.3
Executable 5.4
Excel 5.1
Word 5.1
Script file 0.8
Other 16.4
The following histogram shows the email volume per file type used in attacks per 7 days. The drop in Excel documents used in attacks from 14.4 % to 5.1 % can be attributed to attackers shifting tactics due to Microsoft’s measures to disable Excel 4.0 macros per default. The prominent malware distributed via malicious Excel 4.0 macros was QakBot and Emotet. QakBot switched to a complex infection chain using HTML smuggling and DLL side-loading, which we highlight later in this report.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).
Industries Share of threat in threat and clean emails
Research industry 4.8
Manufacturing industry 4.1
Transport industry 4.0
Mining industry 4.0
Utilities 3.8
Media industry 3.7
Information technology industry 3.6
Education industry 3.6
Agriculture industry 3.4
Construction industry 3.4
The following bar chart visualizes the email-based threat posed to each industry. While the research industry’s Email Threat Index fell from 7.2 to 4.8, it is still in the lead. However, it is now closer to the second most threatened manufacturing industry.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.
Attack technique %
Phishing 29.4
URL 12.5
Advance-fee scam 9.4
Extortion 5.3
Executable in archive/disk-image 4.6
Maldoc 2.3
HTML 1.6
Impersonation 1.2
PDF 1.2
Other 32.4
The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.
Impersonated brand or organization %
Sparkasse 36.8
DHL 9.0
Amazon 6.7
LinkedIn 3.8
1&1 2.8
Postbank 2.8
Microsoft 2.4
Intuit 2.1
Mastercard 1.8
HSBC 1.5
American Express 1.5
DocuSign 1.5
UPS 1.3
Fedex 1.3
Strato 1.1
Volks- und Raiffeisenbank 0.9
Other 12.1
The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour. This month saw Intuit, best known for its TurboTax and QuickBooks tax and accounting software, rising from 13th to 8th place on our most impersonated company brand in phishing attacks.

Highlighted threat email campaigns

QakBot was distributed via a complex infection chain using HTML smuggling and DLL side-loading to evade detection. HTML smuggling uses HTML to bundle malicious content into one HTML attachment. Hornetsecurity has reported about HTML smuggling previously in the context of phishing in which the phishing website was fully contained in the HTML attachments.1 In the observed QakBot campaign, the emails distributing malicious HTML files are used to deliver the QakBot malware onto the victim’s computer without the need for an additional download, as was the case in previous Excel document-based QakBot attacks.3 When received by the victim, the malware is built from the HTML code, making additional second-stage downloads unnecessary, giving organizations fewer opportunities to detect such malware infection. In addition to HTML smuggling, the campaigns use a chain of password-protected encrypted ZIP files containing an ISO file, an LNK file, two DLL files, and a legitimate calc.exe binary. The complete chain works as follows: First an email using email conversation thread hijacking2 with an HTML attachment is received. The HTML attachment pretends to be an Adobe “Online Document”, immediately prompting the user for a download. The ZIP file download is facilitated via Javascript, with the ZIP file contents being encoded as base64 within the HTML document. This way, no additional network communication is triggered. Additionally, the HTML document displays the password needed to decrypt the ZIP file. The ZIP file contains an ISO image file, which includes two DLL files, an LNK file, and a legitimate calc.exe executable. The LNK file is used to launch the legitimate calc.exe from the path within the mounted ISO file. The calc.exe is then used to side-load one of the malicious DLLs (in the example seen in the screenshots named WindowsCodecs.dll). This first DLL is used to load the actual QakBot malware DLL (in the example seen in the screenshots named 102755.dll) via regsvr32.exe.

Methodology

Hornetsecurity observes thousands of threat email campaigns of varying threat actors ranging from unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only a subset of those threat email campaigns.

References