Email Threat Review May 2021

Email Threat Review May 2021

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in May 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails by category.

Email category %
Rejected 81.56
Spam 13.81
Threat 3.73
AdvThreat 0.87
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails between 2021-05-23 and 2021-05-26 is caused by a wave of sextortion scam emails targeting German language users.

Sextortion email

This campaign and the resulting spike in rejected emails is similar to the one observed in March1 in which the attackers made around 5,000 €. This time there were no incoming transactions to the attacker’s Bitcoin wallets used in the attack.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

Filetypes used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 33.1
Other 19.9
HTML 17.8
Excel 7.6
PDF 7.5
Executable 5.8
Disk image files 4.7
Word 2.8
Powerpoint 0.6
Script file 0.2
Email 0.1
LNK file 0.0

The following time histogram shows the email volume per file type used in attack per 7 days.

Filetypes used in attacks

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Research industry 6.9
Transport industry 5.3
Manufacturing industry 5.0
Education industry 4.1
Healthcare industry 4.0
Media industry 3.9
Automotive industry 3.9
Entertainment industry 3.8
Utilities 3.8
Hospitality industry 3.8

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index May 2021

For comparison last month’s email threat index bar chart:

Hornetsecurity Industry Email Threat Index April 2021

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculated the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values overall organizations within the same industry to form the industry’s final threat score.

Impersonated company brands or organizations

The following table shows which company brands our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 19.9
Amazon 17.6
Deutsche Post / DHL 16.8
Other 15.4
LinkedIn 4.0
Microsoft 2.8
PayPal 2.7
1&1 2.5
HSBC 2.1
O2 2.0

The following time histogram shows the email volume for company brands detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands to entice recipients to open the emails.

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

The following time histogram shows the email volume for highlighted threat email campaigns per hour.

Highlighted threat email campaigns

We can see that the malspam waves of the selected campaigns have well-defined start and endpoints, unlike less sophisticated mass-spam email campaigns, which will send email in a constant stream.

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking.

From the data, we can see that the Hancitor malspam impersonating DocuSign is a consistent reoccurring high volume malspam campaign.

At the end of the month, the increase in URL-based QakBot “tr” (named after the configuration tag/campaign ID tr found in the distributed QakBot malware’s configuration) malspam can be seen. This campaign (as other QakBot malspam campaigns) uses email conversation threat hijacking.2

QakBot TR email

Another interesting aspect of the campaign is that it uses non-clickable plain text URLs missing the http://. Victims must thus copy the URL manually to their browser. This is likely done in hopes that URL filters do not detect the URL in this form. Obviously, the campaign uses various compromised websites to host the malicious ZIP archives, further complicating detection.

Methodology

Hornetsecurity observes hundreds and thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only major sophisticated threat email campaigns.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them into paying not only for decrypting the files encrypted by the ransomware but also for not making the data stolen before encryption public. We observed the following number of leaks on ransomware leaksites:

Leaksite Number of victim data leaks
Conti 73
Avaddon 56
Pysa 33
Darkside 25
REvil 21
Lorenz 19
Babuk 15
Xing Team 13
Nephilim 8
Cuba 6
Networm 5
Grief 5
Cl0p 4
RansomEXX 4
MountLocker 3
Everest 3
RagnarLocker 3
Astro Team 2

The following bar chart visualizes the number of victim data leaks per leaksite.

Ransomleaks May 2021

We added data collection for the following ransomware leaksites:

The leaksite of the Cuba ransomware was first seen at the end of 2019. However, the group was not very active. The leaksite currently features six leaks.

Cuba ransomware leaksite

Cuba ransomware has recently been reported to be cooperating with the Hancitor malware, the malspam campaigns of which we reported on in a previous section. We, therefore, added the Cuba ransomware leaksite to our dataset.

The leaksite of the Xing Team was announced via the Astro Team leaksite on 2021-05-06 as a new partner of the Astro Team.

Astro Team leaksite Xing Team announcement

The Xing Team leaksite features an identical layout to the Astro Team leaksite, but contains different data leaks.

Xing Team leaksite

What this partnership entails is currently unknown.

Another leaksite that emerged this month is the leaksite of the Prometheus ransomware. On its site, they claim an affiliation with the REvil ransomware. However, it needs to be seen what that affiliation is and whether the REvil ransomware even knows that this new leaksite claims an affiliation with them.

Prometheus leaksite

The Prometheus leaksite does not remove entries for companies that have paid the ransom or for data it could sell. The respective entries are simply updated to reflect whether the company paid or the data has been soled.

Prometheus leaksite

Another new entry is the Grief leaksite.

Grief leaksite

Currently, it is unknown what ransomware is associated with the Grief leaksite, whether it is an already known ransomware rebranded as Grief or whether they use their own ransomware.

References

Email Threat Review April 2021

Email Threat Review April 2021

Summary

In this second installment of our monthly email threat review, we present an overview of the email-based threats observed in April 2021 and compare the it with March 2021.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails by categories.

Email category %
Rejected 78.60
Spam 16.41
Threat 4.05
AdvThreat 0.89
Content 0.04

The following time histogram shows the email volume per category per hour.

Unwanted emails by category

Unlike in March, there were no obvious anomalous spikes in the unwanted email volumes in April.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain dangerous content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as sender’s identity, and the emails are not analyzed further.

Filetypes used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicous emails) %
Archive 35.6
Other 17.6
HTML 17.3
Excel 7.6
Executable 7.0
PDF 4.8
Disk image files 4.6
Word 3.5
Powerpoint 1.3
Script file 0.5
Email 0.1
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

Filetypes used in attacks

Archives (.zip, .rar, .gzip, .ace, .tar.gz, etc.) are more popular. The most prevalent use for archives in attacks is compressing the malware executable and attaching it directly to the attack email. This is done in hopes that the targeted email system is not able to scan compressed attachments. Low-quality criminal threat actors often use this technique as it does not require any technical expertise. Another use for archives is to compress malicious documents. This is also done to reduce detection.

HTML files (.htm, .html, etc.) are used either for phishing, having the phishing website attached directly to the email1 (thus circumventing URL filters), redirecting victims to websites for malware downloads2 (again to not directly include a clickable URL in the email), or social engineering.

Excel files (.xls, .xlsm, .xlsx, .xslb, etc.) with their XLM macros gained popularity last year. Unlike VBA macros malware, XLM macro malware is less detected and thus favored by many threat actors.3,4 In fact, many threat actors use the same malicious document generator called “EtterSilent” to generate their XLM macro documents.

PDFs (.pdf) use embedded links or other social engineering lures.4

Attaching executables (.exe) directly to emails is the laziest approach. It is used mainly by low-quality criminal threat actors.

Disk image files (.iso, .img, etc.) are used similarly to archives.5 Windows can automatically mount disk image files similarly to ZIP files.

Industry Email Threat Index

The following table shows the Top 10 of our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Research industry 5.0
Manufacturing industry 3.9
Media industry 3.6
Hospitality industry 3.6
Education industry 3.5
Healthcare industry 3.5
Automotive industry 3.3
Transport industry 3.2
Retail industry 3.0
Information technology industry 3.0

The following bar chart visualizes the email-based threat posed to each industry.

  • March 2021:

Hornetsecurity Industry Email Threat Index March 2021

  • April 2021:

Hornetsecurity Industry Email Threat Index April 2021

The global median of threat emails in threat and clean emails for organizations fell from 3.7% in March to 3.0% in April. This decrease can be seen for all industries. However, while the manufacturing industry dropped from 5.3% to 3.9% and the other industries similarity the research industry remains at 5% ratio of threat emails in their received threat and clean emails.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, to compare organizations, we calculated the percent share of threat emails from each organization’s threat and clean emails. We then calculate the median of these percent values over all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack technique used in attacks.

Attack technique %
Other 38.4
Phishing 23.4
URL 20.8
Extortion 9.0
Executable in archive/disk-image 3.4
Advance-fee scam 2.8
Impersonation 1.8
Maldoc 0.4
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands or organizations

The following table shows which company brands our systems detected most in impersonation attacks.

Impersonated brand or organization %
Amazon 23.0
DocuSign 21.5
Deutsche Post / DHL 11.9
PayPal 3.4
Microsoft 2.9
LinkedIn 2.8
1&1 2.6
HSBC 2.2
Unicredit 1.6
O2 1.5
Others Rest

The following time histogram shows the email volume for company brands detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands to entice recipients to open the emails.

A reoccurring Hancitor malspam campaign dominates the impersonation of the DocuSign brand.

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

The following time histogram shows the email volume per hour for a list of highlighted threat email campaigns.

Highlighted threat email campaigns

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking. We strive to expand this section of our reporting in the future.

We can see that the malspam waves of the selected campaigns have well-defined start and endpoints, unlike less sophisticated mass-spam email campaigns, which will send email in a constant stream.

As outlined earlier in the section on impersonated company brands or organizations the reoccurring Hancitor malspam campaign pretends to be documents send via DocuSign. The campaign spikes correspond to the previously spikes in DocuSign impersonation detections.

One shown campaign stands out not because of its volume but for its low detection rate by other security solutions. The Cutwail-A botnet updated their XLSM maldocs. This time it was distributing Ursnif.

Cutwail-A email

At the time of delivery, the maldocs of the campaign were detected by only 3 of 62 detections on VirusTotal.

XLSM distributing Ursnif via malspam from Cutwail-A botnet low detection

We are aware that VirusTotal detection does not represent the real dynamic detection of the listed security products. However, because the campaign was already caught by Hornetsecurity’s Spam and Malware filter using static detection signatures, it is an apples-to-apples comparison and outlines Hornetsecurity’s detection capabilities when it comes to threat email detection.

Methodology

Hornetsecurity observes hundreds and thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only major sophisticated threat email campaigns.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them into paying not only for decrypting the files encrypted by the ransomware but also for not making the data stolen before encryption public. We observed the following number of leaks on ransomware leaksites:

Leaksite Number of victim data leaks
Conti 41
Avaddon 40
REvil 33
Darkside 19
Babuk 17
Ragnarok 12
Astro Team 10
Cl0p 9
Everest 5
RansomEXX 2
Nephilim 1
RagnarLocker 1

The following bar chart visualizes the number of victim data leaks per leaksite.

Ransomleaks

This month the Darkside ransomware group announced that they offer insider trading information for sale. Short sellers could buy information on companies compromised by Darkside ransomware before publication on the Darkside leaksite.

Darkside offering insider trading information for sale

After the announcement, Darkside started tagging their posted victims with their respective stock tickers.

Darkside tagging victims with their stock ticker

Also, this month the Babuk ransomware announced the closing of their ransomware operation.

Babuk ransomware press release announcing closing

However, only a few days later, they clarified that they would only close the ransomware part of their operation. They will continue stealing data from victims and extorting them with the publication of the stolen data.

Conclusion

We hope you found the second installment of our monthly email threat review informative. Get back next month for more and updated email threat landscape insights.

References

Ransomware: Prices, Pressure and Protection

Ransomware: Prices, Pressure and Protection

Summary

Ransomware is the simplest way to monetize computer intrusions. Ransomware is thus the single greatest cyber-risk for corporations today. This blog post discusses ransomware prices, the pressure ransomware threat actors put on victims, and how companies can protect their assets.

Ransom amount

To estimate the currently demanded ransom amount, we analyzed ransomware samples available from OSINT sources. These are samples uploaded to various online services, such as online anti-virus scanning or malware analysis sandbox services, and thus shared with the security research community.

We have observed ransom demands spanning from US $100 up to US $10,000,000.

The highest ransom demand we observed was US $10,000,000. The Clop ransomware demanded it.

Clop US $ 10M ransom demand

While preparing this blog post, public reporting of a US $50,000,000 ransom demand has surpassed our observed maximum demand. It is essential to understand why such an enormous range in demanded ransom exists. Therefore, we will discuss ransom amount volatility in the next section.

Ransom amount volatility

Ransom demand is adjusted based on several factors. One factor is victimology, i.e., threat actors demand a higher ransom from large corporations than a private, individual computer user.

As a case study, we can take a look at the first campaign of the Avaddon ransomware. It was spread via malspam sent by the Phorpiex botnet. Hornetsecurity reported on this campaign.1 The Phorpiex botnet usually sends Sextortion spam and other low-quality threats. The demanded ransom by Avaddon at the time was only US $500. The ransomware deployment was fully automatic, i.e., once a victim executed the ransomware from the email attachment, it started to encrypt the victim’s computer. Higher-quality threat actors will specifically target large companies and use the initial infection for reconnaissance first. After they have mapped the company’s network and identified all assets, they start the ransomware on many of the company’s computer systems simultaneously. This way they can demand more ransom because restoring the entire company computer infrastructure from backups is much harder than to restore a single encrypted computer.

During our research we found a recent Avaddon ransomware sample with a ransom demand of US $3,000,000. This is much higher than Avaddon’s previous demand of only US $500.

Avaddon ransomware US $3M ransom demand

The demand above is addressed to a large company—and this is what is driving the difference in ransom demand. The threat actors will adjust the ransom to how much they think they can get. Thus, there are no clear figures when it comes to ransom demands. Sometimes ransomware threat actors will even analyze the financial documents found on a company’s internal network to discover how much ransom they can demand or how much the company’s cyber-insurance coverage for ransomware will pay.

Negotiation

For higher tier, human-operated ransomware, demanded amounts are often simply asking prices and are the basis for negotiation. The ransomware operators know that getting only a fraction of what they asked for is better than getting nothing. Hence, they are willing to negotiate.

Smaller automated ransomware pricing is mostly fixed, and if the ransomware operation offers ” support” at all, it is only provided to assist victims in obtaining the cryptocurrency needed to pay the ransom. The following are chat logs with the “support” of the Adhubllka (named after the .adhubllka extension it adds to encrypted files) ransomware. The ransomware executable was attached to the email within a ZIP file and distributed via the Phorpiex botnet in an unsophisticated but fully automated ransomware attack—in an identical fashion as the first Avaddon ransomware campaign we reported on.1

Adhubllka ransomware offers no negotiation

So while there is human-operated “support” even in low-tier mass delivered automated ransomware operations, this “support” is not entitled to negotiate. We traced the total earnings of their campaign, which were 0 BTC, so giving in to our fake demands for a discount would have potentially made them US $1,000. But as said, low-tier automated ransomware operations usually do not offer negotiations.

Putting pressure on ransomware victims

Some ransomware operators provide additional “services.” These are actions designed to pressure victims into paying the demanded ransom.

Leaksites

Ransomware leaksites are Tor hidden service websites on which ransomware threat actors threaten to publish data stolen from victim computer networks before encrypting them if the victim refuses to pay the ransom. We have reported on this practice.2

DDoS

Ransomware actors may also, in addition to the already existing issue with encrypted files, DDoS a victim network. One ransomware operation doing so is SunCrypt.

Suncrypt DDOS

Harassing the victim’s customers and/or business partners

Another tactic is to “notify” the victim’s customers and/or business partners of the compromise. This can happen via spam emails—for example, the threat actors behind the Clop ransomware are using this tactic in the following message:

Clop email to victim customers and/or business partners

Spamming journalists and news outlets

Ransomware actors will also “notify” journalists and news outlets of the data breach with instructions on where to download the leaked data. Here is again an example of the Clop ransomware using this tactic.

Clop email to journalists and news outlets

Notifying authorities

Some ransomware operations also threaten to inform the responsible data protection authorities about the breach if the victim does not pay the ransom. They will often cite the EU GDPR and the potential fines that authorities can incur for data leaks.

Prices for ransomware

The cost for a threat actor to acquire ransomware software varies. A threat actor can develop their own ransomware. This will only incur the development time as a cost. However, many criminals are technically unable to develop malware themselves or it is too much additional work. Alternatively, they can buy, rent, subscribe and/or partner with a ransomware developer and/or operator. To this end, the ransomware developer can sell the entire source code of their ransomware software for a one-time payment. However, this is often not attractive given the large ransom payments generated with such ransomware software. But demanding tens or even hundreds of thousands of US $ for the ransomware software may not get the software sold, as a ransom payment is not guaranteed.

To resolve this, ransomware as a service (RaaS) operations established themselves. A threat actor with access or means to access company networks can rent, subscribe and/or partner with a ransomware operation. The threat actor gets the ready-made ransomware software for deployment on victim computer systems. In contrast, the ransomware operator provides the ransomware software and—if available and/or necessary—the backend infrastructure for the ransomware, such as an online ransomware portal to support victims in buying and using the decryption software.

Like the demanded ransom, the price for ransomware varies. The entry price can be as low as hundreds of US $, as can be seen from the following example offers from the Egalyty ransomware.

Egalyty ransomware offering

Profit-sharing affiliate schemes will split the paid ransom between the party supplying the ransomware and the party facilitating the intrusion. Also, here, the split ratio widely varies. While we have seen notices in cybercrime forums offering 90% of the ransom to the intruding party, this is not the norm.

Cheap ransomware affiliate program offering

The usual reported split ratio for well-established ransomware affiliate programs only awards 10% to 30% of the ransom to the intruding party.

Conclusion and Countermeasures

These new developments in ransomware tactics make malware infections more dangerous to businesses than ever before. While good backups, preferably using the 3-2-1 backup strategy,3 helped against classic ransomware attacks, they do not provide any protection against private and/or confidential data being intentionally leaked to the public. The broad announcement of the data leak to business partners and customers will cause further damage and loss of reputation to victims, business partners, and customers. Worse still, competitors will also get unfettered access to internal documents, such as contracts, pricing, research, and development results. The media will start contacting the affected company, causing further stress in the ransomware crisis. Additionally, suppose the network is DDoS’d. It would be tough to recover from that situation, as this will likely affect any remaining network infrastructure a company might have to relay information, such as its public website.

Next, do not upload the ransomware that infected you to the Internet. Even though online services such as VirusTotal or other online sandboxes are convenient, they grant registered users access to the sample. The URL of the ransomware note may point at a “support” website that features an online chat for negotiation. These online chats are accessible to anyone with access to the data in the ransom note, thus everyone with access to the ransomware sample. So if you, in addition to all the other problems, do not want media outlets to leak your negotiation chat logs, keep your ransomware samples private. Or follow good practice and do not negotiate but share the ransomware sample with the security research community.

Paying a ransom is not recommended anyway:
1. The data breach remains. Even if a company pays to have the leaked data deleted, it must adhere to its respective breach notification laws.
2. Paying a ransom to a threat actor located in a country on sanction lists can violate trade and/or export sanction laws and cause the victim even more trouble in the long run.
3. There is no guarantee of decryption nor that leaked data is deleted.
Once leaked data has already been downloaded from the leaksite, there is no way to contain the leak.

Hornetsecurity, with its cloud offerings, can help organizations to prepare and prevent ransomware. Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market and Hornetsecurity’s Advanced Threat Protection can detect and quarantine email-based malware attacks before they can lead to a ransomware infection. Hornetsecurity’s Email Archiving is a legally compliant, fully automated audit-proof email archiving solution for long-term, unchangeable and secure storage of important company information, data, and files. This way, important communication cannot be destroyed by ransomware.

But even if your company is affected by ransomware, offerings such as Hornetsecurity’s Email Continuity Service will keep your email communication available if ransomware has put your local mail server out of service.

References

BazarLoader’s Elaborate Flower Shop Lure

BazarLoader’s Elaborate Flower Shop Lure

Summary

Since 2021-01-20 Hornetsecurity observes a new malspam campaign using a fake flower shop in an elaborate social engineering lure to spread the BazarLoader malware. The campaign sends invoices from a fake flower shop in hopes that potential victims will manually find the fake flower shop website and download the BazarLoader malware.

In order to lure the victims into providing manual assistance the campaign setup a fully functional flower shop website and can thus evade automated detection schemes looking for malicious content, as the malicious download will be manually downloaded by the victim following several manual steps of the social engineering trap.

Background

BazarLoader1 is a malware loader attributed to a threat actor with a close relation to the TrickBot malware. The threat actor is tracked under the name Team9 (Cybereason) or UNC1878 (FireEye).

BazarLoader is also aptly named KEGTAP by FireEye, as in a device used to open a beer keg, because it is used to “open” the network of victims for follow up malware in order to move laterally on the network and eventually deploy the Ryuk ransomware.2

We have previously reported on a BazarLoader campaign using an employment termination social engineering lure to spread its malware.3

The observed campaign started on 2021-01-21 and is ongoing.

BazarLoader campaign subject histogram

It uses various subjects referring to an invoice from the Rose World flower shop. Spoiler: The flower shop isn’t real. The attached invoice is an elaborate social engineering scam to trick victims into downloaded the BazarLoader malware.

Technical Analysis

The following analysis outlines each step of BazarLoader’s new elaborate social engineering campaign.

Email

The attack starts with an email.

BazarLoader flower shop email

The email pretends to be an invoice from the Rose World online store, an online flower shop.

PDF

Attached to the email is a PDF invoice.

BazarLoader flower shop PDF

The PDF has no clickable links. It however features a domain name under the address of the supposed invoicing party.

BazarLoader flower shop URL in PDF

Fake Flower Shop

When the recipient visits this domain a webshop for flowers is presented.

BazarLoader fake flower shop

Even though this is a fake shop it features

  • an about page

BazarLoader flower shop fake about us page

  • a blog

BazarLoader flower shop fake blog

  • a shop with fully functional checkout cart, wish list, and Twitter and Facebook share buttons

BazarLoader flower shop

However, the checkout fails because allegedly there are no available payment methods.

BazarLoader fake flower shop fake checkout

The checkout is the only thing not working on the fake shop. Thus it is very hard to identify this as a malicious website.

The Lure

Because the shop looks legit a recipient will likely try to contact the shop owner to clear up the invoice they falsely received. To do so, they visit the contact us section of the fake shop.

BazarLoader fake flower shop contact us page

Here is one last indicator that something is not quite right. The Google Maps frame is in Russian language, while the rest of the webshop pretends to be from the United States of America. However, a victim will likely continue to the convenient order number entry field.

BazarLoader social engineering lure

When the victim enters the order number – in fact any input will suffice – they are redirected via a loading screen.

BazarLoader fake loading page

The loading page is also fake, the content is already loaded under the loading page overlay.

Next, the victim is presented instructions on how to download and execute the malware.

BazarLoader flower shop malware download instructions

It includes instructions to bypass the malicious file download warning on Google Chrome.

BazarLoader flower shop malware download instructions

It even includes instructions to bypass Windows security features preventing the file from being executed because it was downloaded from the Internet.

BazarLoader flower shop malware execution instructions

The “Request Form” link will download a malicious document from hxxps[:]//rosedelivery[.]us/.

Malicious Document

The malicious document pretends to be protected by DocuSign and macros need to be allowed to decrypt it.

BazarLoader flower shop malicious document

The XLM macro code will download the BazarLoader executable from hxxps[:]//www.smowengroup[.]com/fer/iertef.php and execute it.

BazarLoader flower shop malicious XLM macro script

The BazarLoader uses the decentralized Emerald DNS system based on the Emercoin blockchain to establish its C2 communication. It will download and install the BazarBackdoor1. This backdoor will be used to move laterally in the victim’s network in order to take over the domain controller. Eventually the intrusion is monetized by deploying the Ryuk2 ransomware.

Targeting

The campaign is targeted towards US companies. We conclude this from the email, PDF, fake webshop, but also from the recipients, which are US companies and/or international companies with a US presence.

Conclusion and Countermeasures

The new BazarLoader campaign does not feature malicious indicators in its emails, such as macro documents or clickable URLs. It rather relies on an elaborate social engineering lure to lead the victim towards finding and downloading the malware themselves rather then directly handing it over. The amount of manual work required by victims makes this campaign difficult to detect via automated measures. This is why Hornetsecurity is closely tracking malspam operations by threat actors to quickly engage newly emerging threats. Hence Hornetsecurity is already aware of this new elaborate social engineering scheme to distribute the BazarBackdoor and Hornetsecurity’s Spam and Malware Protection, already quarantines the new BazarLoader emails.

References

Indicators of Compromise (IOCs)

Email

Subjects

  • Congratulations on the latest purchase you have made!Your order number is KCD[0-9]{8}G.
  • Congratulations on your purchase from our store! Your order number is KCD[0-9]{8}G.
  • Order Confirmed. Your order number KCD[0-9]{8}G will be send to you soon.
  • Purchase confirmation for order number KCD[0-9]{8}G
  • Thanks for your order, your order number KCD[0-9]{8}G.
  • Thank you for using the (Rose Deliver|Rose World) stores service. Your order number is KCD[0-9]{8}G.
  • Thank you for your order from the (Rose Deliver|Rose World) online shop, your order number is KCD[0-9]{8}G.
  • Thank you for your order from the (Rose Deliver|Rose World) online store, your order number is KCD[0-9]{8}G.
  • Thank you for your purchase, your order number is KCD[0-9]{8}G.
  • You have formed an order KCD[0-9]{8}G from (Rose Deliver|Rose World) online store.
  • Your order No. KCD[0-9]{8}G has been completed by (Rose Deliver|Rose World).

Representation was condensed by using the following regex patterns: KCD[0-9]{8}G, (Rose Deliver|Rose World)

Attachment Filenames

  • invoice_KCD[0-9]{8}G.pdf

Representation was condensed by using the following regex patterns: KCD[0-9]{8}G

Hashes

MD5 Filename Description
c3347d329bda013282d32ee298c8dc45 invoice_KCD86786085G.pdf Lure PDF
e8b0cc2767cc0195570af56e9e7750fe request_form_1611584809.xlsm Downloaded Maldoc

URLs

  • hxxps[:]//roseworld[.]shop
  • hxxps[:]//rosedelivery[.]us/

DNS

  • roseworld[.]shop
  • rosedelivery[.]us
Emotet Botnet Takedown

Emotet Botnet Takedown

Summary

On 2021-01-27 it was announced by Europol that an international worldwide coordinated law enforcement and judicial action has disrupted the Emotet botnet and investigators have taken control of Emotet’s infrastructure. If successful this could mean the end of Emotet, its botnet, malspam, and malware loader operation. While the situation is still developing, we can confirm that the Emotet botnet infrastructure is disrupted. Victims will be notified by responsible country CERTs and should take appropriate actions to clean their Emotet malware and secondary malware infections to prevent still active malware that was downloaded by Emotet to deploy ransomware.

Background

Emotet (also known as Heodo) was first observed in 2014. It was a banking trojan stealing banking details and banking login credentials from victims. But it pivoted to a malware-as-a-service (MaaS) operation providing malware distribution services to other cybercriminals. Today, Emotet is probably the most prolific malware distribution operation. To this end, it steals the emails of its victims and replies to the victim’s previous conversations. This is known as email conversation thread hijacking5. Hornetsecurity has written numerous blogposts about Emotet2,3,4,5.

What happened?

An international worldwide law enforcement and judicial effort, coordinated by Europol and Eurojust, has disrupted the Emotet botnet. The following authorities took part in this operation:

  • Netherlands: National Police (Politie), National Public Prosecution Office (Landelijk Parket)
  • Germany: Federal Criminal Police (Bundeskriminalamt), General Public Prosecutor’s Office Frankfurt/Main (Generalstaatsanwaltschaft)
  • France: National Police (Police Nationale), Judicial Court of Paris (Tribunal Judiciaire de Paris)
  • Lithuania: Lithuanian Criminal Police Bureau (Lietuvos kriminalinės policijos biuras), Prosecutor’s General’s Office of Lithuania
  • Canada: Royal Canadian Mounted Police
  • United States: Federal Bureau of Investigation, U.S. Department of Justice, US Attorney’s Office for the Middle District of North Carolina
  • United Kingdom: National Crime Agency, Crown Prosecution Service
  • Ukraine: National Police of Ukraine (Національна поліція України), of the Prosecutor General’s Office (Офіс Генерального прокурора).

The investigators obtained control over the infrastructure from one suspect located in Ukraine. Emotet’s C2 communication has been sinkholed and information of connecting victims has been given to the responsible country CERTs, which will notify the victims so they can clean up the infection.

The Dutch National Police has also obtained a database containing e-mail addresses, usernames and passwords stolen by Emotet over the years. They provide a website to check whether an email address has been compromised at http://www.politie.nl/emocheck.

Emotet “uninstaller”

Additionally, German Federal Criminal Police (Bundeskriminalamt (BKA)) is distributing a Emotet remover program from within the Emotet botnet that will uninstall Emotet on 2021-04-25 at 12:00.

The program will create a timestamp for 2021-04-25 12:00 (note tm_month goes from 0 to 11, while tm_day goes from 1 to 31).

Emotet uninstaller timestamp

The program will spawn a thread that in a loop will sleep for 1000 minutes (16.6 hours) until the time to uninstall Emotet is reached.

Emotet uninstaller thread

Once the time to uninstall Emotet is reached Emotet’s registry key and its service are removed. The Emotet binary is moved to a temporary file path presumably to quarantine it for possible DFIR investigations on the infected system.

Emotet unistallation

The likely reason why Emotet isn’t removed immediately is to allow affected parties to run DFIR investigations to discover potentially secondary malware that was deployed via Emotet.

From our understanding the sinkholing and “uninstallation” actions are performed under the auspices of the German Federal Criminal Police (Bundeskriminalamt (BKA)), hence, the sinkhole IP addresses are owned by German ISP Deutsche Telekom.

What will happen next?

While our mail filters are still detecting sporadic emails containing malicious Emotet documents, these are likely emails that had still been lurking in queues either of the Emotet spambots or email systems and are just now being delivered even though the Emotet botnet infrastructure has been disrupted.

Emotet malspam histogram

We expect that these last drips of Emotet malspam dripping out of the dying Emotet botnet to dry out over the next days and weeks and if the takedown is successful stop entirely.

While there is always a chance that a botnet can regroup after a disruption (see TrickBot), this, however, seems unlikely in this case as not just the Tier 1 C2 proxy servers have been disrupted (as was the case with the disruption of the TrickBot botnet), but – from our information – also the Tier 2 C2 server, i.e., the real C2 server, to which the Tier 1 C2 proxy servers only relayed the traffic to, have been disruption as well.

Who will fill the void?

Emotet constituted around 20% of the malicious email traffic processed by Hornetsecurity. It distributed malware by other threat actors. While a successful takedown will mean no more Emotet malspam, it likely won’t mean a decrease in malspam, as other threat actors will try to fill the void and take over the existing customer base of Emotet’s malware-as-a-service (MaaS) operation.

One strong contender to fill the void generated by Emotet’s disruption is QakBot10. Last year QakBot added email conversation thread hijacking5 to its arsenal, i.e., like Emotet it steals emails from victims and crafts no tailored malspam by replying to existing email conversation threads. QakBot has also been observed loading other malware, such as ZLoader.8 In addition to that, QakBot’s XLM macro based malicious documents7 often have a lower detection rate then Emotet’s VBA macro base malicious documents. Thus, fulfilling all requirements a criminal would have towards an Emotet replacement.

Conclusion and Countermeasures

We congratulate all participating parties and hope for a successful longterm takedown of Emotet.

While Emotet itself may be inoperable, other threats Emotet has previously loaded such as TrickBot6, QakBot7, or Zloader8 remain active and could still deploy ransomware such as Ryuk and Egregor. If the authorities inform you of an Emotet infection you must also clean up these possible secondary infects to mitigate the complete threat.

In case the Emotet botnet can recover, Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, will again, as before the disruption, detect and quarantine malicious Emotet documents.

References

Indicators of Compromise (IOCs)

IPs

These are the IPs used by the German Federal Criminal Police (Bundeskriminalamt (BKA)) to sinkhole Emotet.

  • 80.158.3.161:443
  • 80.158.51.209:8080
  • 80.158.35.51:80
  • 80.158.63.78:443
  • 80.158.53.167:80
  • 80.158.62.194:443
  • 80.158.59.174.8080
  • 80.158.43.136:80

Hashes

This is the hash of the program distributed by the German Federal Criminal Police (Bundeskriminalamt (BKA)) to remove Emotet on 2021-04-25 at 12:00.

MD5 Description
9a062ead5b2d55af0a5a4b39c5b5eadc Emotet “uninstaller”
QakBot reducing its on disk artifacts

QakBot reducing its on disk artifacts

Summary

QakBot has been updated with more evasion techniques. QakBot’s configuration is now stored in a registry key instead of a file. The run key for persistence is not permanently present in the registry but only written right before shutdown or reboot, and deleted immediately after QakBot is executed again. QakBot’s executable is also not stored permanently on the file system anymore, but similarly to the run key registry entry, dropped onto the file system before reboots and deleted afterwards. This way security software can only detect QakBot artifacts on disk, right before system shutdown, and shortly after system boot. However, at that time security software itself is shutting down and booting up, hence may not detect QakBot’s new persistence method.

Other changes include dynamic just-in-time decoding and destruction of strings at runtime. So any string used in the malware is only decoded at runtime into memory only and destroyed right afterwards.

The delivery method for the observed QakBot campaigns identified via the regular expression pattern of abc[0-9]+ is still XLM macro documents as reported previously.

Background

QakBot (also known as QBot, QuakBot, Pinkslipbot) has been around since 2008. It is distributed via Emotet, i.e., Emotet will download QakBot onto victims that are already infected with Emotet but it is also distributed directly via email. To this end, it uses email conversation thread hijacking in its campaigns1, i.e., it will reply to emails that it finds in its victim’s mailboxes. QakBot is known to escalate intrusions by downloading the ProLock ransomware2 or lately the Egregor ransomware.

The observed QakBot campaigns identified by campaign ID abc use XLM macro documents for infection. We previously reported on their low detection.3

An overview of the current chain of infection used by the QakBot campaign with identifiers following the regular expression pattern of abc[0-9]+ can be seen in the following flow graph.

QakBot abc chain of infection

Technical Analysis

In the following analysis we briefly analyze the infection chain of QakBot after being downloaded and launched by the malicious Excel document.

QakBot infection process tree

Evasion

QakBot uses various evasion techniques to avoid detection by anti-virus software.

PE header manipulation

We observed some QakBot DLLs with a manipulated PE header. The message text This program cannot be run in DOS mode. has been altered.

QakBot PE header manipulation

This seems like an attempt to circumvent some static detection rules matching for this message in the legacy MS-DOS stub of PE binaries.

Code signing

First, the initial downloaded and executed DLL is signed with a (at the time the analyzed sample was distributed) valid code signing certificate.

$ chktrust 904400.jpg
Mono CheckTrust - version 6.8.0.123
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

WARNING! 904400.jpg is not timestamped!
SUCCESS: 904400.jpg signature is valid
and can be traced back to a trusted root!

The signing CA is Sectigo and the organization is given as Aqua Direct s.r.o., which is an existing company.

$ osslsigncode verify 904400.jpg 
Current PE checksum   : 00091021
Calculated PE checksum: 00091021

Message digest algorithm  : SHA1
Current message digest    : 632DCB214EE9FB08441C640D240F672A7ABA6EB1
Calculated message digest : 632DCB214EE9FB08441C640D240F672A7ABA6EB1

Signature verification: ok

Number of signers: 1
    Signer #0:
        Subject: /C=CZ/postalCode=619 00/L=Brno/street=\xC5\xBDelezn\xC3\xA1 646/8/O=Aqua Direct s.r.o./CN=Aqua Direct s.r.o.
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Code Signing CA

Number of certificates: 4
    Cert #0:
        Subject: /C=CZ/postalCode=619 00/L=Brno/street=\xC5\xBDelezn\xC3\xA1 646/8/O=Aqua Direct s.r.o./CN=Aqua Direct s.r.o.
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Code Signing CA
    Cert #1:
        Subject: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
    Cert #2:
        Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
    Cert #3:
        Subject: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Code Signing CA
        Issuer : /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Succeeded

It is unknown whether the certificate was obtained from Sectigo by giving false information, the certificate was stolen from Aqua Direct s.r.o., or whether the certificate was obtained from Sectigo by giving stolen information from Aqua Direct s.r.o..

QakBot is known to steal victim emails and use them in future malspam campaigns. So it is likely that they also use stolen victim data to obtain code signing certificates. However, the actors behind QakBot can also buy the code signing certificate from a (malicious) third party.

Strings only decoded at runtime

QakBot will decode its strings only at runtime into memory. After usage the decoded strings are removed from memory again.

Processes

QakBot uses CreateToolhelp32Snapshot and Process32{First,Next}W to enumerate the running processes.

QakBot enumerating processes API log

It checks for the following processes:

  • CcSvcHst.exe
  • avgcsrvx.exe
  • avgsvcx.exe
  • avgcsrva.exe
  • MsMpEng.exe
  • mcshield.exe
  • avp.exe
  • kavtray.exe
  • egui.exe
  • ekrn.exe
  • bdagent.exe
  • vsserv.exe
  • vsservppl.exe
  • AvastSvc.exe
  • coreServiceShell.exe
  • PccNTMon.exe
  • NTRTScan.exe
  • SAVAdminService.exe
  • SavService.exe
  • fshoster32.exe
  • WRSA.exe
  • vkise.exe
  • iserv.exe
  • cmdagent.exe
  • ByteFence.exe
  • MBAMService.exe
  • mbamgui.exe
  • fmon.exe

QakBot will set specific bits in a bit mask for each running process it finds. Depending on the resulting bit mask the further infection path is altered, e.g., if avp.exe has been encountered. QakBot will later inject its code into mobsync.exe instead of explorer.exe. Because the searched process names are related to security solutions, we believe that this way QakBot tailors its execution path to evade detection by specific vendors.

Then in another loop, again using CreateToolhelp32Snapshot and Process32{First,Next}W, it checks for:

  • srvpost.exe
  • frida-winjector-helper-32.exe
  • frida-winjector-helper-64.exe

If it detects any of those processes the execution flow will run into a loop continuously calling WaitForSingleObject(handle, 0x1fa) on a handle previously generated via CreateEvent(NULL, FALSE, FALSE, ...), i.e., it runs in an infinite loop.

Device drivers

Next, QakBot uses SetupDiGetDeviceRegistryPropertyA (querying properties SPDRP_DEVICEDESC and SPDRP_SERVICE) to check for device drivers containing the following strings:

  • VBoxVideo
  • Red Hat VirtIO
  • QEMU
  • A3E64E55_pr

We believe the search for A3E64E55_pr is used to detect an artifact of the ANY.RUN sandbox.4 Alternatively, but unlikely, it could be used to detect an artifact of the long ago defunct xCore Complex Protection AV solution using a similar driver with the name A3E64E55_pr.sys.

If it detects any of those device drivers the execution flow will run into the same infinite loop continuously calling WaitForSingleObject(handle, 0x1fa) on a handle previously generated via CreateEvent(NULL, FALSE, FALSE, ...), as previously mentioned.

Process injection

QakBot starts C:\Windows\SysWOW64\explorer.exe in suspended state and injects a DLL into it using CreateProcessInternalW, NtMapViewOfSection, NtAllocateVirtualMemory, WriteProcessMemory, memcpy, NtProtectVirtualMemory and NtResumeThread.

QakBot process injection into explorer.exe API log

The injected DLL can be extracted via PE-sieve5 or other tools for simplyfied further analysis.

Injected QakBot DLL extracted with PE-sieve

Depending on whether the previous process enumeration yielded results on the list, QakBot will inject into mobsync.exe (e.g., in case a avp.exe process is found running) instead of explorer.exe. But for simplicity we will only follow the explorer.exe process injection path we observed in our analysis environment.

C2 communication

After avoiding detection, the injected QakBot code within explorer.exe will start communicating with the C2 servers.

QakBot DLL in explorer.exe C2 communication

Like in previous versions of QakBot the C2 IP list is stored RC4 encrypted in resource section 311. The first 20 bytes of the section contains the RC4 key with which the rest of the section is decrypted. The first 20 bytes of the decrypted data will contain the SHA1 sum calculated over the rest of the decrypted data. It is used as a verification for correct decryption. Unlike in previous version, the C2 list is now stored in binary form and not as ASCII text anymore.

QakBot C2 list storage

For details on how to extract the C2 list and QakBot’s configuration see the Python3 script in the appendix. The input to the script is the path to the DLL that QakBot injected into explorer.exe, which we previously extracted via PE-sieve5.

QakBot configuration extraction with Python3 script

The configuration is stored using the same RC4 encryption scheme in resource section 308. In it we can see the bot and/or campaign ID abc103 that is associated with the analyzed sample. It is still stored in plain ACSII text. For each campaign the number is increased by one. This allows the operators behind QakBot to keep track to which campaign each victim connecting to their C2 server belongs to. Another currently observed identifier is tr02. This identifier, however, stayed the same over multiple malspam campaigns.

Via the C2 connection the operators behind QakBot can remote control the malware and deploy additional malicious modules.

QakBot will not store its configuration and C2 list on disk anymore. It will use the registry for storage.

QakBot using registry for configuration storage

Wiping

The previous QakBot version used to overwrite its initial executable with a copy of cmd.exe. This version will overwrite the portion of the initially downloaded DLL after the PE header with zeros.

Here is the entropy of the QakBot DLL as downloaded.

QakBot DLL entropy before being overwritten

The zeroing of data after the header can be clearly seen when comparing the previous plot against a plot of the DLL file after wiping.

QakBot DLL entropy after being overwritten

Persistence

The persistence mechanism of QakBot has also changed. While it still uses a run key registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, this key is only set right before the system is shutdown, rebooted or put to sleep. The corresponding DLL is also only dropped to disk right before shutdown, rebooted or sleep.

After the system boots up again, QakBot is started via the run key. The execution tree also starts via regsvr32.exe -s ... like the initial execution from Excel. QakBot follows the same steps as previously outlined resulting in process injection into explorer.exe.

QakBot process tree after reboot

QakBot will then delete the run key registry entry and delete the DLL it dropped to disk prior to the reboot.

QakBot cleaning persistence

This way QakBot’s persistence can not be detected at runtime.

Egregor

While we have previously reported on QakBot deliverying the ProLock ransomware,2 latests reports indicated that QakBot is now used to deliver the Egregor ransomware. We previously reported on the Egregor ransomware as part of an article on ransomware leaksites6 in which we explain the practice of ransomware operators stealing their victims data before encrypting it to extort them not only with decryption but also public release of the stolen data.

Conclusion and Countermeasures

From our analysis we can conclude that QakBot is trying to avoid persistent file artifacts. In previous version the configuration and QakBot executable were permanently stored on disk. This made it easy for security tools to detect them. The new version tries to avoid permanently leaving its artifacts on disk. While QakBot is not going fully fileless, it new tactics will sure lower its detection.

But even though QakBot has changed, the delivery mechanism behind the QakBot “abc[A-Z]+” campaign did not. Hence, an infection by this threat actor can be successfully prevented by blocking the initial emails.

Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, already detects and blocks the outlined threat. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting yet unknown threats.

References

Indicators of Compromise (IOCs)

Hashes

The hashes of the analyzed QakBot samples are:

MD5 Filename Description
6bc0584f6cbb74714add1718b0322655 904400.jpg QakBot DLL as downloaded by XLM macro
e23bc27212f61520cfb130185d74cfb1 26e0000.dll Extracted QakBot DLL

MITRE ATT&CK

The tactics and techniques used by QakBot as defined by the MITRE ATT&CK framework are as follows:

Tactic Technique
TA0001 – Initial Access T1566.001 – Phishing: Spearphishing Attachment
TA0001 – Initial Access T1566.002 – Phishing: Spearphishing Link
TA0002 – Execution T1027 – Obfuscated Files or Information
TA0002 – Execution T1204.002 – User Execution: Malicious File
TA0003 – Persistence T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
TA0004 – Privilege Escalation T1053.005 – Scheduled Task/Job: Scheduled Task
TA0005 – Defense Evasion T1027.002 – Obfuscated Files or Information: Software Packing
TA0005 – Defense Evasion T1055 – Process Injection
TA0005 – Defense Evasion T1055.012 – Process Injection: Process Hollowing
TA0005 – Defense Evasion T1070 – Indicator Removal on Host
TA0005 – Defense Evasion T1497.001 – Virtualization/Sandbox Evasion: System Checks
TA0006 – Credential Access T1003 – OS Credential Dumping
TA0006 – Credential Access T1110.001 – Brute Force: Password Guessing
TA0006 – Credential Access T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
TA0011 – Command and Control T1071.001 – Application Layer Protocol: Web Protocols
TA0011 – Command and Control T1090 – Proxy
TA0011 – Command and Control T1090.002 – Proxy: External Proxy

Appendix

Qakbot configuration extraction Python3 script

import sys
import pefile
from arc4 import ARC4

pe = pefile.PE(sys.argv[1])
c2list = []
for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
    for e in entry.directory.entries:
        n = e.name.string.decode()
        data = pe.get_data(e.directory.entries[0].data.struct.OffsetToData, e.directory.entries[0].data.struct.Size)
        data = ARC4(data[:20]).decrypt(data[20:])[20:]
        if n == '311':
            for i in range(1,len(data),7):
                c2 = list(data[i:i+6])
                c2list.append("%d.%d.%d.%d:%d" % (c2[0],c2[1],c2[2],c2[3],(c2[4]<<8)+c2[5]))
        elif n == '308':
            config = data.decode().split()
print("# QakBot Config\n\n```\n" + "\n".join(config) + "\n```\n")
print("# QakBot C2\n\n```\n" + "\n".join(c2list) + "\n```\n")