Thu, Jun 4, 2020
Kroll identified a growing trend in Qakbot (also known as Qbot) cases targeting and exfiltrating locally stored emails to commit a sophisticated phishing method known as email thread hijacking. This increase, combined with intelligence gathered by Kroll and analysts from the National Cyber-Forensics and Training Alliance (NCFTA), suggests the attacks are part of an ongoing campaign to steal financial data from multiple industries including media, education and academia.
This new tactic of exfiltrating emails opens Qakbot victims up to multiple issues:
Email thread hijacking occurs when cyber criminals respond to or forward legacy email threads with new phishing lures. Even though the threads may originate from a compromised user account or an actor-controlled system, by leveraging existing email threads and adding a malicious link or attachment, these messages help threat actors evade phishing detection software such as antivirus or spam filters. In addition, these threads appearing to come from a trusted sender increases the likelihood that others will click on the message, thereby exponentially spreading the infection.
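One way a mail gateway or SOC triage script can surface the pattern described above: a reply that quotes a thread the organization itself sent, arrives from an outside domain, revives a long-dormant conversation and carries a new link or attachment. This is an added example, not Kroll's tooling; the domain list, the sent-thread record and the sample message are constructed for illustration.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions (constructed for this example): our own mail domains, and a
# record of Message-IDs we sent together with the date of each thread's last activity.
INTERNAL_DOMAINS = {"example.com"}
SENT_THREADS = {"<orig-001@example.com>": datetime(2019, 11, 2, tzinfo=timezone.utc)}

# Constructed sample: a "reply" to our legacy thread from a look-alike external domain.
SAMPLE_REPLY = """\
From: "Alice Smith" <alice.smith@mail-example.net>
To: bob@example.com
Subject: RE: Q1 invoice
Date: Thu, 04 Jun 2020 09:12:00 +0000
In-Reply-To: <orig-001@example.com>
References: <orig-001@example.com>
Content-Type: text/plain

Hi Bob, please see the updated document: http://files.example.invalid/doc
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)

def hijack_indicators(raw, sent_threads=SENT_THREADS, internal=INTERNAL_DOMAINS, stale_days=90):
    """Return the thread-hijack indicators present in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    refs = set((msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split())
    origin = refs & set(sent_threads)
    if origin:
        hits.append("replies-to-our-thread")        # quotes a thread we actually sent
        sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        if sender_domain not in internal:
            hits.append("external-sender")          # our thread, but an outside sender
        sent_at = parsedate_to_datetime(msg["Date"])
        last = max(sent_threads[i] for i in origin)
        if sent_at - last > timedelta(days=stale_days):
            hits.append("stale-thread-revived")     # legacy thread suddenly resurrected
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if URL_RE.search(text) or any(True for _ in msg.iter_attachments()):
        hits.append("link-or-attachment")           # the new lure riding on the old thread
    return hits

def is_suspicious(raw, threshold=3):
    """Flag the message for analyst review when enough indicators line up."""
    return len(hijack_indicators(raw)) >= threshold
```

A reply from an internal address to a still-active thread trips only the first and last indicators and stays below the threshold, which keeps ordinary internal replies with links out of the review queue.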
In this flood of recent incidents, Kroll observed the attackers scraping and exfiltrating locally stored emails to an actor-controlled system where the actor can continue to hijack email threads even after leaving the compromised network.
In one instance, a company approached Kroll stating that they were receiving suspicious emails from one of their subsidiaries. Upon further inspection, Kroll learned that an employee using their work computer had clicked on a malicious link from their personal email account that downloaded a Qakbot dropper.
From that initial compromise, the malware scraped thousands of emails and contacts across multiple users.
Banking trojan Qakbot has been active for over a decade. Like other trojans, it is most well-known for targeting banking customer information. Its repertoire of malicious behavior includes:
In the spring of 2019, multiple outlets reported on a massive Qakbot campaign which included the new tactic of email thread hijacking. After these public reports, the group appeared to go on a brief hiatus through late 2019. This new campaign shows efforts to strengthen the malware and cause even more damage by stealing emails and potentially sensitive data. Such tactics mean that Qakbot victims could now be subject to notification requirements around leaked data.
Kroll Observations: Anatomy of a Qakbot Email Hijack
Stage | Kroll Observation
--- | ---
Initial Compromise | Malicious attachment from a phishing email
Execution | Visual Basic script execution which drops and executes a malicious file
Evasion | One of the tell-tale indicators of Qakbot: the original malicious executable is overwritten with the legitimate Microsoft calculator executable calc.exe.
Persistence | Series of automated installation steps and processes, such as establishing folders within the infected user directory and persistent scheduled tasks within user and system registry hives
Collection | New folders are populated with individual email messages and aggregated text files containing additional contact details.
A review of recent Qakbot cases identified the following:
As mentioned by Devon Ackerman, Managing Director in our Cyber Risk practice, in a previous article on banking trojans, employee education and awareness is still key for defense.
Additionally, it’s important to highlight that traditional antivirus solutions have historically proved ineffective against trojans like Qakbot. It’s crucial to implement a robust endpoint detection solution that can monitor suspicious activity and behaviors.