The Botnet Makes Detailed Profile Scans of Infected Computers, Downloads Additional Modules and Features Elaborate Encryption

OXFORD, U.K. — 3月 10, 2022 —

Sophos, a global leader in next-generation cybersecurity, today published a technical deep dive into Qakbot, explaining how the botnet is a becoming more advanced and dangerous to organizations. In a new article, “Qakbot Injects Itself into the Middle of Your Conversations,” Sophos researchers detail a recent Qakbot campaign that shows how the botnet spreads through email thread hijacking and collects a wide range of profile information from newly infected machines, including all the configured user accounts and permissions, installed software, running services, and more. The botnet then downloads a series of additional malicious modules that enhance the functionality of the core botnet, according to Sophos.

Qakbot’s malware code features unconventional encryption, which it also uses to conceal the content of its communications. Sophos decrypted the malicious modules and decoded the botnet’s command and control system to interpret how Qakbot receives instructions.

“Qakbot is a modular, multi-purpose botnet spread by email that has become increasingly popular with attackers as a malware delivery network, like Trickbot and Emotet,” said Andrew Brandt, principal threat researcher at Sophos. “Sophos’ deep analysis of Qakbot reveals the capture of detailed victim profile data, the botnet’s ability to process complex sequences of commands, and a series of payloads to extend the functionality of the core botnet engine. The days of thinking of ‘commodity’ bots as merely annoying are long gone.

 “Security teams need to take seriously the presence of Qakbot infections on their network and investigate and remove every trace. Botnet infections are a known precursor for a ransomware attack. This is not simply because botnets can deliver ransomware, but because botnet developers sell or lease their access to breached networks. For example, Sophos has encountered Qakbot samples that deliver Cobalt Strike beacons directly to an infected host. Once the Qakbot operators have used the infected computer they can transfer, lease out or sell access to these beacons to paying customers.”

The Qakbot Infection Chain and Payloads

In the campaign Sophos analyzed, the Qakbot botnet inserted malicious messages into existing email conversations. The inserted emails include a short sentence and a link to download a zip file containing a malicious Excel spreadsheet. The user was asked to “enable content” to activate the infection chain. Once the botnet had infected a new target it performed a detailed profile scan, sharing the data with its command-and-control server and then downloading additional malicious modules.

The Qakbot botnet downloaded at least three different malicious payloads in the form of dynamic link libraries (DLL).  According to Sophos, these DLL payloads provide the botnet with a wider range of capabilities.

The payloads were injected into browsers and contained the following:

  • A module that injects password-stealing code into webpages
  • A module that performs network scans, collecting data about other machines in proximity to the infected computer
  • A module that identified the addresses of a dozen SMTP (Simple Mail Transfer Protocol) email servers and then tried to connect to each one and send spam

Sophos Security Advice

Sophos recommends that users approach unusual or unexpected emails with caution, even when the messages appear to be replies to existing email threads. In the Qakbot campaign investigated by Sophos, a potential red flag for recipients was the use of Latin phrases in URLs.

Security teams should check that the behavioral protections provided by their security technologies prevent Qakbot infections from taking hold. Network devices will also alert administrators if an infected user attempts to connect to a known command-and-control address or domain.

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of attackers.

For further information read “Qakbot Injects Itself into the Middle of Your Conversations” on SophosLabs Uncut.

ソフォスについて

ソフォスは、MDR (Managed Detection and Response) サービス、インシデント対応サービス、およびエンドポイント、ネットワーク、メール、クラウド セキュリティ テクノロジーの幅広いポートフォリオなど、サイバー攻撃を阻止する高度なセキュリティソリューションを提供する世界的なリーダーであり、革新的な企業です。ソフォスは、最大手のサイバーセキュリティ専門プロバイダーの 1つであり、全世界で 60万以上の組織と 1億人以上のユーザーを、アクティブな攻撃者、ランサムウェア、フィッシング、マルウェアなどから保護しています。ソフォスのサービスと製品は、Sophos Central 管理コンソールを介して接続され、企業のクロスドメイン脅威インテリジェンスユニットである Sophos X-Ops を利用しています。Sophos X-Ops のインテリジェンスは、Sophos ACE (Adaptive Cybersecurity Ecosystem) 全体を最適化します。このエコシステムには、お客様、パートナー、開発者、その他のサイバーセキュリティおよび情報技術ベンダーが利用できる豊富なオープン API セットを活用する一元化されたデータレイクが含まれます。ソフォスは、フルマネージド型のソリューションを必要とする組織に、Cyber​​security-as-a-Service を提供します。お客様は、ソフォスのセキュリティ運用プラットフォームを使用してサイバーセキュリティを直接管理することも、脅威ハンティングや修復などソフォスのサービスを使用して社内チームを補完するハイブリッドアプローチを採用することもできます。ソフォスは、リセラーパートナー、MSP (マネージド サービス プロバイダ) を通じて販売しています。ソフォス本社は英国オックスフォードにあります。詳細については www.sophos.com をご覧ください。