Unveiling Qakbot: Exploring one of the Most Active Threat Actors

Posted: September 11, 2023

I would like to share my presentation from the Security Bootcamp 2023 (SBC2023) event, which took place over three days, from September 8th to September 10th, 2023, in Da Nang.

2023 marks the 10th anniversary of Security Bootcamp and the second time it has been held in Da Nang. The event continues its mission of building and connecting the community of cybersecurity professionals nationwide, sharing the latest knowledge and skills, and establishing a reputable, high-quality cybersecurity conference in Vietnam.

My presentation focused on Qakbot (also known as Qbot), a notable banking Trojan that first appeared in 2007. Initially, Qakbot was used to steal user information and bank account credentials. Over time, however, it has been substantially improved and extended, becoming one of the most multi-functional and dangerous malware families on the Internet. Its operators use it as a loader to deliver additional payloads, including well-known ransomware families, in order to maximize criminal profit. The main objectives of this presentation were:

  1. Summarizing the top malware threats of 2022, with particular emphasis on Qakbot as a prominent and concerning threat. The malware continues to show strong activity and capability, and it was predicted to remain a dangerous threat in 2023.
  2. Exploring Qakbot's primary distribution method: email, specifically email thread hijacking, in which malicious replies are injected into stolen, legitimate email conversations so that the lure appears to come from a known correspondent. The attackers continuously experiment with different file types to carry the malicious payload in their campaigns. Examples include Excel files containing Excel 4.0 (XLM) macros, HTML smuggling (the malicious content is embedded in an HTML attachment and reassembled in the browser), Microsoft OneNote (.one) files, and Windows Script Files (.wsf). This illustrates how flexibly Qakbot adapts its lures to deceive users and get a foothold on systems.
  3. Lastly, a crucial part of the Qakbot research process was reverse-engineering the Qakbot core DLL. This included manually unpacking the loader to obtain the core DLL, decoding the strings that Qakbot keeps obfuscated until runtime, recovering the Windows APIs that Qakbot resolves dynamically instead of importing, and decrypting the configuration, which holds information about the bot and its command-and-control (C2) addresses. This reverse engineering gives insight into Qakbot's internals and structure, and produces the concrete indicators (for example, the C2 addresses) needed to build effective prevention and response measures.
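The string-decoding and API-recovery steps above are the kind of work a reverse engineer scripts once the core DLL is unpacked. The following is an added example and is not code from the presentation or from any Qakbot sample: it decodes an XOR-obfuscated, offset-indexed string table and resolves API-name hashes against a module's export list. The sample strings, the XOR key, the ROR13 hash routine and the hash values are constructed for illustration only; a real sample's key material and hash algorithm must be lifted from the unpacked core DLL, and Qakbot's own routines differ from these stand-ins.

```python
"""
Added example (not from the presentation or a Qakbot sample): two helpers a
reverse engineer typically writes once the core DLL is unpacked.

  1. xor_decode_string / dump_string_table: recover strings from a table that
     is stored XOR-ed with a key and addressed by byte offset, each string
     terminated by a NUL once decoded.
  2. ror13_hash / resolve_api_hashes: map hashes found in the binary back to
     API names by hashing a module's export list with the same routine.

SAMPLE_STRINGS, SAMPLE_KEY and the ROR13 routine are CONSTRUCTED stand-ins;
a real sample's key blob and hash algorithm must be lifted from the DLL.
"""
from typing import Dict, Iterable, List


def xor_decode_string(blob: bytes, key: bytes, offset: int) -> str:
    """Decode the NUL-terminated string that starts at `offset` in `blob`.

    Plaintext byte i is blob[i] ^ key[i % len(key)]. Decoding stops at the
    first byte that decodes to 0, so the caller only needs the offset, which
    is how such malware addresses its strings at runtime.
    """
    out = bytearray()
    for i in range(offset, len(blob)):
        b = blob[i] ^ key[i % len(key)]
        if b == 0:
            break
        out.append(b)
    return out.decode("latin-1")


def dump_string_table(blob: bytes, key: bytes) -> List[str]:
    """Walk the whole blob from offset 0 and return every string in order."""
    strings: List[str] = []
    off = 0
    while off < len(blob):
        s = xor_decode_string(blob, key, off)
        strings.append(s)
        off += len(s) + 1  # skip the string and its terminating NUL
    return strings


def build_string_table(strings: Iterable[str], key: bytes) -> bytes:
    """Inverse of dump_string_table; used here only to construct sample data."""
    plain = b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))


def ror13_hash(name: str) -> int:
    """Stand-in 32-bit API hash: rotate-right-13 then add each byte.

    This is the widely known ROR13 scheme, chosen only because it is familiar;
    it is NOT Qakbot's routine, which has to be reimplemented from the sample.
    """
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def resolve_api_hashes(hashes: Iterable[int],
                       export_names: Iterable[str]) -> Dict[int, str]:
    """Map each hash to the export name that produces it, or '<unresolved>'."""
    table = {ror13_hash(n): n for n in export_names}
    return {h: table.get(h, "<unresolved>") for h in hashes}


# Constructed sample data (not taken from a real sample).
SAMPLE_STRINGS = [
    "kernel32.dll",
    "VirtualAlloc",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]
SAMPLE_KEY = bytes([0x5A, 0xC3, 0x17, 0x88, 0x2E, 0x71])
SAMPLE_BLOB = build_string_table(SAMPLE_STRINGS, SAMPLE_KEY)

# Export names that would normally be read from the module's export table.
SAMPLE_EXPORTS = ["VirtualAlloc", "VirtualProtect", "CreateProcessW"]


def recover_sample() -> Dict[str, object]:
    """Run both recovery steps on the constructed sample data."""
    strings = dump_string_table(SAMPLE_BLOB, SAMPLE_KEY)
    wanted = [ror13_hash("VirtualAlloc"), 0xDEADBEEF]  # second one is unknown
    return {
        "strings": strings,
        # "kernel32.dll" is 12 bytes plus a NUL, so the second string is at 13
        "second_string": xor_decode_string(SAMPLE_BLOB, SAMPLE_KEY, 13),
        "apis": resolve_api_hashes(wanted, SAMPLE_EXPORTS),
    }


if __name__ == "__main__":
    for k, v in recover_sample().items():
        print(k, v)
```

The offset-based decoder matters in practice: rather than dumping the whole table, you can take the offset argument seen at a call site in the disassembler and decode exactly the string that call uses, which makes labelling the decompiled code much faster. Unresolved hashes are reported explicitly so that a mismatch between your reimplemented hash routine and the sample's is noticed immediately.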

Download my presentation here!

m4n0w4r
