Qakbot Attacks Spike Amid Concerning Cybercriminal Collaborations

The Qakbot group has successfully ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

4 Min Read
Source: Stuart Miles via Alamy

The Qakbot malware group resumed expanding its access-as-a-service network in early September, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, threat researchers said this week.

In the most recent incident, cybersecurity firm Trend Micro observed Qakbot-infected systems deploying Brute Ratel, an "adversary emulation" platform used by penetration testers, but also — along with Cobalt Strike — used by cybercriminals for its sophisticated capabilities. Another group, known as Black Basta, is likely responsible for the subsequent attacker activity using the two platforms, Trend Micro said.

Black Basta's use of the Qakbot, also known as QBot or Pinkslipbot, highlights how cybercriminal groups are specializing in particular attack-chain activities, says Jon Clay, vice president of threat intelligence for Trend Micro.

"QBot appears to have improved their offering as they have to compete with other groups selling similar services in the underground — BlackBasta is one such group that feels their tool set works for them," he says. "They continue to update their code and malware to enhance obfuscation and ability to successfully compromise victims."

After Qakbot infects a system, the attack tools conducts automated reconnaissance and then downloads and installs Brute Ratel, which is then used by Black Basta to move laterally to other systems in the network and execute payloads, according to Trend Micro's report.

Other security firms have also noted that cybercriminal groups have increasingly focused on specific elements of the attack chain. While Qakbot started out as a banking trojan, different groups have augmented its capabilities with additional modules, according to the NCC Group, a threat intelligence firm.

"QBot is considered a banking Trojan, but thanks to its modular design, it can also act as an infostealer, a backdoor — with its backconnect module — and a downloader," the Global Threat Intelligence Team at NCC Group said in response to questions from Dark Reading, adding: "After the takedown attempt on Emotet and the recent pause of its operation, QBot and Bokbot had been sharing the market."

The approach has garnered success for the group. In a separate report, threat researchers at cybersecurity firm Kaspersky said that Qakbot had infected at least 1,800 victims, at least half of which are business systems or workers' computers.

Black Basta is just one of the groups that have either use a Qakbot service or distribute the malware themselves. The Black Basta group first appeared in April, conducting double extortion operations in which the attacker installs ransomware and steals data to put pressure on the business to pay the ransom. The group is likely made up of member of the Conti gang, which dissolved in May, but whose members continue to be a threat.

Brute Ratel in the Qakbot Mix
In May, a malicious file linked to the attack tool, Brute Ratel, was uploaded to VirusTotal, a common way to check whether current anti-malware scanners can detect a new variant. None of the 56 scanners detect that the file contained malicious code, Mike Harbison and Peter Renals, two threat researchers at network security firm Palo Alto Networks, wrote in an analysis of Brute Ratel in July.

The attack likely came from a Russian group known as APT29 and poses issues for companies, the researchers stated.

"While [Brute Ratel C4] has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," Harbison and Renals wrote. "Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities."

Trend Micro concurred with Palo Alto Networks that, while Cobalt Strike is a well-known payload used by many cybercriminals, more attackers are starting to use Brute Ratel for extending their compromise and delivering payloads, especially after stolen code and leaked licenses have made pirated copies of the software available.

Obscurity helps the program be successful, Trend Micro stated in its analysis.

"This makes Brute Ratel and other less established C2 frameworks an increasingly more attractive option for malicious actors, whose activities may remain undetected for a longer period," the company stated.

Since the current Qakbot group extensively uses spam, targeted emails, and compromising email threads as a way to distribute the initial links and malware, Trend Micro recommends that users follow email security best practices, such as verifying the email sender and content before downloading attachments and hovering over embedded links to see the actual target URL. Security-awareness training is important part of raising the level needed to infect a company.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights