Law enforcement dismantled the Qakbot botnet’s servers in 2023’s Operation Duck Hunt, but researchers identified its reemergence with a modified DLL, which utilizes the srtasks.exe process for persistence, ensuring its survival on restarted machines.
Qakbot continues to spread via phishing campaigns with various lures, including attachments or links that deliver the malware upon user interaction.
The campaigns have historically used malicious macros, booby-trapped OneNote files, and ISO attachments containing executables and shortcuts.
Researchers at Microsoft discovered a resurgence of QakBot malware after a law enforcement takedown in August 2023 using IRS-themed phishing emails targeting a limited number of users in the hospitality industry.
The emails likely used the common practice of the IRS contacting taxpayers during tax season, which suggests that QakBot might utilize other prevalent phishing tactics to spread infections as the botnet regains its capabilities.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .
QakBot, a versatile piece of malware, employs anti-analysis techniques to hinder investigation, and its code uses functions like IsDebuggerPresent to identify debugging environments.
Recent variants disguise Adobe Reader installation and create a temporary file to launch srtasks.exe with the “ExecuteScopeRestorePoint” command.
The command takes a random number as an argument, suggesting that system restore points are being changed, possibly to avoid being found or future attempts to wipe out the variant since bugs show that it is still being worked on.
Malware utilizes a new persistence method by abusing the legitimate srtasks.exe process to create a restore point named “Adobe Installation” after infecting the system.
As long as the system makes use of restore points, a hidden rundll32 process will then launch this restore point containing a malicious dll file, allowing QakBot to continue operating silently in the background even after a factory reset.
According to BinaryDefense, it also uses a secondary msiexec.exe process to download the dll and further evade detection, which suggests QakBot is becoming a more prevalent initial access method for information gathering or delivering additional payloads.
The appendix outlines detections for suspicious behaviors potentially linked to the Qakbot malware, focusing on events involving processes spawned by msiexec.exe, the Windows installer.
The first detection looks for srtasks.exe execution with specific command line arguments by a child process of msiexec.exe, while the second detection refines this by requiring the msiexec.exe parent process also to have the “/V” argument and looks for additional processes with the “.tmp” extension spawned by msiexec.exe with “/V” and using rundll32.exe.
Registry events searching for specific key modifications under “SystemCurrentControlSetServicesVSSDiagSPP” are also included.
It detects target processes with “.tmp” extensions spawned by another process ending in “.tmp” that use rundll32.exe and potentially try to hide the window. Finally, it searches for a specific file named “KROST.dll” within the user’s AppData roaming folder.
Secure your emails in a heartbeat! Take Trustifi free 30-second assessment and get matched with your ideal email security vendor - Try Here