Security News

SweetOrange ExploitKit and Qakbot (July 11, 2014)

By

The Dell SonicWALL Threats Research Team has recently encountered an example of the Qakbot malware family. This long lived malware family was seen being dropped by a SweetOrange Exploit Kit. This bot has many features and capabilities and is a danger to sensitive networks and data.

Infection Cycle

This sample of Qakbot is self contained and, besides log and config files, only drops identical copies of itself to disk. Multiple stages of unpacking are required to reveal the full capabilities of the sample. After the initial execution, the original file is deleted with a typical invocation of cmd.exe: [cmd /c ping -n 10 localhost && del “C:windowstempfile.exe”]

Once the original file is melted via cmd.exe and the malware is unpacked in memory, it injects into numerous processes, particularly applications that stay resident in the system tray.

Qakbot Process Injection

In this case, the main injection target was Skype process that was then used to beacon out to a command and control server.

The injected Skype process is connected to a C&C server

This C&C traffic is very simple and serves as a beacon to let the attackers know that a new machine has been infected. The IP address of the infected machine and the malware-generated host identifier are the primary contents.

The beacon traffic contains only basic information

In addition to the beacon traffic, this malware also sends a record of the user’s browsing behavior in real time.

Browsing behavior is sent out to a C&C server in encoded HTTP requests

The data is only URL-escaped and can be easily decoded to show the true nature of the HTTP traffic:

The decoded C&C traffic clearly shows the user's browsing behavior

Indicators of Compromise

In order to persist upon reboot, the malware creates multiple run keys. Our analysis included one that uses the malware’s “/c” flag to execute and inject a target application.

The malware auto-runs itself and piggy-backs on a normal start-up application

The following randomized mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.

  • Sessions1BaseNamedObjectsfilea
  • Sessions1BaseNamedObjectsizbtitjv
  • Sessions1BaseNamedObjectskyeuyya
  • BaseNamedObjectskyeuyy
  • BaseNamedObjectstlkpito
  • BaseNamedObjectsdiges
  • BaseNamedObjectsfrxikyn

Summary

Overall, the purpose of this malware is to gain control of and gather information from the target machine. Qakbot has a variety of functionality and will steal banking information and other personal data and credentials. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signature:

  • GAV: Qbot.BH
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Spam campaign roundup: The Fathers Day Edition (June 13, 2014)
Ransomware purports to be from National Security Bureau (Dec 12, 2014)
curl SOCKS5 Heap overflow Vulnerability
LokiBot is using Living Off The Land Technique
OpenSSL CRL Verification Vulnerability
Infostealer Trojan with Bitcoin mining and DDoS features (May 30, 2013)
LOCKID Ransomware actively spreading in the wild
MFC Virus uses PROPagate Injection