Qakbot phishing campaign
DFi’s CERT (CERT-DFi) has detected an increase in phishing attacks at several of its clients. These campaigns are accelerating day by day and target every sector of activity. We strongly recommend making users aware of this threat in order to avoid the compromise of their organisation.
While analysing several cases, CERT-DFi observed that the initial access vector appears to be the same every time: a phishing email that convinces the user to open a malicious attachment.
The initial email carrying the malicious attachment contains a conversation history designed to look as close as possible to a genuine exchange between several people in the target company.
The emails analysed consist of the following elements:
- The subject is always that of a reply or forwarded thread: it carries the “RE:” prefix to simulate a previous conversation
- In some cases the characters of the quoted conversation are not rendered correctly
- The conversation quoted in the body of the “forwarded” email is very close to reality and names real people in the company
- The attached file is always a “ZIP” archive containing a malicious Excel file.
- The attachment name appears to follow a fixed naming convention: a word, then a separator character, then a sequence of digits
In all cases analysed, the “ZIP” archive contained an Excel workbook in the legacy “xls” format.
Note that the attackers may well switch to other archive formats and to other file types from the Microsoft Office suite, so detection should not rely on the “.zip” and “.xls” extensions alone.
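The following Python script is an added triage example written for this advisory; it is not CERT-DFi tooling. Given a raw RFC 822 message, it applies the indicators listed above: a reply-style subject, a ZIP attachment whose name is a word, a separator and digits, and an Office file inside the archive (identified by extension and by the OLE2 or OOXML container header, so a renamed “.xlsx” is caught too). The file-name regex, the Office extension list and the sample messages are assumptions constructed for the example, not indicators published by CERT-DFi.

```python
"""Triage check for the phishing pattern described above (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed naming convention: one word, one separator, several digits, ".zip".
ATTACHMENT_NAME_RE = re.compile(r"^[A-Za-z]+[ _\-.]\d{2,}\.zip$", re.IGNORECASE)
# Assumed watch-list of Office types; the advisory warns other types may appear.
OFFICE_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb", ".doc", ".docx", ".docm",
                     ".ppt", ".pptx", ".pptm")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container
OOXML_MAGIC = b"PK\x03\x04"                       # .xlsx/.docx are ZIP containers


def inspect_zip(blob: bytes) -> list:
    """Return (member name, reason) pairs for Office-looking members of a ZIP blob."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                name = info.filename
                if not name.lower().endswith(OFFICE_EXTENSIONS):
                    continue
                head = zf.open(info).read(8)  # only the header is needed
                if head.startswith(OLE2_MAGIC):
                    findings.append((name, "Office file (OLE2 container)"))
                elif head.startswith(OOXML_MAGIC):
                    findings.append((name, "Office file (OOXML container)"))
                else:
                    findings.append((name, "Office extension with unexpected header"))
    except zipfile.BadZipFile:
        findings.append(("<archive>", "attachment is not a valid ZIP"))
    return findings


def triage(raw: bytes) -> dict:
    """Parse one raw message and collect the advisory's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    subject = str(msg.get("Subject", ""))
    if re.match(r"^\s*(re|fw|fwd|tr)\s*:", subject, re.IGNORECASE):
        indicators.append("reply-style subject")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        indicators.append(f"zip attachment: {fname}")
        if ATTACHMENT_NAME_RE.match(fname):
            indicators.append("attachment name matches <word><sep><digits>.zip")
        for member, reason in inspect_zip(part.get_payload(decode=True)):
            indicators.append(f"{member}: {reason}")
    office_inside = any("Office file" in i for i in indicators)
    # Flag only the combination the advisory describes, not a lone "RE:" subject.
    suspicious = office_inside and "reply-style subject" in indicators
    return {"subject": subject, "indicators": indicators, "suspicious": suspicious}


def build_sample(subject: str, attach_name: str, member_name: str, member_head: bytes) -> bytes:
    """Construct a sample message in memory (constructed test data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_head + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Hi,\n\nPlease see the attached file as discussed.\n\n"
                    "> On Monday, Alice wrote:\n> Can you send me the document?\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("RE: contract", "Invoice_4821.zip", "Document.xls", OLE2_MAGIC)
    benign = build_sample("RE: contract", "minutes.zip", "minutes.pdf", b"%PDF-1.7")
    for raw in (lure, benign):
        result = triage(raw)
        print(result["subject"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for indicator in result["indicators"]:
            print("   ", indicator)
```

The script is meant to run over a mailbox export or a gateway quarantine; the verdict requires both the reply-style subject and an Office file inside the archive, because a “RE:” subject on its own is normal traffic. The constructed benign sample has the same subject but a PDF in the archive and is not flagged.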
The Excel workbook consists of a single sheet styled as a fake DocuSign document.
That single sheet carries the lure text that tries to convince the user to enable code execution in Excel by clicking the “Enable Content” button on the yellow security warning banner.
A single click on that button runs the embedded malicious code, which compromises the user’s machine with the Qakbot malware.
Qakbot is classified as a banking Trojan. The malware is sophisticated and designed to leave as small a footprint on the system as possible. This modular malware can perform the following actions:
- Fingerprinting the infected system (user, resources, …)
- Collecting cookies from web browsers
- Running an in-memory VNC module so the attacker can interact with the infected machine
- Retrieving the user’s emails (which also supplies genuine conversation threads for the lures described above)
- Tampering with the user’s web browsing sessions (web injects)
- Harvesting the user’s logins and passwords
- Using the infected machine to relay attacks and/or exfiltrate data
Qakbot is also used as a loader for other malware families, notably ransomware.
We recommend taking the following preventive actions:
- Raise awareness of the threat among your company’s employees
- Reinforce that awareness at regular intervals by carrying out phishing simulations
- Block macros in Office documents received from the internet (the Office “Block macros from running in Office files from the Internet” policy), since the lure described above only works if the user can enable content
- Have security solutions in place to protect users’ machines (e.g. EDR, multi-factor authentication, operating system hardening, etc.)
- Deploy security solutions to protect your company’s perimeter (e.g. firewall, anti-spam filtering that inspects archived attachments, etc.)