SweetOrange ExploitKit and Qakbot
The Dell SonicWALL Threats Research Team has recently encountered an example of the Qakbot malware family. This long-lived malware family was seen being dropped by a SweetOrange Exploit Kit. This bot has many features and capabilities and is a danger to sensitive networks and data.
This sample of Qakbot is self-contained and, besides log and config files, only drops identical copies of itself to disk. Multiple stages of unpacking are required to reveal the full capabilities of the sample. After the initial execution, the original file is deleted with a typical invocation of cmd.exe: [cmd /c ping -n 10 localhost && del "C:\windows\temp\file.exe"]
Once the original file is melted via cmd.exe and the malware is unpacked in memory, it injects into numerous processes, particularly applications that stay resident in the system tray.
In this case, the main injection target was the Skype process, which was then used to beacon out to a command and control server.
This C&C traffic is very simple and serves as a beacon to let the attackers know that a new machine has been infected. The IP address of the infected machine and the malware-generated host identifier are the primary contents.
In addition to the beacon traffic, this malware also sends a record of the user's browsing behavior in real time.
The data is only URL-escaped and can be easily decoded to show the true nature of the HTTP traffic:
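As an added illustration of the decoding step described above (this is example code written for this write-up, not code from the advisory or from the malware), the following Python snippet URL-decodes captured POST bodies and separates plain beacons from browsing records. The bodies and the field names (ip, id, url) are constructed assumptions; the actual Qakbot field layout is not given on this page.

```python
"""Decode URL-escaped HTTP POST bodies from a proxy capture and classify them.
Constructed example for the advisory; the sample bodies and field names are
assumptions, not the real Qakbot wire format."""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample: three form-encoded POST bodies as a proxy log might record them.
SAMPLE_BODIES = [
    "ip=10.0.0.5&id=abcd1234",
    "id=abcd1234&url=https%3A%2F%2Fbank.example.com%2Flogin%3Fuser%3Dalice",
    "id=abcd1234&url=http%3A%2F%2Fmail.example.org%2Finbox",
]

URL_RE = re.compile(r"https?://[^\s&]+")


def decode_body(body: str) -> dict:
    """URL-decode a form body into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def extract_records(bodies):
    """Classify each decoded body: a body carrying a 'url' field is a browsing
    record (the bot reporting where the user went); anything else is a beacon."""
    records = []
    for body in bodies:
        fields = decode_body(body)
        kind = "browsing" if "url" in fields else "beacon"
        records.append({"kind": kind, **fields})
    return records


def reported_urls(bodies):
    """Return every URL hidden inside escaped bodies; a non-empty result is a
    quick indicator that the client is exfiltrating browsing activity."""
    found = []
    for body in bodies:
        found.extend(URL_RE.findall(unquote_plus(body)))
    return found


if __name__ == "__main__":
    for rec in extract_records(SAMPLE_BODIES):
        print(rec)
    print("URLs reported:", reported_urls(SAMPLE_BODIES))
```

Run against a real capture, feed the POST bodies of the suspected beacon connections in place of SAMPLE_BODIES; the decode step is the same whatever the field names turn out to be.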
Indicators of Compromise
In order to persist upon reboot, the malware creates multiple run keys. Our analysis included one that uses the malware's "/c" flag to execute and inject a target application.
The following randomized mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.
Overall, the purpose of this malware is to gain control of and gather information from the target machine. Qakbot has a variety of functionality and will steal banking information and other personal data and credentials. Dell SonicWALL Gateway Anti-Virus provides protection against this threat with the following signature:
- GAV: Qbot.BH