New Qakbot DLL Windows Persistence

Law enforcement dismantled the Qakbot botnet’s servers in 2023’s Operation Duck Hunt, but researchers have identified its reemergence with a modified DLL that abuses the srtasks.exe process for persistence, so the malware survives reboots of infected machines.

Qakbot continues to spread via phishing campaigns with various lures, including attachments or links that deliver the malware upon user interaction. 

The campaigns have historically used malicious macros, booby-trapped OneNote files, and ISO attachments containing executables and shortcuts. 

Researchers at Microsoft discovered a resurgence of QakBot malware, following the August 2023 law enforcement takedown, that used IRS-themed phishing emails targeting a limited number of users in the hospitality industry.

[Image: new phishing campaign]

The emails likely exploited the expectation that the IRS contacts taxpayers during tax season, which suggests that QakBot may use other prevalent phishing tactics to spread infections as the botnet regains its capabilities.


QakBot, a versatile piece of malware, employs anti-analysis techniques to hinder investigation; its code calls functions such as IsDebuggerPresent to detect debugging environments.

Recent variants masquerade as an Adobe Reader installation and create a temporary file that launches srtasks.exe with the “ExecuteScopeRestorePoint” command.

[Image: launching srtasks.exe]

The command takes a random number as an argument, which suggests that system restore points are being modified, possibly to avoid detection or to survive future attempts to remove the variant; bugs in the code indicate that it is still under development.

The malware uses a new persistence method: after infecting the system, it abuses the legitimate srtasks.exe process to create a restore point named “Adobe Installation”.

[Image: System Restore]

As long as the system makes use of restore points, a hidden rundll32 process then launches the malicious DLL file stored in this restore point, allowing QakBot to continue operating silently in the background even after a factory reset.

[Image: launching rundll32.exe]

According to BinaryDefense, it also uses a secondary msiexec.exe process to download the DLL and further evade detection, which suggests that QakBot is becoming a more prevalent initial access method for information gathering or for delivering additional payloads.

The appendix outlines detections for suspicious behaviors potentially linked to the Qakbot malware, focusing on events involving processes spawned by msiexec.exe, the Windows installer. 

The first detection looks for srtasks.exe executed with the specific command line arguments by a child process of msiexec.exe. The second detection refines this by also requiring the msiexec.exe parent process to carry the “/V” argument, and it looks for additional processes with a “.tmp” extension spawned by msiexec.exe with “/V” that go on to use rundll32.exe.

Registry events searching for specific key modifications under “System\CurrentControlSet\Services\VSS\Diag\SPP” are also included. 

A further detection covers target processes with a “.tmp” extension spawned by another process ending in “.tmp” that use rundll32.exe and potentially try to hide the window. Finally, it searches for a specific file named “KROST.dll” within the user’s AppData Roaming folder.
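As an added illustration (not code from the article or from BinaryDefense’s appendix), the process-tree, registry and file behaviours described above applied to constructed telemetry records; the event field names and the exact srtasks.exe argument form are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). pid/ppid links let the
# matcher walk the chain msiexec.exe /V -> *.tmp -> srtasks.exe / rundll32.exe.
EVENTS = [
    {"type": "proc", "pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 20, "ppid": 10, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe /V"},
    {"type": "proc", "pid": 30, "ppid": 20, "image": r"C:\Users\u\AppData\Local\Temp\is-F3A.tmp", "cmd": "is-F3A.tmp"},
    {"type": "proc", "pid": 40, "ppid": 30, "image": r"C:\Windows\System32\srtasks.exe",
     "cmd": "srtasks.exe ExecuteScopeRestorePoint 41873"},  # assumed argument form
    {"type": "proc", "pid": 50, "ppid": 30, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Roaming\KROST.dll,Init"},
    {"type": "proc", "pid": 60, "ppid": 10, "image": r"C:\Windows\System32\srtasks.exe",
     "cmd": "srtasks.exe ExecuteScopeRestorePoint 5"},  # not under msiexec: should not fire
    {"type": "reg", "pid": 40, "path": r"HKLM\System\CurrentControlSet\Services\VSS\Diag\SPP\Example"},
    {"type": "file", "pid": 20, "path": r"C:\Users\u\AppData\Roaming\KROST.dll"},
]


def base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {rule_name: [pids]} for every record matching a described behaviour."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    hits = defaultdict(list)
    for e in events:
        if e["type"] == "proc":
            parent = procs.get(e["ppid"])
            grand = procs.get(parent["ppid"]) if parent else None
            # parent is a .tmp process and grandparent is msiexec.exe
            via_msi = bool(parent and grand and base(parent["image"]).endswith(".tmp")
                           and base(grand["image"]) == "msiexec.exe")
            msi_v = via_msi and "/v" in grand["cmd"].lower().split()
            is_srtasks = base(e["image"]) == "srtasks.exe" and "executescoperestorepoint" in e["cmd"].lower()
            if is_srtasks and via_msi:
                hits["srtasks_via_msiexec_tmp"].append(e["pid"])
            if is_srtasks and msi_v:
                hits["srtasks_via_msiexec_V"].append(e["pid"])
            if base(e["image"]) == "rundll32.exe" and msi_v:
                hits["rundll32_via_msiexec_V_tmp"].append(e["pid"])
        elif e["type"] == "reg" and r"\services\vss\diag\spp" in e["path"].lower():
            hits["vss_spp_registry"].append(e["pid"])
        elif e["type"] == "file" and e["path"].lower().endswith(r"\appdata\roaming\krost.dll"):
            hits["krost_dll_roaming"].append(e["pid"])
    return dict(hits)


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule}: pids {pids}")
```

The standalone srtasks.exe launch (pid 60) deliberately does not match, which is the point of anchoring the rule on the msiexec.exe ancestry rather than on srtasks.exe alone.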

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.