Qakbot and Emotet Infections Represent Phishing Campaigns Uptick

Calyptix Security last week sent out a technical advisory warning its community of an uptick in Qakbot and Emotet infections. In light of the increase in phishing campaigns in recent weeks, it’s a good idea to review best practices. Help prevent compromise from phishing campaigns with the top strategies addressed in this article.

Calyptix’s N’dia Thomas, Cyber Threat and Incident Response Analyst, released an advisory March 10 warning of “an uptick in the volume of outbound botnet and command and control server (C2) activity as well as Emotet and Qakbot infections in the past few weeks. This activity correlates to updated malicious email campaigns detected in the past two months.”

Both Emotet and Qakbot have been around for years, yet threat actors continuously update the malware to improve its efficiency. Take Qakbot (also known as Qbot, Quakbot, or Pinkslipbot): the malware has been known since 2007, yet in October 2021 the DFIR Report found that it now takes only 30 minutes to steal credentials.

How does Qakbot work?

Emotet and Qakbot email campaigns use social engineering to trick users into opening a malicious link or macro-enabled document that leads to the compromise of the device, and possibly even the network as the malware spreads laterally.

Qakbot is a modular banking Trojan that steals data and credentials from infected devices. It initially accesses systems through email campaigns used to deliver a malicious link, an embedded image, or a malicious attachment – typically a macro-enabled document.

When the macro is enabled, the Qakbot loader is saved to the disk, and infection begins by injecting into processes and elevating itself to have SYSTEM privileges. It can evade detection by modifying the Windows Defender Exclusions list to exclude its process.

Within thirty minutes, Qakbot can collect and exfiltrate credentials from memory, browser data, and emails from Outlook. Within 50 minutes, it can move laterally to other workstations in the network, repeating the infection process – and in some cases it drops Cobalt Strike, which leads to ransomware.

How does Emotet work?

Emotet, first observed in 2014, is another modular Trojan. It is primarily used to distribute other malware such as ransomware, TrickBot, and other banking Trojans. It is similar to Qakbot in that it utilizes email campaigns to deliver a malicious link or attachment that convinces users to enable macros to start infection.

Like Qakbot, Emotet email campaigns use stolen reply-chain emails. Emotet also hijacks existing email threads and takes advantage of current events such as COVID-19 and the Russia/Ukraine conflict to lure recipients into downloading and opening malicious attachments.

Emotet differs from Qakbot in that it can go through the contact list of a user’s email client and send itself to their coworkers, clients, family, and friends. The recipients of such emails are more likely to trust the email since they know the sender. It has multiple methods to maintain persistence and avoid detection and can spread laterally through brute-force attacks.

What Calyptix is doing

Calyptix has deployed Community Shield on AccessEnforcer (version 5.0.3), which includes multiple threat feeds consisting of IP addresses for known C2 servers and botnets to block inbound and outbound traffic.
Any outbound alerts generated by these known IPs are detailed on an Outbound Activity Notification Report sent to our users’ designated alert contact via email.

Additionally, we have recently implemented a new alerting system to notify us of any attempts to connect to these known IPs within 30 minutes to facilitate faster notification of potential infections.

What you can do

Follow these best practices for phishing campaigns to prevent falling victim to these or other similar malware attacks.

  • Install antivirus and keep all devices up to date
  • Remove any infected devices from the network and isolate them to reduce lateral movement
  • Where possible, use Windows Group Policy to completely prevent users from enabling macros
  • Configure Windows Firewall to prevent user computers from communicating with each other within a subnet to help prevent lateral movement
  • Ensure your AccessEnforcer is on the current version (version 5.0.3)
  • Activate LAN Lockdown™ to isolate subnets and minimize lateral movement among subnets
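The two Windows controls above (blocking macros and blocking peer-to-peer traffic inside a subnet) can be applied and verified on a host with the following script. It is an added example, not part of the Calyptix advisory; it assumes Office 2016/2019/365 (policy key `16.0`), an elevated session, and writes the same registry values the corresponding Group Policy settings write, so in a domain the same values should be pushed through a GPO rather than per host.

```powershell
# Added example (not from the Calyptix advisory). Writes the registry values behind the
# Office "VBA Macro Notification Settings" and "Block macros from running in Office files
# from the Internet" policies, adds a Windows Firewall rule blocking inbound traffic from
# the local subnet, then reads the macro settings back for verification.
# Assumptions: Office 16.0 policy key; elevated session; in a domain use a GPO instead.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Set-MacroPolicy {
    # VBAWarnings 4 = "Disable all macros without notification": the user never sees
    # the "Enable Content" bar that Qakbot and Emotet lures depend on.
    # blockcontentexecutionfrominternet 1 = additionally block macros in files that carry
    # the Mark-of-the-Web (email attachments, browser downloads).
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-MacroPolicy {
    # One row per application so a non-compliant host stands out in the output.
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App         = $app
            VBAWarnings = $v.VBAWarnings
            BlockMotW   = $v.blockcontentexecutionfrominternet
            Compliant   = ($v.VBAWarnings -eq 4 -and $v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Block-LocalSubnetInbound {
    # Drops inbound connections from peers on the same subnet, the path Qakbot uses to
    # hop between workstations. Block rules take precedence over allow rules in Windows
    # Firewall, so if a management host sits in this subnet, replace the LocalSubnet
    # keyword with explicit address ranges that leave that host out.
    New-NetFirewallRule -DisplayName 'Block inbound from local subnet (lateral movement)' `
        -Direction Inbound -RemoteAddress LocalSubnet -Action Block `
        -Profile Domain, Private -Enabled True | Out-Null
}

Set-MacroPolicy
Block-LocalSubnetInbound
Test-MacroPolicy | Format-Table -AutoSize
```

Run `Test-MacroPolicy` alone on other hosts to audit whether the policy landed without changing anything.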

Educate users about what to look for

It will also help to educate users to be aware of the social engineering tactics employed by these phishing campaigns. Encourage your users to look out for:

  • Brief and vague lures to open a file or link such as:
  1. “Please see attached”
  2. “Click here to view a file”
  3. “I have attached this file for your review”
  4. “Your Invoice”
  5. “Payment Details”
  • Links that require the user to copy and paste the link in a web browser
  • Email campaigns using stolen subject lines and messages from previous infections to make the email feel expected and compel users to open the link or attachment
  • Communications that encourage them to enable macros
  • Embedded images in the message body designed to look like a real message that instructs the user to type a URL into a browser to download a malicious Excel spreadsheet. An example of this method is a message that appears to come from Craigslist.

What to do about phishing messages

An overall good rule of thumb is to be wary of every link and attachment sent in an email. This is especially true if it came from an external source and you don’t know the sender.

If you receive a suspicious message:

  1. Do not click on the link or open any attachments.
  2. If you do, do not enable macros or click ‘Enable Content’.
  3. Report the email to your MSP or IT team.
  4. Delete the email.

Any MSPs who do receive these types of reports can also let us know. Calyptix works diligently to fortify the online community for all our customers with shared information via Community Shield. Learn more today!

Written by Calyptix

March 14, 2022

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.