Cybersecurity Threat Advisory: Increased Qakbot Use to Bypass Endpoint Protection
Posted on May 12, 2023 by Jason Franks
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week, a new critical alert requires the mission-critical community’s immediate attention.
Advisory Overview
MCP is monitoring the increased use of Qakbot, a type of malware with backdoor capabilities, to bypass endpoint protection to gain initial access and then achieve a foothold in computer environments. Specifically, Qakbot is leveraging compromised trusted websites of small businesses to bypass email link scanning services to serve the malware after phishing users via email.
Threat Indicators
The phishing scam leads users to download a ZIP file containing JavaScript (.js) or Windows Script Files (.wsf), which then load the Qakbot. We have observed this loader doing the typical injection into wermgr.exe to call out to command and control. After initial access, the same day of initial execution, we observed the cyberattacker then attempting to pivot to other machines using rundll32.exe to call out via cobalt strike beacons on Hypertext Transfer Protocol Secure (HTTPS).
What are the Recommendations?
MCP’s cybersecurity team advises that organizations make end users aware of ZIP archives containing JavaScript or Windows Script Files masquerading as invoices or other documents. They also should block indicators of compromise (IoCs) reported along with their domain name server (DNS) in the firewall.
The following Qakbot servers have been listening for the connection on remote port 65400:
| Internet Protocol (IP) Address | Domain Name Server (DNS) |
| 172.107.98[.]3 | unassigned.psychz[.]net |
| 23.111.114[.]52 | N/A |
| 94.103.85[.]86 | v1785516.hosted-by-vdsina[.]ru |
| 99.228.131[.]116 | cpef02f74c848b8-cm30b7d4b9e4d0.sdns.net.rogers[.]com |
| 47.205.25[.]170 | N/A |
| 79.47.207[.]6 |
host-79-47-207-6.retail.telecomitalia[.]it |
Other potential mitigation tactics include the following:
- Disabling the Windows Script Host (wscript.exe) if not used by software on the machine.
- Blocking outbound communication to remote port 65400 via the firewall.
- Geoblocking via the firewall for outbound connections (however, this may interfere with some software).
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.
Topics: Cybersecurity
