Blog
/

Inside the SOC

/
January 30, 2023

Qakbot Resurgence in the Cyber Landscape

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
30
Jan 2023
Stay informed on the evolving threat Qakbot. Protect yourself from the Qakbot resurgence! Learn more from our Darktrace AI Cybersecurity experts!

In June 2022, Darktrace observed a surge in Qakbot infections across its client base. The detected Qakbot infections, which in some cases led to the delivery of secondary payloads such as Cobalt Strike and Dark VNC, were initiated through novel delivery methods birthed from Microsoft’s default blocking of XL4 and VBA macros in early 2022 [1]/[2]/[3]/[4] and from the public disclosure in May 2022 [5] of the critical Follina vulnerability (CVE-2022-30190) in Microsoft Support Diagnostic Tool (MSDT). Despite the changes made to Qakbot’s delivery methods, Qakbot infections still inevitably resulted in unusual patterns of network activity. In this blog, we will provide details of these network activities, along with Darktrace/Network’s coverage of them. 

Qakbot Background 

Qakbot emerged in 2007 as a banking trojan designed to steal sensitive data such as banking credentials.  Since then, Qakbot has developed into a highly modular triple-threat powerhouse used to not only steal information, but to also drop malicious payloads and to serve as a backdoor. The malware is also versatile, with its delivery methods regularly changing in response to the changing threat landscape.  

Threat actors deliver Qakbot through email-based delivery methods. In the first half of 2022, Microsoft started rolling out versions of Office which block XL4 and VBA macros by default. Prior to this change, Qakbot email campaigns typically consisted in the spreading of deceitful emails with Office attachments containing malicious macros.  Opening these attachments and then enabling the macros within them would lead users’ devices to install Qakbot.  

Actors who deliver Qakbot onto users’ devices may either sell their access to other actors, or they may leverage Qakbot’s capabilities to pursue their own objectives [6]. A common objective of actors that use Qakbot is to drop Cobalt Strike beacons onto infected systems. Actors will then leverage the interactive access provided by Cobalt Strike to conduct extensive reconnaissance and lateral movement activities in preparation for widespread ransomware deployment. Qakbot’s close ties to ransomware activity, along with its modularity and versatility, make the malware a significant threat to organisations’ digital environments.

Activity Details and Qakbot Delivery Methods

During the month of June, variationsof the following pattern of network activity were observed in several client networks:

1.     User’s device contacts an email service such as outlook.office[.]com or mail.google[.]com

2.     User’s device makes an HTTP GET request to 185.234.247[.]119 with an Office user-agent string and a ‘/123.RES' target URI. The request is responded to with an HTML file containing a exploit for the Follina vulnerability (CVE-2022-30190)

3.     User’s device makes an HTTP GET request with a cURL User-Agent string and a target URI ending in ‘.dat’ to an unusual external endpoint. The request is responded to with a Qakbot DLL sample

4.     User’s device contacts Qakbot Command and Control servers over ports such as 443, 995, 2222, and 32101

In some cases, only steps 1 and 4 were seen, and in other cases, only steps 1, 3, and 4 were seen. The different variations of the pattern correspond to different Qakbot delivery methods.

Figure 1: Geographic distribution of Darktrace clients affected by Qakbot

Qakbot is known to be delivered via malicious email attachments [7]. The Qakbot infections observed across Darktrace’s client base during June were likely initiated through HTML smuggling — a method which consists in embedding malicious code into HTML attachments. Based on open-source reporting [8]-[14] and on observed patterns of network traffic, we assess with moderate to high confidence that the Qakbot infections observed across Darktrace’s client base during June 2022 were initiated via one of the following three methods:

  • User opens HTML attachment which drops a ZIP file on their device. ZIP file contains a LNK file, which when opened, causes the user's device to make an external HTTP GET request with a cURL User-Agent string and a '.dat' target URI. If successful, the HTTP GET request is responded to with a Qakbot DLL.
  • User opens HTML attachment which drops a ZIP file on their device. ZIP file contains a docx file, which when opened, causes the user's device to make an HTTP GET request to 185.234.247[.]119 with an Office user-agent string and a ‘/123.RES' target URI. If successful, the HTTP GET request is responded to with an HTML file containing a Follina exploit. The Follina exploit causes the user's device to make an external HTTP GET with a '.dat' target URI. If successful, the HTTP GET request is responded to with a Qakbot DL.
  • User opens HTML attachment which drops a ZIP file on their device. ZIP file contains a Qakbot DLL and a LNK file, which when opened, causes the DLL to run.

The usage of these delivery methods illustrate how threat actors are adopting to a post-macro world [4], with their malware delivery techniques shifting from usage of macros-embedding Office documents to usage of container files, Windows Shortcut (LNK) files, and exploits for novel vulnerabilities. 

The Qakbot infections observed across Darktrace’s client base did not only vary in terms of their delivery methods — they also differed in terms of their follow-up activities. In some cases, no follow-up activities were observed. In other cases, however, actors were seen leveraging Qakbot to exfiltrate data and to deliver follow-up payloads such as Cobalt Strike and Dark VNC.  These follow-up activities were likely preparation for the deployment of ransomware. Darktrace’s early detection of Qakbot activity within client environments enabled security teams to take actions which likely prevented the deployment of ransomware. 

Darktrace Coverage 

Users’ interactions with malicious email attachments typically resulted in their devices making cURL HTTP GET requests with empty Host headers and target URIs ending in ‘.dat’ (such as as ‘/24736.dat’ and ‘/noFindThem.dat’) to rare, external endpoints. In cases where the Follina vulnerability is believed to have been exploited, users’ devices were seen making HTTP GET requests to 185.234.247[.]119 with a Microsoft Office User-Agent string before making cURL HTTP GET requests. The following Darktrace DETECT/Network models typically breached as a result of these HTTP activities:

  • Device / New User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Device / New User Agent and New IP
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Numeric Exe Download 

These DETECT models were able to capture the unusual usage of Office and cURL User-Agent strings on affected devices, as well as the downloads of the Qakbot DLL from rare external endpoints. These models look for unusual activity that falls outside a device’s usual pattern of behavior rather than for activity involving User-Agent strings, URIs, files, and external IPs which are known to be malicious.

When enabled, Darktrace RESPOND/Network autonomously intervened, taking actions such as ‘Enforce group pattern of life’ and ‘Block connections’ to quickly intercept connections to Qakbot infrastructure. 

Figure 2: This ‘New User Agent to IP Without Hostname’ model breach highlights an example of Darktrace’s detection of a device attempting to download a file containing a Follina exploit
Figure 3: This ‘New User Agent to IP Without Hostname’ model breach highlights an example of Darktrace’s detection of a device attempting to download Qakbot
Figure 4: The Event Log for an infected device highlights the moment a connection to the endpoint outlook.office365[.]com was made. This was followed by an executable file transfer detection and use of a new User-Agent, curl/7.9.1

After installing Qakbot, users’ devices started making connections to Command and Control (C2) endpoints over ports such as 443, 22, 990, 995, 1194, 2222, 2078, 32101. Cobalt Strike and Dark VNC may have been delivered over some of these C2 connections, as evidenced by subsequent connections to endpoints associated with Cobalt Strike and Dark VNC. These C2 activities typically caused the following Darktrace DETECT/Network models to breach: 

  • Anomalous Connection / Application Protocol on Uncommon Port
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Compromise / Suspicious Beaconing Behavior
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Large Number of Suspicious Successful Connections
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / SSL or HTTP Beacon
  • Anomalous Connection / Rare External SSL Self-Signed
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Compromise / SSL Beaconing to Rare Destination
  • Compromise / Suspicious TLS Beaconing To Rare External
  • Compromise / Slow Beaconing Activity To External Rare
Figure 5: This Device Event Log illustrates the Command and Control activity displayed by a Qakbot-infected device

The Darktrace DETECT/Network models which detected these C2 activities do not look for devices making connections to known, malicious endpoints. Rather, they look for devices deviating from their ordinary patterns of activity, making connections to external endpoints which internal devices do not usually connect to, over ports which devices do not normally connect over. 

In some cases, actors were seen exfiltrating data from Qakbot-infected systems and dropping Cobalt Strike in order to conduct extensive discovery. These exfiltration activities typically caused the following models to breach:

  • Anomalous Connection / Data Sent to Rare Domain
  • Unusual Activity / Enhanced Unusual External Data Transfer
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Anomalous Connection / Low and Slow Exfiltration to IP
  • Unusual Activity / Unusual External Data to New Endpoints

The reconnaissance and brute-force activities carried out by actors typically resulted in breaches of the following models:

  • Device / ICMP Address Scan
  • Device / Network Scan
  • Anomalous Connection / SMB Enumeration
  • Device / New or Uncommon WMI Activity
  •  Unusual Activity / Possible RPC Recon Activity
  • Device / Possible SMB/NTLM Reconnaissance
  •  Device / SMB Lateral Movement
  •  Device / Increase in New RPC Services
  •  Device / Spike in LDAP Activity
  • Device / Possible SMB/NTLM Brute Force
  • Device / SMB Session Brute Force (Non-Admin)
  • Device / SMB Session Brute Force (Admin)
  • Device / Anomalous NTLM Brute Force

Conclusion

June 2022 saw Qakbot swiftly mould itself in response to Microsoft's default blocking of macros and the public disclosure of the Follina vulnerability. The evolution of the threat landscape in the first half of 2022 caused Qakbot to undergo changes in its delivery methods, shifting from delivery via macros-based methods to delivery via HTML smuggling methods. The effectiveness of these novel delivery methods where highlighted in Darktrace's client base, where large volumes of Qakbot infections were seen during June 2022. Leveraging Self-Learning AI, Darktrace DETECT/Network was able to detect the unusual network behaviors which inevitably resulted from these novel Qakbot infections. Given that the actors behind these Qakbot infections were likely seeking to deploy ransomware, these detections, along with Darktrace RESPOND/Network’s autonomous interventions, ultimately helped to protect affected Darktrace clients from significant business disruption.  

Appendices

List of IOCs

References

[1] https://techcommunity.microsoft.com/t5/excel-blog/excel-4-0-xlm-macros-now-restricted-by-default-for-customer/ba-p/3057905

[2] https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805

[3] https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked

[4] https://www.proofpoint.com/uk/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world

[5] https://twitter.com/nao_sec/status/1530196847679401984

[6] https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/

[7] https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques

[8] https://www.esentire.com/blog/resurgence-in-qakbot-malware-activity

[9] https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails

[10] https://twitter.com/pr0xylife/status/1539320429281615872

[11] https://twitter.com/max_mal_/status/1534220832242819072

[12] https://twitter.com/1zrr4h/status/1534259727059787783?lang=en

[13] https://isc.sans.edu/diary/rss/28728

[14] https://www.fortiguard.com/threat-signal-report/4616/qakbot-delivered-through-cve-2022-30190-follina

Credit to:  Hanah Darley, Cambridge Analyst Team Lead and Head of Threat Research and Sam Lister, Senior Cyber Analyst

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Nahisha Nobregas
SOC Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

January 28, 2025

/

Inside the SOC

Bytesize Security: Insider Threats in Google Workspace

Default blog imageDefault blog image

What is an insider threat?

An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.

Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.

For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.

Attack overview: Insider threat

In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.

While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.

A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.

Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.

In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.

Conclusion

Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.

Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.

Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File

References

[1]https://www.adobe.com/creativecloud/file-types/image/vector/indd-file.html

MITRE ATT&CK Mapping

Technqiue – Tactic – ID

Data from Cloud Storage Object – COLLECTION -T1530

Continue reading
About the author
Vivek Rajan
Cyber Analyst

Blog

/

January 28, 2025

/
No items found.

Reimagining Your SOC: How to Achieve Proactive Network Security

Default blog imageDefault blog image

Introduction: Challenges and solutions to SOC efficiency

For Security Operation Centers (SOCs), reliance on signature or rule-based tools – solutions that are always chasing the latest update to prevent only what is already known – creates an excess of false positives. SOC analysts are therefore overwhelmed by a high volume of context-lacking alerts, with human analysts able to address only about 10% due to time and resource constraints. This forces many teams to accept the risks of addressing only a fraction of the alerts while novel threats go completely missed.

74% of practitioners are already grappling with the impact of an AI-powered threat landscape, which amplifies challenges like tool sprawl, alert fatigue, and burnout. Thus, achieving a resilient network, where SOC teams can spend most of their time getting proactive and stopping threats before they occur, feels like an unrealistic goal as attacks are growing more frequent.

Despite advancements in security technology (advanced detection systems with AI, XDR tools, SIEM aggregators, etc...), practitioners are still facing the same issues of inefficiency in their SOC, stopping them from becoming proactive. How can they select security solutions that help them achieve a proactive state without dedicating more human hours and resources to managing and triaging alerts, tuning rules, investigating false positives, and creating reports?

To overcome these obstacles, organizations must leverage security technology that is able to augment and support their teams. This can happen in the following ways:

  1. Full visibility across the modern network expanding into hybrid environments
  2. Have tools that identifies and stops novel threats autonomously, without causing downtime
  3. Apply AI-led analysis to reduce time spent on manual triage and investigation

Your current solutions might be holding you back

Traditional cybersecurity point solutions are reliant on using global threat intelligence to pattern match, determine signatures, and consequently are chasing the latest update to prevent only what is known. This means that unknown threats will evade detection until a patient zero is identified. This legacy approach to threat detection means that at least one organization needs to be ‘patient zero’, or the first victim of a novel attack before it is formally identified.

Even the point solutions that claim to use AI to enhance threat detection rely on a combination of supervised machine learning, deep learning, and transformers to

train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized dataset gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.

While using AI in this way reduces the workload of security teams who would traditionally input this data by hand, it emanates the same risk – namely, that AI systems trained on known threats cannot deal with the threats of tomorrow. Ultimately, it is the unknown threats that bring down an organization.

The promise and pitfalls of XDR in today's threat landscape

Enter Extended Detection and Response (XDR): a platform approach aimed at unifying threat detection across the digital environment. XDR was developed to address the limitations of traditional, fragmented tools by stitching together data across domains, providing SOC teams with a more cohesive, enterprise-wide view of threats. This unified approach allows for improved detection of suspicious activities that might otherwise be missed in siloed systems.

However, XDR solutions still face key challenges: they often depend heavily on human validation, which can aggravate the already alarmingly high alert fatigue security analysts experience, and they remain largely reactive, focusing on detecting and responding to threats rather than helping prevent them. Additionally, XDR frequently lacks full domain coverage, relying on EDR as a foundation and are insufficient in providing native NDR capabilities and visibility, leaving critical gaps that attackers can exploit. This is reflected in the current security market, with 57% of organizations reporting that they plan to integrate network security products into their current XDR toolset[1].

Why settling is risky and how to unlock SOC efficiency

The result of these shortcomings within the security solutions market is an acceptance of inevitable risk. From false positives driving the barrage of alerts, to the siloed tooling that requires manual integration, and the lack of multi-domain visibility requiring human intervention for business context, security teams have accepted that not all alerts can be triaged or investigated.

While prioritization and processes have improved, the SOC is operating under a model that is overrun with alerts that lack context, meaning that not all of them can be investigated because there is simply too much for humans to parse through. Thus, teams accept the risk of leaving many alerts uninvestigated, rather than finding a solution to eliminate that risk altogether.

Darktrace / NETWORK is designed for your Security Operations Center to eliminate alert triage with AI-led investigations , and rapidly detect and respond to known and unknown threats. This includes the ability to scale into other environments in your infrastructure including cloud, OT, and more.

Beyond global threat intelligence: Self-Learning AI enables novel threat detection & response

Darktrace does not rely on known malware signatures, external threat intelligence, historical attack data, nor does it rely on threat trained machine learning to identify threats.

Darktrace’s unique Self-learning AI deeply understands your business environment by analyzing trillions of real-time events that understands your normal ‘pattern of life’, unique to your business. By connecting isolated incidents across your business, including third party alerts and telemetry, Darktrace / NETWORK uses anomaly chains to identify deviations from normal activity.

The benefit to this is that when we are not predefining what we are looking for, we can spot new threats, allowing end users to identify both known threats and subtle, never-before-seen indicators of malicious activity that traditional solutions may miss if they are only looking at historical attack data.

AI-led investigations empower your SOC to prioritize what matters

Anomaly detection is often criticized for yielding high false positives, as it flags deviations from expected patterns that may not necessarily indicate a real threat or issues. However, Darktrace applies an investigation engine to automate alert triage and address alert fatigue.

Darktrace’s Cyber AI Analyst revolutionizes security operations by conducting continuous, full investigations across Darktrace and third-party alerts, transforming the alert triage process. Instead of addressing only a fraction of the thousands of daily alerts, Cyber AI Analyst automatically investigates every relevant alert, freeing up your team to focus on high-priority incidents and close security gaps.

Powered by advanced machine-learning techniques, including unsupervised learning, models trained by expert analysts, and tailored security language models, Cyber AI Analyst emulates human investigation skills, testing hypotheses, analyzing data, and drawing conclusions. According to Darktrace Internal Research, Cyber AI Analyst typically provides a SOC with up to  50,000 additional hours of Level 2 analysis and written reporting annually, enriching security operations by producing high level incident alerts with full details so that human analysts can focus on Level 3 tasks.

Containing threats with Autonomous Response

Simply quarantining a device is rarely the best course of action - organizations need to be able to maintain normal operations in the face of threats and choose the right course of action. Different organizations also require tailored response functions because they have different standards and protocols across a variety of unique devices. Ultimately, a ‘one size fits all’ approach to automated response actions puts organizations at risk of disrupting business operations.

Darktrace’s Autonomous Response tailors its actions to contain abnormal behavior across users and digital assets by understanding what is normal and stopping only what is not. Unlike blanket quarantines, it delivers a bespoke approach, blocking malicious activities that deviate from regular patterns while ensuring legitimate business operations remain uninterrupted.

Darktrace offers fully customizable response actions, seamlessly integrating with your workflows through hundreds of native integrations and an open API. It eliminates the need for costly development, natively disarming threats in seconds while extending capabilities with third-party tools like firewalls, EDR, SOAR, and ITSM solutions.

Unlocking a proactive state of security

Securing the network isn’t just about responding to incidents — it’s about being proactive, adaptive, and prepared for the unexpected. The NIST Cybersecurity Framework (CSF 2.0) emphasizes this by highlighting the need for focused risk management, continuous incident response (IR) refinement, and seamless integration of these processes with your detection and response capabilities.

Despite advancements in security technology, achieving a proactive posture is still a challenge to overcome because SOC teams face inefficiencies from reliance on pattern-matching tools, which generate excessive false positives and leave many alerts unaddressed, while novel threats go undetected. If SOC teams are spending all their time investigating alerts then there is no time spent getting ahead of attacks.

Achieving proactive network resilience — a state where organizations can confidently address challenges at every stage of their security posture — requires strategically aligned solutions that work seamlessly together across the attack lifecycle.

References

1.       Market Guide for Extended Detection and Response, Gartner, 17thAugust 2023 - ID G00761828

Continue reading
About the author
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Your data. Our AI.
Elevate your network security with Darktrace AI