Unmasking QakBot: A Deep Dive into Osquery for Enhanced Detection and Response

Written by
Tommy Perniciaro
Published on
May 16, 2023

QakBot, a notorious banking Trojan, has been compromising systems and stealing sensitive data since 2007. This advanced malware has evolved, gaining the ability to propagate, evade detection, and deploy additional payloads.  

As a cybersecurity professional, you need a powerful tool to help you uncover and combat the elusive QakBot. Enter osquery, an open-source, Facebook-developed tool that allows you to query your operating system as if it were a database.  

In this article, we'll delve into the technical aspects of osquery, exploring how it can enhance your QakBot detection and response capabilities with supporting queries based on known indicators of compromise (IOCs).

Inside QakBot

QakBot has been observed acting as a dropper for other types of malware, including ransomware, and it has been linked to the delivery of the ProLock and Egregor ransomware families.  

In these cases, QakBot first compromises a system and establishes persistence. Then, it downloads and installs the ransomware, which proceeds to encrypt the victim's files and demands a ransom payment for the decryption key.

This ability to deliver other malware, including ransomware, makes QakBot an even greater threat to organizations. It is crucial for cybersecurity professionals to stay vigilant and up to date on the latest tactics, techniques, and procedures employed by QakBot and other similar threats.  

Employing tools like osquery to detect and respond to QakBot infections can help organizations prevent the potential delivery of ransomware and limit the damage caused by such threats.

Understanding Osquery's Role in Cybersecurity:

Osquery acts as a versatile and powerful asset in any cybersecurity toolkit, providing invaluable insights to investigate potential threats and vulnerabilities within your systems. By using osquery to gather detailed information about processes, files, network connections, registry values, and scheduled tasks, you can uncover the telltale signs of a QakBot infection. Osquery runs on Windows, macOS and Linux with one query language, which makes it a good fit for heterogeneous environments, but not every table exists on every platform: the scheduled_tasks and registry tables used later in this article are Windows-only, while the processes and file tables are available everywhere. Run the queries interactively with osqueryi to investigate a single host, or schedule them in osqueryd with differential logging so that new matches are logged (and can be alerted on) as they appear.

Process Monitoring with Osquery:

Detect suspicious processes associated with QakBot by querying the processes table for specific command-line arguments or for unexpected parent-child relationships. The literal strings in the example below are placeholders to show the shape of the query: a live QakBot process does not name itself in its command line, so substitute the arguments, paths and process names from current threat intelligence, and use the parent column (the parent's pid) to join the table to itself and see which process spawned each candidate.

Example Query:

SELECT p.pid, p.name, p.cmdline, p.parent, p.cwd
FROM processes p
WHERE p.cmdline LIKE '%qbot%' OR p.cmdline LIKE '%qakbot%';
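The parent-child check the section describes, as an added example that is not part of the original article: the processes table is joined to itself on the parent column so each row carries its parent's name and command line. The process names, parent names and directory patterns in the WHERE clause are assumptions chosen for illustration (commonly abused DLL and script hosts, Office parents, user-writable directories), not indicators taken from this article; replace them with the names and paths from your own threat intelligence.

```sql
-- Added example, not the article's own query.
-- Surface DLL/script hosts together with the process that launched them.
-- The process names and path fragments below are illustrative assumptions.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.start_time,
  pp.pid     AS parent_pid,
  pp.name    AS parent_name,
  pp.cmdline AS parent_cmdline
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
WHERE LOWER(p.name) IN ('regsvr32.exe', 'rundll32.exe', 'wscript.exe', 'mshta.exe')
  AND (
        -- payload loaded from a user-writable location
        p.cmdline LIKE '%\AppData\%'
     OR p.cmdline LIKE '%\Temp\%'
     OR p.cmdline LIKE '%\ProgramData\%'
        -- or launched by a document-handling application
     OR LOWER(pp.name) IN ('winword.exe', 'excel.exe', 'outlook.exe')
  );
```

The LEFT JOIN keeps candidates whose parent has already exited (parent_name is then NULL), which is itself worth a look. Backslashes are literal characters in SQLite's LIKE, so the Windows path fragments need no escaping.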

Scheduled Task Analysis:

Monitor scheduled tasks for signs of QakBot persistence by querying the Windows-only scheduled_tasks table for tasks with specific names, or for tasks whose action runs a binary from an unusual path. The table reports what a task executes in its action column (it has no cmdline column), and the task name 'Updater' below is an illustrative placeholder rather than a documented QakBot task name: substitute the task names and paths from current threat intelligence.

Example Query:

SELECT t.path, t.name, t.action, t.enabled, t.last_run_time
FROM scheduled_tasks t
WHERE t.name LIKE 'Updater%' OR t.action LIKE '%qbot%';

File System Monitoring:

Detect new or modified files associated with QakBot by looking for files that match known QakBot file names, files created or modified in unusual locations (user-writable directories such as AppData), or files that exhibit abnormal access patterns. Osquery's evented file_events table needs file-integrity-monitoring paths in the configuration and exists on Linux and macOS; on Windows the equivalent is ntfs_journal_events. The example below instead uses the file table, which is available on all three platforms and takes a point-in-time snapshot. It requires a constraint on path or directory (a single % matches one path component, %% recurses), so the location filter must be ANDed with any name filter rather than ORed; run it on a schedule in osqueryd with differential logging to turn the snapshot into change detection. The 'qbot' file name is a placeholder to replace with current indicators.

Example Query:

SELECT f.path, f.filename, f.uid, f.gid, f.mode, f.mtime
FROM file f
WHERE f.path LIKE 'C:\Users\%\AppData\Roaming\%'
  AND f.filename LIKE 'qbot%';
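A more practical version of the file check, as an added example that is not from the original article: it walks every user's AppData\Roaming tree recursively, keeps only executables and DLLs modified within a lookback window, and joins the hash table so each row carries a SHA-256 that can be matched against a current indicator list. The 24-hour window and the extension filter are assumptions for illustration.

```sql
-- Added example, not the article's own query.
-- Recently modified executables/DLLs under any user's Roaming profile,
-- with SHA-256 for matching against hash-based IOCs.
-- Lookback window (86400 s) and extensions are illustrative assumptions.
SELECT
  f.path,
  f.filename,
  f.size,
  f.mtime,
  datetime(f.mtime, 'unixepoch') AS modified_utc,
  h.sha256
FROM file f
JOIN hash h USING (path)
WHERE f.path LIKE 'C:\Users\%\AppData\Roaming\%%'
  AND f.type = 'regular'
  AND (f.filename LIKE '%.dll' OR f.filename LIKE '%.exe')
  AND f.mtime > strftime('%s', 'now') - 86400;
```

Hashing is the expensive part: the path, type, extension and mtime filters apply to the file rows before the join, so only the surviving files are hashed. Widen the window when running the query for the first time on a host, then shrink it to the scheduling interval for routine use.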

Registry Change Detection:

Monitor registry autostart locations for QakBot-related modifications by querying the Windows-only registry table, which exposes a key's values as rows with key, path (the key plus the value name), name, type, data and mtime columns; osquery has no registry_changes table. The table requires a constraint on key or path, and because osqueryd normally runs as SYSTEM, HKEY_CURRENT_USER resolves to the service account's hive rather than the logged-on user's, so query HKEY_USERS with a wildcard to cover every loaded user profile. The 'Updater' value name is an illustrative placeholder.

Example Query:

SELECT r.key, r.path, r.name, r.type, r.data, r.mtime
FROM registry r
WHERE r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
  AND r.name LIKE 'Updater%';
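The scheduled-task and registry checks above both ask the same question (what persists, and does it launch from a user-writable directory?), so here they are combined into one result set. This is an added example and not the article's own query; the directory patterns are assumptions for illustration, and the HKEY_LOCAL_MACHINE branch is included because machine-wide Run keys are the other common autostart location.

```sql
-- Added example, not the article's own query.
-- One view of persistence entries (scheduled tasks, per-user Run keys,
-- machine Run key) whose command points into a user-writable directory.
-- The directory patterns are illustrative assumptions.
SELECT 'scheduled_task' AS source,
       t.name           AS entry,
       t.action         AS command,
       t.path           AS location,
       t.enabled        AS enabled
FROM scheduled_tasks t
WHERE (t.action LIKE '%\AppData\%'
    OR t.action LIKE '%\Temp\%'
    OR t.action LIKE '%\ProgramData\%')

UNION ALL

SELECT 'user_run_key'   AS source,
       r.name           AS entry,
       r.data           AS command,
       r.key            AS location,
       1                AS enabled
FROM registry r
WHERE r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
  AND (r.data LIKE '%\AppData\%'
    OR r.data LIKE '%\Temp\%'
    OR r.data LIKE '%\ProgramData\%')

UNION ALL

SELECT 'machine_run_key' AS source,
       m.name            AS entry,
       m.data            AS command,
       m.key             AS location,
       1                 AS enabled
FROM registry m
WHERE m.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
  AND (m.data LIKE '%\AppData\%'
    OR m.data LIKE '%\Temp\%'
    OR m.data LIKE '%\ProgramData\%');
```

Each registry branch carries its own key constraint because the registry table needs one per SELECT; ORing two keys in a single WHERE would leave the table without a usable constraint. Add RunOnce and other autostart keys as further UNION ALL branches in the same shape.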

These queries are templates built around the places QakBot is known to touch (processes, scheduled tasks, user-writable directories and autostart registry keys); the literal strings in them are placeholders, not current indicators. Replace them with the task names, paths and file hashes from your threat-intelligence feed, and revisit them regularly: QakBot's tactics, techniques, and procedures (TTPs) evolve over time, and the queries must evolve with them to keep detection effective.

Takeaway

Osquery's versatility and technical prowess make it a powerful tool for detecting and responding to QakBot infections. By using osquery with queries tailored to known IOCs, you can expose potential threats and take decisive action to protect your organization's digital assets.  

As QakBot continues to adapt and challenge our defenses, embracing innovative tools and techniques like osquery is essential for staying one step ahead in the ever-evolving world of cybersecurity.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).
