Malware Qakbot — March 2022 Compromises
In recent weeks, and consistent with previously documented Qakbot activity, we have observed a general increase in compromise activity across the environments we monitor.
Criminal groups deploy malware for several objectives: ransomware execution, exfiltration of sensitive data, and credential harvesting. Qakbot, documented in MITRE ATT&CK as S0650, is consistently used for all three.
Unlike previous campaigns, this wave shows deliberate investment in lure quality. Operators insert themselves into existing email threads and reply to all recipients with a generic request to download a document. The payload is a password-protected .zip archive containing an Excel XLSB file. Because the reply arrives inside a conversation the recipients already trust (mapped here to T1534, Internal Spearphishing), victim suspicion is significantly reduced.
To verify exposure against this campaign, apply the Indicators of Compromise listed at the end of this article.
Email Analysis

To maximise the probability of compromise, the operator uses "Reply All" on an existing thread, inserting a generic request to download a document into the thread body. Because the message arrives inside a conversation the recipients already know, with the expected subject and the quoted history beneath it, anomalies are much harder to spot (T1534, Internal Spearphishing).
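The thread-context check this section calls for, as an added example that is not part of the original article: it walks a thread in order, records who has taken part, and flags a reply that carries a lure artefact (a password-protected archive or a bare download link in a short body), rating it higher when the sender never appeared in the thread or merely resembles a known participant. The three messages, every address and domain, and the attachment bytes are constructed for illustration.

```python
"""Thread-context check for reply-chain lures.

Added example, not from the article. The three messages below are constructed;
every address, domain and the attachment bytes are placeholders.
"""
import base64
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed ZIP local-file header, general-purpose flag 0x0009 (bit 0 set =
# entry is encrypted). Enough to exercise the check; not a real archive.
_ENCRYPTED_ZIP = b"PK\x03\x04\x14\x00\x09\x00\x08\x00" + b"\x00" * 22
_B64 = base64.b64encode(_ENCRYPTED_ZIP).decode()

THREAD = [
    "From: Alice <alice@example.com>\nTo: Bob <bob@partner.example>\n"
    "Message-ID: <m1@example.com>\nSubject: Q1 invoice\n\n"
    "Bob, the Q1 total is 4200. Shout if you need the breakdown.\n",
    "From: Bob <bob@partner.example>\nTo: Alice <alice@example.com>\n"
    "Message-ID: <m2@partner.example>\nIn-Reply-To: <m1@example.com>\n"
    "Subject: Re: Q1 invoice\n\nThanks Alice, noted.\n",
    # Hijacked reply-all from a lookalike domain with a generic lure.
    "From: Alice <alice@example.net>\n"
    "To: Bob <bob@partner.example>, Alice <alice@example.com>\n"
    "Message-ID: <m3@example.net>\nIn-Reply-To: <m2@partner.example>\n"
    "Subject: Re: Q1 invoice\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="bnd"\n\n'
    "--bnd\nContent-Type: text/plain\n\n"
    "Please download the document: http://files.example.test/doc\n"
    '--bnd\nContent-Type: application/zip; name="document.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="document.zip"\n\n'
    + _B64 + "\n--bnd--\n",
]

LINK = re.compile(r"https?://\S+", re.I)
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".iso", ".img")

def participants(msg):
    """Every address seen in From/To/Cc of one message, lowercased."""
    hdrs = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}

def zip_is_encrypted(data):
    # "PK\x03\x04", version (2 bytes), then the flags word; bit 0 = encrypted.
    return data[:4] == b"PK\x03\x04" and len(data) >= 8 and bool(data[6] & 1)

def lure_artefacts(msg):
    """Archive attachments (encrypted or not) and bare download links in a short body."""
    found, body = [], ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name.endswith(ARCHIVE_EXT):
                enc = zip_is_encrypted(part.get_payload(decode=True) or b"")
                found.append(f"{'encrypted ' if enc else ''}archive attachment {name}")
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if LINK.search(body) and len(body.split()) < 40:
        found.append("bare download link in a short body")
    return found

def analyse_thread(raw_messages):
    """Walk a thread in order; return [(message_id, severity, reasons)]."""
    seen_ids, seen_people, flagged = set(), set(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = msg.get("Message-ID", "").strip()
        sender = parseaddr(msg.get("From", ""))[1].lower()
        is_reply = msg.get("In-Reply-To", "").strip() in seen_ids
        artefacts = lure_artefacts(msg) if is_reply else []
        if artefacts:
            reasons = list(artefacts)
            if sender in seen_people:
                severity = "medium"   # genuine address, possibly a compromised mailbox
            else:
                local = sender.partition("@")[0]
                twins = sorted(p for p in seen_people if p.partition("@")[0] == local)
                reasons.append(f"sender {sender} never took part in the thread"
                               + (f", same local part as {twins[0]}" if twins else ""))
                severity = "high"
            flagged.append((mid, severity, reasons))
        seen_ids.add(mid)
        seen_people |= participants(msg)
    return flagged

if __name__ == "__main__":
    for mid, sev, why in analyse_thread(THREAD):
        print(mid, sev, "; ".join(why))
```

A reply sent from a genuinely compromised mailbox passes the sender test, which is why the lure artefact, not the sender, is the gating condition and the sender test only raises the severity. The encryption check reads the general-purpose flag of the first ZIP local file header, which identifies a password-protected archive without extracting it.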
XLSB File Analysis
The link in the email triggers the download of a zip archive containing the XLSB file oermlrdmroeu.xlsb. On opening the workbook, the user is prompted to enable macros; doing so starts the compromise chain (T1137, Office Application Startup; T1059.001, PowerShell).

| Field | Value |
| --- | --- |
| Name | oermlrdmroeu.xlsb |
| MD5 | c2a6f0dead1ae3b86c0361d483ae0967 |
| SHA1 | 400602f0a71899bf4cfdb028afeb2f31db4de1ff |
| SHA256 | 72b0b629c772bf3fce97cdbb589dc12b516484851d48ffa132be2e2ea56b24aa |
rvr1.ocx Analysis
Macro activation initiates a callback to ksindesign.com[.]br (IP 108.179.252[.]104) to download rvr1.ocx to the path C:\Xnvr\rvr1.ocx.
Despite the .ocx extension the file is a DLL, loaded via regsvr32 (T1218.010, Signed Binary Proxy Execution: Regsvr32). Execution launches OneDriveSetup.exe, which downloads and writes ghdddhopnqk.dll to AppData\Roaming\Microsoft\Kleqaiwaulq.
| Field | Value |
| --- | --- |
| Name | rvr1.ocx |
| MD5 | cb94f597357fca51e3ac47187193730e |
| SHA1 | d22380908f9bcb95d875696f857646f701fd9a0c |
| SHA256 | cf00a86bfe97ad6975122ed5b53af40d96d505b7e3caed80cc1f6f9010927692 |
Qakbot Malware — ghdddhopnqk.dll Analysis
Dynamic analysis of Qakbot allowed us to map interactions between the malware and the victim system. Below are the key operations observed during the compromise.
Defense Evasion & Privilege Escalation
The malicious DLL is written to AppData\Roaming\Microsoft\Kleqaiwaulq by the OneDriveSetup process; regsvr32 is then invoked to load it.
Immediately after loading, the DLL injects into the OneDriveSetup process (T1055, Process Injection). We assess this as the privilege escalation step, most likely via Token Impersonation (T1134.001), intended to yield a higher-privileged process for the data collection and exfiltration stages that follow. Note, however, that in this run the Credential Manager access described below failed for lack of privileges, so the escalation was not observed to succeed.
Credential Access
Qakbot harvests victim credentials from two sources:
- credentials saved in browser profiles (T1555.003, Credentials from Web Browsers),
- passwords held by Windows Credential Manager and the LSASS process (T1555.004, Windows Credential Manager; T1003.001, LSASS Memory).
In this run, the process attempting to access Credential Manager did not hold sufficient privileges to complete the operation (a high-confidence observation from dynamic analysis).
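A behavioural detection for the chain described in the preceding sections (Excel spawning regsvr32, regsvr32 loading a module from an unusual path, OneDriveSetup.exe started by regsvr32, a DLL written under AppData\Roaming\Microsoft\<random>, and a non-system process opening lsass.exe), written here as an added example rather than taken from the article. The events are constructed in a Sysmon-like shape (EventID 1 process create, 11 file create, 10 process access); the hostnames, the OneDriveSetup.exe location and the benign ws02 event are assumptions.

```python
"""Behavioural rules for the rvr1.ocx / ghdddhopnqk.dll chain.

Added example, not from the article. Events are constructed in a Sysmon-like
shape: EventID 1 = process create, 11 = file create, 10 = process access.
Hostnames, the OneDriveSetup.exe location and the ws02 event are invented.
"""
import re
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
INSTALLERS = {"msiexec.exe", "setup.exe"}
LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ROAMING_DLL = re.compile(r"\\appdata\\roaming\\microsoft\\[^\\]+\\[^\\]+\.dll$", re.I)

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_trusted_dir(path):
    return path.strip('"').lower().startswith(TRUSTED_DIRS)

def regsvr32_module(cmd):
    """Module path from a regsvr32 command line (quoted or bare .ocx/.dll)."""
    m = re.search(r'"([^"]+\.(?:ocx|dll))"|(\S+\.(?:ocx|dll))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None

def rule_regsvr32_untrusted_module(ev):
    if ev["id"] == 1 and base(ev["image"]) == "regsvr32.exe":
        mod = regsvr32_module(ev["cmd"])
        if mod and not in_trusted_dir(mod):
            return f"regsvr32 loading {mod} from outside Windows/Program Files"

def rule_office_spawns_regsvr32(ev):
    if ev["id"] == 1 and base(ev["image"]) == "regsvr32.exe" and base(ev["parent"]) in OFFICE_APPS:
        return f"{base(ev['parent'])} spawned regsvr32.exe"

def rule_regsvr32_spawns_onedrivesetup(ev):
    if ev["id"] == 1 and base(ev["image"]) == "onedrivesetup.exe" and base(ev["parent"]) == "regsvr32.exe":
        return "OneDriveSetup.exe started by regsvr32.exe"

def rule_dll_dropped_in_roaming(ev):
    if ev["id"] == 11 and ROAMING_DLL.search(ev["target"]) and base(ev["image"]) not in INSTALLERS:
        return f"{base(ev['image'])} wrote {ev['target']}"

def rule_lsass_access(ev):
    if ev["id"] == 10 and base(ev["target_image"]) == "lsass.exe" and base(ev["image"]) not in LSASS_READERS:
        return f"{base(ev['image'])} opened lsass.exe with access {ev['access']}"

RULES = [rule_regsvr32_untrusted_module, rule_office_spawns_regsvr32,
         rule_regsvr32_spawns_onedrivesetup, rule_dll_dropped_in_roaming, rule_lsass_access]

def run_rules(events):
    """host -> [(rule name, message)] for every rule that fires."""
    findings = defaultdict(list)
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings[ev["host"]].append((rule.__name__, msg))
    return dict(findings)

def hosts_with_chain(findings, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: one rule alone
    (an installer calling regsvr32, say) is noise; several together are the chain."""
    return sorted(h for h, f in findings.items() if len({r for r, _ in f}) >= min_rules)

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
REGSVR = r"C:\Windows\System32\regsvr32.exe"
ODS = r"C:\Windows\SysWOW64\OneDriveSetup.exe"   # assumed location
DROPPED = r"C:\Users\jdoe\AppData\Roaming\Microsoft\Kleqaiwaulq\ghdddhopnqk.dll"

EVENTS = [  # constructed, in the order the article describes
    {"id": 1, "host": "ws01", "image": EXCEL, "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"EXCEL.EXE" C:\Users\jdoe\Downloads\oermlrdmroeu.xlsb'},
    {"id": 1, "host": "ws01", "image": REGSVR, "parent": EXCEL, "cmd": r"regsvr32 -s C:\Xnvr\rvr1.ocx"},
    {"id": 1, "host": "ws01", "image": ODS, "parent": REGSVR, "cmd": "OneDriveSetup.exe"},
    {"id": 11, "host": "ws01", "image": ODS, "target": DROPPED},
    {"id": 1, "host": "ws01", "image": REGSVR, "parent": ODS, "cmd": f'regsvr32 -s "{DROPPED}"'},
    {"id": 10, "host": "ws01", "image": ODS, "target_image": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    # Benign: an installer registering a COM server from Program Files.
    {"id": 1, "host": "ws02", "image": REGSVR, "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'regsvr32 /s "C:\Program Files\Vendor\viewer.ocx"'},
]

if __name__ == "__main__":
    found = run_rules(EVENTS)
    for host, items in found.items():
        for name, msg in items:
            print(host, name, msg)
    print("chain on:", hosts_with_chain(found))
```

Each rule on its own would page an analyst too often (installers call regsvr32, OneDrive updates write files); the value is in the correlation, which is why `hosts_with_chain` requires several distinct rules on the same host before calling it the chain.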
Exfiltration and Command & Control
During execution the sample opens a TCP connection on port 22 to 72.12.115[.]90 and an HTTPS connection on port 443 to 102.65.38[.]67, an address associated with Qakbot C2 infrastructure (T1071.001, Application Layer Protocol: Web Protocols). Port 22 is the SSH port, but the C2 list below shows Qakbot beaconing over 22, 443, 995, 2222 and higher ports alike, so treat the destination address and port pair, not the port alone, as the indicator.
Indicators of Compromise
| XLSB file hashes (MD5) |
| --- |
| c2a6f0dead1ae3b86c0361d483ae0967 |
| 334fcb9c5b1d79dd9d8959cfede1772d |
| 73186b922d42e153b2bd828571784656 |
| eaaa834e6736ee29894c7f5751f8859e |
| fa9aec61e273625eec2b591ea6b7b491 |

| ZIP file hashes (MD5) |
| --- |
| 6b3ffd489f59d6952302a18ffc36b56a |
| 16b6cb76eb9e377e7ef2f0ec2f6253de |
| 38b2443c9c5e34f4148856f5333bc435 |
| c388ed56f887b2bde94a2fab698eabc4 |
| e5492cb8abff84556c652d3ea02b57b2 |

| rvr1.ocx (loader) hashes | |
| --- | --- |
| MD5 | cb94f597357fca51e3ac47187193730e |
| SHA1 | d22380908f9bcb95d875696f857646f701fd9a0c |
| SHA256 | cf00a86bfe97ad6975122ed5b53af40d96d505b7e3caed80cc1f6f9010927692 |

| Payload download domains |
| --- |
| ksindesign.com[.]br (resolved to 108.179.252[.]104 at analysis time) |
| tradicaodaroca[.]net |
| gpsadvanceconsulting[.]com |
| perfectbreezencool[.]com |

| Qakbot C2 address | Port |
| --- | --- |
| 72.12.115[.]90 | 22 |
| 102.65.38[.]67 | 443 |
| 89.211.187[.]185 | 2222 |
| 176.67.56[.]24 | 443 |
| 208.101.87[.]127 | 443 |
| 172.114.160[.]106 | 995 |
| 139.64.13[.]107 | 995 |
| 173.21.10[.]39 | 2222 |
| 136.143.11[.]80 | 443 |
| 47.180.172[.]31 | 50010 |
| 105.186.127[.]92 | 995 |
| 47.156.191[.]199 | 443 |
| 86.184.85[.]167 | 443 |
| 24.43.99[.]59 | 443 |
| 203.212.24[.]122 | 995 |
| 40.134.247[.]111 | 995 |
| 90.74.16[.]202 | 6881 |
| 144.202.2[.]83 | 995 |
| 201.42.65[.]134 | 995 |
| 45.241.221[.]89 | 995 |
| 86.97.209[.]174 | 1194 |
| 24.55.67[.]19 | 443 |
| 197.89.108[.]186 | 443 |
| 140.82.49[.]132 | 443 |
| 75.99.168[.]90 | 61201 |
| 80.14.188[.]21 | 2222 |
| 86.98.11[.]218 | 443 |
| 108.60.213[.]191 | 443 |
| 121.74.187[.]113 | 995 |
| 70.51.139[.]5 | 2222 |
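An added example (not the article's own tooling) that applies these indicators to file hashes and to firewall and DNS log lines: exact address and port matches against the C2 list, address-only matches for a connection to a listed C2 host on an unlisted port, suffix matches for the payload domains, and a match on the resolved payload host. The C2 set in the code is a subset of the table above; the log lines are constructed, and the log field names (dst=, dport=, query=) are assumptions.

```python
"""IOC sweep for the indicators listed above.

Added example, not part of the article. The C2 set is a subset of the table
above (extend it with the rest); the log lines and field names are constructed.
"""
import hashlib
import re

# Hashes from the tables above, lowercased (MD5 unless noted).
FILE_HASHES = {
    "c2a6f0dead1ae3b86c0361d483ae0967", "334fcb9c5b1d79dd9d8959cfede1772d",
    "73186b922d42e153b2bd828571784656", "eaaa834e6736ee29894c7f5751f8859e",
    "fa9aec61e273625eec2b591ea6b7b491",                                   # XLSB
    "6b3ffd489f59d6952302a18ffc36b56a", "16b6cb76eb9e377e7ef2f0ec2f6253de",
    "38b2443c9c5e34f4148856f5333bc435", "c388ed56f887b2bde94a2fab698eabc4",
    "e5492cb8abff84556c652d3ea02b57b2",                                   # ZIP
    "cb94f597357fca51e3ac47187193730e",                                   # rvr1.ocx MD5
    "d22380908f9bcb95d875696f857646f701fd9a0c",                           # rvr1.ocx SHA1
    "cf00a86bfe97ad6975122ed5b53af40d96d505b7e3caed80cc1f6f9010927692",  # rvr1.ocx SHA256
}
PAYLOAD_DOMAINS = {"ksindesign.com.br", "tradicaodaroca.net",
                   "gpsadvanceconsulting.com", "perfectbreezencool.com"}
PAYLOAD_IPS = {"108.179.252.104"}
C2 = {("72.12.115.90", 22), ("102.65.38.67", 443), ("89.211.187.185", 2222),
      ("176.67.56.24", 443), ("172.114.160.106", 995)}   # subset of the table
C2_IPS = {ip for ip, _ in C2}
ALGOS = ("md5", "sha1", "sha256")

def hash_bytes(data):
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}

def file_hashes(path, chunk=1 << 20):
    """Stream a file once and compute all three digests."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def matching_hashes(hashes):
    """Algorithms whose digest appears in the IOC set."""
    return sorted(algo for algo, h in hashes.items() if h.lower() in FILE_HASHES)

def domain_is_ioc(name):
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in PAYLOAD_DOMAINS)

CONN = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\s+dport=(\d+)")
DNS = re.compile(r"\bquery=([A-Za-z0-9.-]+)")

def scan_log(lines):
    """Return (line_no, kind, value) for every IOC hit in firewall/DNS lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CONN.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            if (ip, port) in C2:
                hits.append((n, "c2_exact", f"{ip}:{port}"))
            elif ip in C2_IPS:      # Qakbot rotates ports; the host alone still matters
                hits.append((n, "c2_ip_only", f"{ip}:{port}"))
            elif ip in PAYLOAD_IPS:
                hits.append((n, "payload_ip", f"{ip}:{port}"))
        m = DNS.search(line)
        if m and domain_is_ioc(m.group(1)):
            hits.append((n, "payload_domain", m.group(1).rstrip(".").lower()))
    return hits

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    "2022-03-09T10:01:02Z fw src=10.0.5.21 dst=142.250.74.46 dport=443 action=allow",
    "2022-03-09T10:01:09Z dns client=10.0.5.21 query=ksindesign.com.br. type=A",
    "2022-03-09T10:01:10Z fw src=10.0.5.21 dst=108.179.252.104 dport=80 action=allow",
    "2022-03-09T10:02:31Z fw src=10.0.5.21 dst=102.65.38.67 dport=443 action=allow",
    "2022-03-09T10:02:40Z fw src=10.0.5.21 dst=72.12.115.90 dport=2222 action=allow",
    "2022-03-09T10:03:00Z dns client=10.0.5.22 query=mail.example.com. type=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The address-only match matters because the C2 table pairs each host with one port, while the same host may be contacted on another port in a later sample; reporting it as a weaker hit keeps it visible without equating it with an exact match. The domain check accepts subdomains so that a download from a host under a listed domain is still caught.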
Qakbot campaigns consistently exploit the trust established by existing email threads; a detection strategy that ignores thread context will not surface this initial access vector.