{"id":4386,"date":"2022-03-14T18:42:24","date_gmt":"2022-03-14T18:42:24","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4386"},"modified":"2026-06-08T09:42:27","modified_gmt":"2026-06-08T09:42:27","slug":"malware-qakbot-marzo-22","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/malware-qakbot-marzo-22\/","title":{"rendered":"Malware Qakbot \u2014 March 2022 Compromises"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent weeks, consistent with previously documented activity (<a href=\"https:\/\/fortgale.com\/news\/2022\/02\/25\/russia-ucraina-attacchi-informatici\/\" target=\"_blank\" rel=\"noreferrer noopener\">background<\/a>), we have observed a general increase in compromise activity across monitored environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Criminal groups deploy malware for multiple objectives: Ransomware execution, sensitive data exfiltration, and credential harvesting. <strong>Qakbot<\/strong> \u2014 documented in detail under <a href=\"https:\/\/attack.mitre.org\/software\/S0650\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK S0650<\/a> \u2014 is consistently used for all three.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike previous campaigns, this wave shows deliberate investment in lure quality. Operators insert themselves into existing email threads, then reply to all recipients with a generic download request. The attachment is a <strong>password-protected .zip archive containing an Excel XLSB file<\/strong>. 
The thread-hijacking technique \u2014 <code>T1534<\/code> (Internal Spearphishing) \u2014 significantly reduces victim suspicion.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To verify exposure against this campaign, apply the Indicators of Compromise listed at the end of this article.<\/p>\n\n\n\n<div class=\"wp-block-yoast-seo-table-of-contents yoast-table-of-contents\"><h2>Contents<\/h2><ul><li><a href=\"#h-email-analysis\" data-level=\"2\">Email Analysis<\/a><\/li><li><a href=\"#h-xlsb-file-analysis\" data-level=\"2\">XLSB File Analysis<\/a><\/li><li><a href=\"#h-rvr1-ocx-analysis\" data-level=\"2\">rvr1.ocx Analysis<\/a><\/li><li><a href=\"#h-qakbot-malware-ghdddhopnqk-dll-analysis\" data-level=\"2\">Qakbot Malware \u2014 ghdddhopnqk.dll Analysis<\/a><ul><li><a href=\"#h-defense-evasion-privilege-escalation\" data-level=\"3\">Defense Evasion &amp; Privilege Escalation<\/a><\/li><li><a href=\"#h-credential-access\" data-level=\"3\">Credential Access<\/a><\/li><li><a href=\"#h-exfiltration-command-control\" data-level=\"3\">Exfiltration \u2014 Command &amp; Control<\/a><\/li><\/ul><\/li><li><a href=\"#h-indicators-of-compromise\" data-level=\"2\">Indicators of Compromise<\/a><\/li><\/ul><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\" id=\"Campagna-Malware-Qakbot\"><img decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/03\/Qakbot-malware-email-1024x576.png\" alt=\"Qakbot Malware Campaign \u2014 March 2022\" class=\"wp-image-4405\" title=\"Qakbot Malware Campaign \u2014 March 2022\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/Qakbot-malware-email-1024x576.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/Qakbot-malware-email-300x169.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/Qakbot-malware-email-768x432.png 768w, 
https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/Qakbot-malware-email-1536x864.png 1536w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/Qakbot-malware-email.png 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-email-analysis\">Email Analysis<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"676\" height=\"568\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/03\/image-9.png\" alt=\"\" class=\"wp-image-4411\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-9.png 676w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-9-300x252.png 300w\" sizes=\"(max-width: 676px) 100vw, 676px\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">To maximise compromise probability, the operator exploits the &#8220;Reply All&#8221; function, inserting a generic document download request into the existing thread body. This mechanism makes it significantly harder for recipients to identify anomalies \u2014 consistent with <code>T1534<\/code> (Internal Spearphishing).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-xlsb-file-analysis\">XLSB File Analysis<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The link in the email delivers the password-protected zip archive containing the XLSB file <strong><code>oermlrdmroeu.xlsb<\/code><\/strong>; because the archive is encrypted, a mail gateway cannot inspect the workbook before the recipient extracts it with the supplied password. 
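Before opening a suspect workbook, an analyst usually wants to confirm whether it is the sample described here and whether it carries a macro at all. The Python script below is an added example, not code from the original post or from Fortgale: it hashes a file, checks the .xlsb container (an OPC zip) for xl/vbaProject.bin, matches the MD5 against the hashes in the IoC tables at the end of this article, and sweeps connection-log lines for the listed C2 IP:port pairs. The workbook bytes and the log lines it scans are constructed for the demonstration, and the two IoC sets hold only a subset of the article's values; extend them from the full tables before use.

```python
"""Check a suspect workbook and connection logs against this campaign's indicators.

Added example (not Fortgale's code). An .xlsb is an OPC zip container; a
macro-enabled one carries xl/vbaProject.bin. The IoC sets below are a subset
copied from the article's tables; the workbook and log lines are constructed.
"""
import hashlib
import io
import ipaddress
import re
import zipfile

# MD5s from the "XLSB file hashes" table, lower-cased for comparison.
XLSB_MD5 = {
    "c2a6f0dead1ae3b86c0361d483ae0967", "334fcb9c5b1d79dd9d8959cfede1772d",
    "73186b922d42e153b2bd828571784656", "eaaa834e6736ee29894c7f5751f8859e",
    "fa9aec61e273625eec2b591ea6b7b491",
}
# (ip, port) pairs from the "Qakbot C2s" table (subset). Qakbot does not speak
# SSH on :22 or plain HTTP on :995; match on the address pair, not the scheme.
QAKBOT_C2 = {
    ("72.12.115.90", 22), ("102.65.38.67", 442), ("89.211.187.185", 2222),
    ("176.67.56.24", 443), ("208.101.87.127", 443), ("172.114.160.106", 995),
    ("139.64.13.107", 995), ("173.21.10.39", 2222), ("136.143.11.80", 443),
}


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def has_vba_project(data: bytes) -> bool:
    """True when the OPC container holds a VBA project, i.e. the workbook has macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower() == "xl/vbaproject.bin" for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OPC container at all (or corrupt)


def scan_workbook(data: bytes, ioc_md5=XLSB_MD5) -> dict:
    h = file_hashes(data)
    return {"md5": h["md5"], "sha256": h["sha256"],
            "has_macros": has_vba_project(data), "ioc_hit": h["md5"] in ioc_md5}


# Any "a.b.c.d:port" token; the destination is whichever one is in the C2 set.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def find_c2_connections(log_lines, c2=QAKBOT_C2):
    """Return (ip, port, line) for every log line touching a listed C2 endpoint."""
    hits = []
    for line in log_lines:
        for ip, port in ENDPOINT_RE.findall(line):
            try:
                ipaddress.ip_address(ip)  # drop tokens such as 999.1.1.1
            except ValueError:
                continue
            if (ip, int(port)) in c2:
                hits.append((ip, int(port), line.strip()))
    return hits


def build_sample_xlsb() -> bytes:
    """Constructed macro-enabled workbook stand-in (deterministic, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("[Content_Types].xml", b"<Types/>"),
                              ("xl/workbook.bin", b"\x00" * 16),
                              ("xl/vbaProject.bin", b'Attribute VB_Name = "ThisWorkbook"')):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2022, 3, 10, 9, 0, 0)), payload)
    return buf.getvalue()


SAMPLE_LOG = [  # constructed firewall-style records: src -> dst
    "2022-03-10T09:14:02Z WS-042 10.0.5.21:51822 -> 72.12.115.90:22 tcp bytes=1402",
    "2022-03-10T09:14:05Z WS-042 10.0.5.21:51823 -> 142.250.74.46:443 tcp bytes=9001",
    "2022-03-10T09:15:11Z WS-042 10.0.5.21:51830 -> 102.65.38.67:442 tcp bytes=2210",
]

if __name__ == "__main__":
    print(scan_workbook(build_sample_xlsb()))
    for ip, port, line in find_c2_connections(SAMPLE_LOG):
        print(f"C2 contact {ip}:{port}  <- {line}")
```

The macro check deliberately looks at the container rather than trusting the extension: a renamed .xlsb still carries xl/vbaProject.bin, and a password-protected archive must be extracted first since the encrypted zip itself is not an OPC container.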
On opening, the user is prompted to enable macros; accepting starts the compromise chain (<code>T1204.002<\/code> \u2014 User Execution: Malicious File, <code>T1059.001<\/code> \u2014 PowerShell).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"811\" height=\"525\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/03\/image-1.png\" alt=\"\" class=\"wp-image-4389\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-1.png 811w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-1-300x194.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-1-768x497.png 768w\" sizes=\"(max-width: 811px) 100vw, 811px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">XLSB file content<\/figcaption><\/figure>\n<\/div>\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>NAME<\/strong><\/td><td><code>Oermlrdmroeu.xlsb<\/code><\/td><\/tr><tr><td><strong>MD5<\/strong><\/td><td><code>C2A6F0DEAD1AE3B86C0361D483AE0967<\/code><\/td><\/tr><tr><td><strong>SHA1<\/strong><\/td><td><code>400602F0A71899BF4CFDB028AFEB2F31DB4DE1FF<\/code><\/td><\/tr><tr><td><strong>SHA256<\/strong><\/td><td><code>72B0B629C772BF3FCE97CDBB589DC12B516484851D48FFA132BE2E2EA56B24AA<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-rvr1-ocx-analysis\">rvr1.ocx Analysis<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Macro activation initiates a callback to <strong><code>ksindesign.com[.]br<\/code><\/strong> (IP <strong><code>108.179.252[.]104<\/code><\/strong>) to download <strong><code>rvr1.ocx<\/code><\/strong> to the path <code>C:\\Xnvr\\rvr1.ocx<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This file is a DLL despite its .ocx extension; it is loaded with <strong><code>regsvr32<\/code><\/strong> (<code>T1218.010<\/code> \u2014 Regsvr32), which calls the library's <code>DllRegisterServer<\/code> export and so runs the payload under a signed Microsoft binary. 
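Process telemetry is the most reliable place to catch this stage, precisely because regsvr32 is a signed Windows binary that file-reputation controls will not block. The script below is an added example (not the original post's analysis code) that evaluates Sysmon Event ID 1 style records, constructed here for the demonstration, against three rules drawn from the chain in this section and the next: an Office application spawning regsvr32.exe, regsvr32.exe registering a module from a path outside the Windows and Program Files trees (C:\Xnvr, AppData\Roaming\Microsoft\Kleqaiwaulq), and regsvr32.exe spawning OneDriveSetup.exe. The OneDriveSetup.exe location and the user profile name in the sample records are assumptions.

```python
"""Flag the regsvr32 chain from this write-up in process-creation telemetry.

Added example, not the original post's analysis code. Records mimic Sysmon
Event ID 1 (Image, ParentImage, CommandLine) and are constructed below; the
OneDriveSetup.exe location and the user profile name are assumptions.
"""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Where regsvr32 legitimately loads COM servers from (case-insensitive prefixes).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)
# A quoted path (may contain spaces) or a bare path, ending in .dll or .ocx.
MODULE_RE = re.compile(
    r'"([a-z]:\\[^"]+?\.(?:dll|ocx))"|([a-z]:\\\S+?\.(?:dll|ocx))', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def module_from_cmdline(cmdline: str):
    m = MODULE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_untrusted_path(path: str) -> bool:
    p = path.lower()
    return not any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def evaluate(event: dict) -> list:
    """Return the names of the rules this single event triggers."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    alerts = []
    if image == "regsvr32.exe":
        if parent in OFFICE_APPS:  # macro handing off to regsvr32 (T1218.010)
            alerts.append("office_spawns_regsvr32")
        module = module_from_cmdline(event["CommandLine"])
        if module and is_untrusted_path(module):  # C:\Xnvr\rvr1.ocx, %APPDATA%\Microsoft\<x>\*.dll
            alerts.append("regsvr32_untrusted_module")
    if image == "onedrivesetup.exe" and parent == "regsvr32.exe":
        alerts.append("regsvr32_spawns_onedrivesetup")
    return alerts


def scan(events) -> list:
    return [(e["ProcessId"], rule) for e in events for rule in evaluate(e)]


SAMPLE_EVENTS = [  # constructed; mirrors the chain described in the article
    {"ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": '"EXCEL.EXE" oermlrdmroeu.xlsb'},
    {"ProcessId": 5380, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "regsvr32.exe /s C:\\Xnvr\\rvr1.ocx"},
    {"ProcessId": 5412, "Image": "C:\\Windows\\SysWOW64\\OneDriveSetup.exe",  # location assumed
     "ParentImage": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "OneDriveSetup.exe"},
    {"ProcessId": 5500, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\OneDriveSetup.exe",
     "CommandLine": 'regsvr32.exe "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Kleqaiwaulq\\ghdddhopnqk.dll"'},
    {"ProcessId": 6001, "Image": "C:\\Windows\\System32\\regsvr32.exe",  # benign installer activity
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Program Files (x86)\\Vendor\\ctl.ocx"'},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The path rule is the one that survives retooling: operators rename the dropped file and the staging folder between campaigns, but regsvr32 registering a module from a user-writable directory stays anomalous, so that rule should be tuned against your own software inventory rather than dropped when it fires on an installer.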
Once loaded, rvr1.ocx launches <strong><code>OneDriveSetup.exe<\/code><\/strong>, which downloads and writes <strong><code>ghdddhopnqk.dll<\/code><\/strong> into <code>AppData\\Roaming\\Microsoft\\Kleqaiwaulq<\/code>, a folder under a legitimate-looking Microsoft path.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>NAME<\/strong><\/td><td><code>Rvr1.ocx<\/code><\/td><\/tr><tr><td><strong>MD5<\/strong><\/td><td><code>cb94f597357fca51e3ac47187193730e<\/code><\/td><\/tr><tr><td><strong>SHA1<\/strong><\/td><td><code>d22380908f9bcb95d875696f857646f701fd9a0c<\/code><\/td><\/tr><tr><td><strong>SHA256<\/strong><\/td><td><code>cf00a86bfe97ad6975122ed5b53af40d96d505b7e3caed80cc1f6f9010927692<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-qakbot-malware-ghdddhopnqk-dll-analysis\">Qakbot Malware \u2014 ghdddhopnqk.dll Analysis<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Dynamic analysis of Qakbot allowed us to map interactions between the malware and the victim system. Below are the key operations observed during the compromise.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-defense-evasion-privilege-escalation\">Defense Evasion &amp; Privilege Escalation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The malicious DLL is written to <code>AppData\\Roaming\\Microsoft\\Kleqaiwaulq<\/code> via the <strong>OneDriveSetup<\/strong> process. <strong><code>regsvr32<\/code><\/strong> is then invoked to load it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Immediately after execution, the DLL is injected into the <strong>OneDriveSetup<\/strong> process (<code>T1055<\/code> \u2014 Process Injection). 
Hiding inside a legitimate process is first of all a defense-evasion measure. A privilege-escalation step, likely <strong>Token Impersonation<\/strong> (<code>T1134.001<\/code>), may follow, but an elevated process was not confirmed in this sample: as noted under Credential Access, the injected process lacked the privileges needed to read Credential Manager.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-credential-access\">Credential Access<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Qakbot harvests victim credentials from two sources (<code>T1555.003<\/code> \u2014 Credentials from Web Browsers, <code>T1555.004<\/code> \u2014 Windows Credential Manager):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>credentials stored in browser profiles,<\/li>\n\n\n<li>passwords stored in Windows Credential Manager (accessed through lsass).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In this sample, the process attempting to access Credential Manager did not hold sufficient privileges to complete the operation (high-confidence observation based on dynamic analysis).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-exfiltration-command-control\">Exfiltration \u2014 Command &amp; Control<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">During execution, the sample opens a TCP connection to port <code>22<\/code> on <strong><code>72.12.115[.]90<\/code><\/strong> and one to port <code>443<\/code> on <strong><code>102.65.38[.]67<\/code><\/strong>, an address associated with Qakbot C2 infrastructure (<code>T1071.001<\/code> \u2014 Application Layer Protocol: Web Protocols). The port numbers do not mean SSH or HTTPS: Qakbot carries its own C2 traffic over TLS on whatever ports its infrastructure uses (22, 443, 995 and 2222 all appear in the list below), so detection should key on the destination address and port pairs rather than on the service a port would normally suggest.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-indicators-of-compromise\">Indicators of Compromise<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>XLSB FILE 
HASHES<\/strong><\/td><\/tr><tr><td><\/td><td><code>C2A6F0DEAD1AE3B86C0361D483AE0967<\/code><\/td><\/tr><tr><td><\/td><td><code>334fcb9c5b1d79dd9d8959cfede1772d<\/code><\/td><\/tr><tr><td><\/td><td><code>73186b922d42e153b2bd828571784656<\/code><\/td><\/tr><tr><td><\/td><td><code>eaaa834e6736ee29894c7f5751f8859e<\/code><\/td><\/tr><tr><td><\/td><td><code>fa9aec61e273625eec2b591ea6b7b491<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>ZIP FILE HASHES<\/strong><\/td><\/tr><tr><td><\/td><td><code>6B3FFD489F59D6952302A18FFC36B56A<\/code><\/td><\/tr><tr><td><\/td><td><code>16b6cb76eb9e377e7ef2f0ec2f6253de<\/code><\/td><\/tr><tr><td><\/td><td><code>38b2443c9c5e34f4148856f5333bc435<\/code><\/td><\/tr><tr><td><\/td><td><code>c388ed56f887b2bde94a2fab698eabc4<\/code><\/td><\/tr><tr><td><\/td><td><code>e5492cb8abff84556c652d3ea02b57b2<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>PAYLOAD DOWNLOAD DOMAINS<\/strong><\/td><\/tr><tr><td><\/td><td><code>ksindesign.com[.]br<\/code><\/td><\/tr><tr><td><\/td><td><code>tradicaodaroca[.]net<\/code><\/td><\/tr><tr><td><\/td><td><code>gpsadvanceconsulting[.]com<\/code><\/td><\/tr><tr><td><\/td><td><code>perfectbreezencool[.]com<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>QAKBOT 
C2s<\/strong><\/td><\/tr><tr><td><\/td><td><code>http:\/\/72.12.115.90:22<\/code><\/td><\/tr><tr><td><\/td><td><code>https:\/\/102.65.38.67:442<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/89.211.187.185:2222<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/176.67.56.24:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/208.101.87.127:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/172.114.160.106:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/139.64.13.107:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/173.21.10.39:2222<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/136.143.11.80:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/47.180.172.31:50010<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/105.186.127.92:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/47.156.191.199:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/86.184.85.167:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/24.43.99.59:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/203.212.24.122:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/40.134.247.111:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/90.74.16.202:6881<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/144.202.2.83:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/201.42.65.134:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/45.241.221.89:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/86.97.209.174:1194<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/24.55.67.19:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/197.89.108.186:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/140.82.49.132:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/75.99.168.90:61201<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/80.14.188.21:2222<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/86.98.11.218:443<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/108.60.213.191:443<\/code><\/td><\/tr><tr><td><
\/td><td><code>http:\/\/121.74.187.113:995<\/code><\/td><\/tr><tr><td><\/td><td><code>http:\/\/70.51.139.5:2222<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Qakbot campaigns consistently exploit the trust established by existing email threads \u2014 any detection strategy that does not account for thread context will fail to surface this initial access vector.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In recent weeks, consistent with previously documented activity (background), we have observed a general increase in compromise activity across monitored environments. Criminal groups deploy malware for multiple objectives: Ransomware execution, sensitive data exfiltration, and credential harvesting. Qakbot \u2014 documented in detail under MITRE ATT&amp;CK S0650 \u2014 is consistently used for all three. Unlike previous campaigns, &#8230; <a title=\"Malware Qakbot \u2014 March 2022 Compromises\" class=\"read-more\" href=\"https:\/\/fortgale.com\/blog\/emerging-threats\/malware-qakbot-marzo-22\/\" aria-label=\"Read more about Malware Qakbot \u2014 March 2022 Compromises\">Read 
more<\/a><\/p>\n","protected":false},"author":7,"featured_media":4405,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3094,3093,3092,185,1439,3095,3096,430,283,3091],"class_list":["post-4386","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-credential-theft","tag-dll-injection","tag-excel-macro","tag-ioc","tag-malware-it","tag-march-2022","tag-mitre-attck","tag-qakbot","tag-ransomware","tag-thread-hijacking"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4386"}],"version-history":[{"count":25,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4386\/revisions"}],"predecessor-version":[{"id":9812,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4386\/revisions\/9812"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4405"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}