Qakbot Malware Attacks on the Rise: Cyber Threat Intelligence Roundup
An aggressive Qakbot/Black Basta campaign that’s targeting US organizations, the US ban on Huawei, Hikvision, ZTE, and Dahua equipment, and a new report that links Chrome, Defender, and Firefox exploitation frameworks to a Spanish IT firm
First up is a look at reports of a significant uptick in aggressive and fast Qakbot malware attacks, which often result in the deployment of ransomware (Black Basta, to be specific). Next, CTI presents an overview of the Federal Communications Commission’s (FCC) ban on the import and U.S. sales of devices manufactured by Chinese vendors Huawei, Hikvision, ZTE, and Dahua. Finally, we wrap things up with a summary of a recent Google Threat Analysis Group (TAG) report, which ties the discovery of three malware frameworks (designed to facilitate the exploitation of zero-day vulnerabilities in Chrome, Microsoft Defender, and Firefox) to a commercial IT vendor based in Spain.
1. Aggressive Qakbot/Black Basta campaign targeting US organizations
A recent post on Cybereason’s blog sheds light on the widely-reported increase in Qakbot infections in customer environments belonging primarily to U.S.-based companies, which researchers believe is a “potentially widespread ransomware campaign run by Black Basta.”
Who is Black Basta?
Black Basta is a relatively new ransomware group, having first emerged in April of 2022.
Black Basta has shown a preference for targeting organizations in the U.S., Canada, the United Kingdom, Australia, and New Zealand. Of note, these are the countries that make up the “Five Eyes” (FVEY) intelligence alliance. Like nearly every other active ransomware group, Black Basta practices “double extortion”: it exfiltrates data before encrypting systems and threatens to publish that data if the ransom is not paid.
In its latest campaign, Black Basta leverages Qakbot to gain a beachhead — or an initial point of entry — and move laterally within targeted networks.
Qakbot (aka QBot) started out as a banking trojan designed to steal financial data, mostly by capturing credentials and other sensitive information from browser data, keystrokes, and the like. Once Qakbot has infected an environment, it installs a backdoor that allows the threat actor to drop additional malware, which now often takes the form of ransomware.
In one attack observed by Cybereason, a Qakbot infection resulted in Cobalt Strike being loaded on several critical systems, which ultimately led to the global deployment of Black Basta ransomware. To hinder recovery efforts, the threat actors locked the victim out of its network by disabling DNS services (a tactic Cybereason’s GSOC researchers observed in multiple attacks).
- Threat actor moves extremely fast. In the compromises Cybereason identified, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.
- High severity. The Cybereason GSOC assesses the threat level as HIGH given the potentially widespread campaign being run by Black Basta.
- Widespread QBot campaign targeting U.S.-based companies. Threat actors leveraging the Qakbot loader cast a wide net, targeting mainly U.S.-based companies, and acted quickly on any spear-phishing victims they successfully compromised. In the last two weeks, Cybereason observed more than 10 different customers affected by this campaign.
- Network lockout. Among the many Qakbot infections identified, two allowed the threat actor to deploy ransomware and then lock the victim out of its network by disabling the victim’s DNS service, making the recovery even more complex.
- Black Basta deployment. The particularly fast compromises Cybereason observed led to the deployment of Black Basta ransomware.
- Qakbot uptick seen elsewhere. Cybereason is not the only cybersecurity research organization to have recorded an uptick in aggressive Qakbot campaigns. Red Canary’s observations on trending threats for October 2022 note that “October’s top 10 includes threats that are no stranger to our trending threat list. Qbot claimed the number 1 spot for the second consecutive month.”
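The “network lockout” step in the list above is worth a concrete detection, so here is an added example (not code from Cybereason, Red Canary or Tanium) of how a SOC could flag it from Windows event logs. On a domain controller, stopping or disabling the DNS Server service breaks name resolution for the whole domain, and the Service Control Manager records exactly that in the System log: event 7036 when a service changes state and event 7040 when its start type is changed. The script assumes those events have already been exported from the domain controllers into the simple `Event` records shown; the sample events are constructed for the example and are not real telemetry.

```python
"""Flag the DNS Server service on domain controllers being stopped or disabled.

Windows Service Control Manager events in the System log:
  7036 - "The <svc> service entered the <state> state."
  7040 - "The start type of the <svc> service was changed from <old> to <new>."
A stop that is followed by 'running' on the same host within a short grace
window is treated as a routine restart (patching, admin action), not a lockout.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

DNS_SERVICE = "DNS Server"  # display name of the Windows DNS Server service

# Message formats emitted by the Service Control Manager for events 7036 and 7040
STATE_RE = re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")
START_TYPE_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    message: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    reason: str


def _dns_state(ev: Event):
    """Return the new state if ev is a 7036 event for the DNS Server service, else None."""
    if ev.event_id != 7036:
        return None
    m = STATE_RE.match(ev.message)
    return m["state"] if m and m["svc"] == DNS_SERVICE else None


def dns_lockout_alerts(events, restart_grace=timedelta(minutes=10)):
    """Alert when DNS Server is set to disabled, or stopped without restarting within restart_grace."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev.event_id == 7040:
            m = START_TYPE_RE.match(ev.message)
            if m and m["svc"] == DNS_SERVICE and m["new"].lower() == "disabled":
                alerts.append(Alert(ev.ts, ev.host,
                                    f"DNS Server start type changed from {m['old']} to disabled"))
        elif _dns_state(ev) == "stopped":
            # Look ahead on the same host for a 'running' transition inside the grace window
            restarted = any(
                later.host == ev.host
                and later.ts - ev.ts <= restart_grace
                and _dns_state(later) == "running"
                for later in ordered[i + 1:]
            )
            if not restarted:
                alerts.append(Alert(ev.ts, ev.host,
                                    f"DNS Server stopped and not restarted within {restart_grace}"))
    return alerts


# Constructed sample (not real telemetry): a routine DNS restart on DC01 during a patch
# window, then an attacker disabling and stopping DNS on DC02, plus an unrelated service stop.
SAMPLE_EVENTS = [
    Event(datetime(2022, 11, 20, 1, 0), "DC01", 7036, "The DNS Server service entered the stopped state."),
    Event(datetime(2022, 11, 20, 1, 2), "DC01", 7036, "The DNS Server service entered the running state."),
    Event(datetime(2022, 11, 20, 3, 14), "DC02", 7040,
          "The start type of the DNS Server service was changed from auto start to disabled."),
    Event(datetime(2022, 11, 20, 3, 15), "DC02", 7036, "The DNS Server service entered the stopped state."),
    Event(datetime(2022, 11, 20, 3, 16), "FS01", 7036, "The Print Spooler service entered the stopped state."),
]

if __name__ == "__main__":
    for a in dns_lockout_alerts(SAMPLE_EVENTS):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.host}: {a.reason}")
```

Run against the sample, this raises two alerts, both for DC02, and stays quiet on the DC01 restart and the unrelated Print Spooler stop. The caveat is scope: this only sees the service being stopped or disabled through the Service Control Manager. An attacker who deletes DNS zones, rewrites client resolver settings, or blocks port 53 at the host firewall achieves the same lockout without producing these events, so treat this as one signal and also alert on any DNS Server state change on a domain controller outside an approved change window.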
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Partnerships between Black Basta ransomware and top-tier malware families are not novel in and of themselves. The important callout here is that we appear to be experiencing one of Qakbot’s cycles of increased activity — and that the activity is, for the most part, restricted to the targeting of entities based in the U.S. and the countries belonging to some of its strongest allies.”
2. US bans sales of Huawei, Hikvision, ZTE, and Dahua equipment
The U.S. government has banned the sale of equipment from Chinese telecommunications and video surveillance vendors Huawei, ZTE, Hytera, Hikvision, and Dahua as a result of alleged “unacceptable risks to national security” presented by devices created and distributed by the manufacturers in question.
The FCC characterizes the action as the latest step in the Commission’s efforts to assist in securing the nation’s communications networks.
The following items consist of notable takeaways based on the information that has been released to the public at the time of reporting:
- The impact. Vendors on the FCC’s list of banned equipment, along with any third-party vendors reselling their technology, are prohibited from importing or selling that technology or maintaining a presence in the U.S. market.
- The whole family is in the crosshairs. The ban covers not only the parent companies named above, but their subsidiaries and affiliates as well.
- The act targets technology that poses an unacceptable risk. In this context, the vague term “unacceptable risk” is the label the FCC applies to any Chinese vendor the U.S. government suspects of stealing intellectual property or research and development data, of planting backdoors in its products that could allow the Beijing government to run espionage operations, or of some combination of such activity. If this sounds familiar, that’s because it is essentially what the Feds accused telecom vendor Huawei of in a January 28, 2019 DoJ indictment.
- An ongoing issue. Telecommunications technology from both Huawei (5G equipment in particular) and ZTE has been banned or excluded over the past several years in multiple countries, including Australia, New Zealand, India, Japan, the U.S., Canada, Romania, and the U.K.
- The act is unanimous. All four FCC members, who have different political orientations, voted unanimously to adopt the new measures against the five Chinese tech firms.
- It’s not retroactive. Although the companies were previously prohibited from supplying U.S. government systems and the private sector was strongly discouraged from using their equipment, the ban is not retroactive, so theoretically the companies can go ahead with previously authorized sales in the US. However, the FCC has left the door open to the possibility it could revoke previous authorizations.
So – exactly who and what is covered?
According to Section 1.50002 of the Commission’s rules, the Public Safety and Homeland Security Bureau has been directed to publish a list of communications equipment and services that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
Here is the list, as it stands:
- Telecommunications equipment produced by Huawei Technologies Company, including telecommunications or video surveillance services provided by such entity or using such equipment. As of March 12, 2021
- Telecommunications equipment produced by ZTE Corporation, including telecommunications or video surveillance services provided by such entity or using such equipment. As of March 12, 2021
- Video surveillance and telecommunications equipment produced by Hytera Communications Corporation, to the extent it is used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, including telecommunications or video surveillance services provided by such entity or using such equipment. As of March 12, 2021
- Video surveillance and telecommunications equipment produced by Hangzhou Hikvision Digital Technology Company, to the extent it is used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, including telecommunications or video surveillance services provided by such entity or using such equipment. As of March 12, 2021
- Video surveillance and telecommunications equipment produced by Dahua Technology Company, to the extent it is used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, including telecommunications or video surveillance services provided by such entity or using such equipment. As of March 25, 2022
- Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates. As of March 25, 2022
- International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934. As of March 25, 2022
- Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934. As of March 12, 2021
- International telecommunications services provided by Pacific Network Corp and its wholly-owned subsidiary ComNet (USA) LLC subject to section 214 of the Communications Act of 1934. As of September 20, 2022
- International telecommunications services provided by China Unicom (Americas) Operations Limited subject to section 214 of the Communications Act of 1934. As of September 20, 2022
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“To our readers who have maintained some degree of awareness of the various controversies surrounding the delicate geopolitical balance between the US and China — particularly when it comes to technology and data privacy — the FCC’s announcement will likely be less than shocking.”
“The news comes on the heels of reports that Chinese-owned TikTok, a social media platform plagued by concerns about the privacy of personal data belonging to U.S. citizens, was recently subjected to an internal risk assessment – the results of which all but confirmed Washington’s greatest fears.”
3. Frameworks designed to exploit Chrome, Defender, and Firefox 0-days linked to commercial IT firm in Spain
Google’s Threat Analysis Group (TAG) has linked a Barcelona, Spain-based IT company, called Variston IT, to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender.
According to a recent Ars Technica blog post, Variston “bills itself as a provider of tailor-made Information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators, custom security patches for proprietary systems, tools for data discovery, security training, and the development of secure protocols for embedded devices.”
However, the company reportedly sells another product that researchers or potential customers won’t find listed on the firm’s website: software frameworks that provide customers with everything they could possibly need to inconspicuously install malware on devices they intend to gather sensitive information from.
Google’s TAG report focuses primarily on one specific example, which is the Heliconia framework.
About the Heliconia framework
TAG discovered the Heliconia framework because of an anonymous submission to Google’s Chrome bug reporting program. The anonymous submitter reportedly filed three bug reports, each accompanied by its own instructions and an archive containing source code.
Upon analysis, the TAG researchers were able to reveal the existence of frameworks designed to facilitate the deployment of exploits in the wild. It was a script in the source code that pointed analysts toward the framework’s likely developer: Variston IT.
Google’s researchers characterize Variston IT’s Heliconia exploitation framework as a product designed to make it easy for its users to exploit 0-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. Heliconia provides all the tools required to deploy malicious payloads to devices of the user’s choosing.
Google TAG’s research notes that the vulnerabilities the frameworks exploited were fixed by Google, Microsoft, and Mozilla at various points in 2021 and 2022, so fully patched Chrome, Defender, and Firefox installations are not affected by the exploits as submitted.
TAG’s researchers paint a convincing picture of a cyber threat landscape featuring a market for exploits that has grown increasingly chaotic, with a worrisome lack of organization and no regulating hierarchy to speak of. Variston is just the latest in a long list of vendors who strive to maintain a veneer of legitimacy while they peddle less savory wares just beneath the surface to the highest bidders, a rogue’s gallery of customers which often includes state-backed entities engaged in physical conflict with one another. The list of vendors involved in this shady business includes familiar names like NSO Group, Hacking Team, Accuvant, and Candiru.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“ArsTechnica really hit the nail on the head:
‘TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe. Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents.’
“Not only does this type of product wind up in the hands of some of the world’s less-savory regimes, but commercial spyware purveyors have also turned technology, which was once primarily the domain of well-resourced governments, into a commodity that even less sophisticated (and less discreet) threat actors can access and brandish at will. It goes without saying that such a circumstance presents a serious risk to online safety.”
For more threat intelligence, check out our library of cyber threat intelligence roundups here.