Incident Response & Threat Intelligence

B5: If It Qaks Like a Duck: Decoding Qakbot’s Behavior and C2 Messaging

Friday, June 9, 2023 9:30 AM - 10:30 AM

Room 405/406


The Qakbot botnet routinely ranks among the ten botnet malware families most commonly detected by Sophos. It propagates through an ingenious email-thread hijacking technique: the bot inserts itself into an existing conversation and sends malicious links to the unsuspecting other parties in the thread. Once a victim has been tricked into downloading and running the Qakbot installer on a Windows computer, the bot acts as a delivery mechanism for DLLs that extend its own capabilities and for third-party malware payloads, while also functioning as a capable password stealer. Qakbot has been directly implicated in several ransomware attacks in recent months, serving as the vehicle that delivered both Cobalt Strike beacons and the ransomware payloads themselves. Its versatility and near-ubiquity make it as dangerous as its better-known compatriots, Trickbot and Emotet.

In this presentation, attendees will learn about the many ways the bot elaborately protects its own data and configuration: it uses multiple layers of encryption to conceal sensitive data such as target lists, and it hides components of itself as encrypted data in the Windows registry. I will also describe in detail how the bot builds a detailed profile of each infected host and how it encrypts and decrypts its command-and-control messages, and I will provide a "decoder key" for interpreting both the messages the bot sends back to its controllers and the commands it receives from them.

Learner Objectives

* Recognize common Qakbot network and endpoint behavior
* Identify the characteristics of Qakbot-originated malicious email
* Decrypt information Qakbot transmits over networks and stores in the Windows Registry