QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
Common Information
Type Value
UUID 73cb1d2c-f8f0-4cae-9ad4-ea30616ade4b
Fingerprint 8f89d88daf13fc
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 17, 2023, midnight
Added to db Feb. 14, 2023, 4:02 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
Title QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
Detected Hints/Tags/Attributes 100/4/43
RSS Feed
Id  Feed title  Url  Added to db
32  EclecticIQ Blog  https://blog.eclecticiq.com/rss.xml  2024-08-30 22:08
Attributes
Type  #Events  Value
CVE  7  cve-2022-41049
CVE  22  cve-2022-41091
CVE  31  cve-2022-44698
Domain  49  eclecticiq.com
Domain  18  cti.eclecticiq.com
Domain  189  asec.ahnlab.com
Domain  32  lolbas-project.github.io
Domain  96  malpedia.caad.fkie.fraunhofer.de
Domain  1373  twitter.com
Domain  452  msrc.microsoft.com
Email  47  research@eclecticiq.com
File  3  ww.js
File  459  regsvr32.exe
File  376  wscript.exe
File  51  wermgr.exe
File  2  resemblance.tmp
sha256  2  8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274
sha256  2  26f5bc698dfec8e771b781dc19941e2d657eb87fe8669e1f75d9e5a1bb4db1db
sha256  2  c5df8f8328103380943d8ead5345ca9fe8a9d495634db53cf9ea3266e353a3b1
sha256  1  6fb41b33304b65e6e35f04e8cc70f7a24cd36e29bbb97266de68afcf113f9a5f
MITRE ATT&CK Techniques  106  T1204.001
MITRE ATT&CK Techniques  44  T1218.010
MITRE ATT&CK Techniques  93  T1059.007
MITRE ATT&CK Techniques  183  T1566.002
MITRE ATT&CK Techniques  442  T1071.001
MITRE ATT&CK Techniques  86  T1055.012
MITRE ATT&CK Techniques  627  T1027
MITRE ATT&CK Techniques  28  T1027.007
MITRE ATT&CK Techniques  1006  T1082
MITRE ATT&CK Techniques  275  T1053.005
MITRE ATT&CK Techniques  97  T1497.001
MITRE ATT&CK Techniques  310  T1047
Url  5  https://cti.eclecticiq.com/taxii/discovery
Url  1  https://asec.ahnlab.com/en/41889
Url  1  https://lolbas-project.github.io/lolbas/binaries/regsvr32
Url  1  https://lolbas-project.github.io/lolbas/binaries/wscript
Url  1  https://www.darkreading.com/threat-intelligence/black-basta-gang-deploys-qakbot-malware-cyber-campaign
Url  4  https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
Url  1  https://twitter.com/wdormann/status/1588020965271035904
Url  2  https://msrc.microsoft.com/update-guide/vulnerability/cve-2022-41091
Url  2  https://msrc.microsoft.com/update-guide/en-us/vulnerability/cve-2022-44698
Url  1  https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware
Url  1  https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings