Qakbot Resurfaces with new Playbook

Threat Actors Leveraging DLL-SideLoading to Deliver Malware

During a routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher shared new IoCs related to the infamous Qakbot malware.

For initial infection, Qakbot uses an email mass spamming campaign. The Qakbot Threat Actors (TAs) have continuously evolved their infection techniques ever since it was initially identified in the wild.

In this campaign, the spam email contains a password-protected zip file which contains an ISO file. When mounted, this ISO file shows a .lnk file masquerading as a PDF file. If the victim opens the .lnk file, the system is infected with Qakbot malware. The figure below shows the Qakbot’s infection chain.

Figure 1 – Qakbot Execution Flow

Technical Analysis

The initial infection of Qakbot starts with a malicious spam campaign that contains various themes to lure the users into opening the attachments.

In this campaign, the spam email contains an HTML file that has base64 encoded images and a password-protected ZIP file, as shown below.

Figure 2 – Embedded ZIP File in HTML File

After opening the HTML file, it will automatically drop the password-protected zip file in the Downloads location. In our sample, the zip file is named “Report Jul 14” The zip password is mentioned in the HTML, as shown below.

Figure 3 – Contents of Spam HTML File

Upon opening the zip file using the password, it extracts another file from the folder containing an ISO image file named “Report Jul 14 47787.iso”. The ISO file contains four different files:

  • a .lnk file
  • a legitimate calc .exe
  • WindowsCodecs.dll
  • 7533.dll.

The figure below shows the details of extracted files.

Figure 4 – File Details

If the user executes the ISO file, it mounts the ISO to a drive and shows only the .lnk file to the user. In this case, the .lnk file is named “Report Jul 14 4778.lnk” andmasquerades as a PDF file.

The property of the .lnk file shows that it executes calc.exe present in the ISO file. The figure below shows the .lnk file.

Figure 5 – Properties of Shortcut File

DLL Sideloading:

DLL sideloading is a technique used by TAs to execute malicious code using legitimation applications. In this technique, TAs place legitimate applications and malicious .dll files together in a common directory.

The malicious .dll file name is the same as a legitimate file loaded by the application during execution. The attacker leverages this trick and executes the malicious .dll file.

In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe.

Upon executing the calc.exe, it further loads WindowsCodec.dll and executes the final Qakbot payload using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all the malicious activities.

Figure 6 – WindowsCodec.dll file Executing 7533.dll using regsvr32.exe

The figure below shows the execution process tree of Qakbot.

Figure 7 – Qakbot Process Tree


The TAs behind Qakbot are highly active and are continuously evolving their methods to increase their efficacy and impact.

Qakbot steals credentials from the victim’s system and uses them for the TA’s financial gain. Apart from the direct financial impact, this can also lead to incidences of fraud, identity theft, and other consequences for any victim of Qakbot malware.

Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.

Our Recommendations 

  • Do not open emails from unknown or irrelevant senders.
  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Keep updating your passwords after certain intervals.
  • Use reputed anti-virus solutions and internet security software packages on your connected devices, including PCs, laptops, and mobile devices.  
  • Avoid opening untrusted links and email attachments without first verifying their authenticity.   
  • Block URLs that could use to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.  
  • Enable Data Loss Prevention (DLP) Solutions on employees’ systems.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1566Phishing
ExecutionT1204User Execution
Défense EvasionT1574.002Hijack Execution Flow: DLL Side-Loading
Défense EvasionT1055Process Injection

Indicator Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
Report Jul 14 47787.html
Report Jul 14
Report Jul 14 47787.iso

Comments are closed.

Scroll to Top