QuakBot Trojan

 

What is QuakBot?

QuakBot is malware that has been around since 2007 and is often described as one of the world's leading banking trojans. The term banking
trojan refers to malware that steals financial information from the infected system, although this historical description is no longer
accurate: QuakBot is a fully fledged, fileless information stealer that is not focused solely on banking information.
 

I have described some interesting functions of the QuakBot loader (second stage) here.

 

Timestamp

The timestamp value 0x2A425E19 in the IMAGE_FILE_HEADER corresponds to 19 June 1992 22:22:17, which makes the trojan look very old.

timestamp1

Binaries compiled with Delphi compilers prior to Delphi 2007 all carry this same old date; the present malware was written in Delphi.
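As an added example (not part of the original analysis), the following Python snippet reads TimeDateStamp from a PE header and flags the fixed pre-2007 Delphi value so an analyst does not mistake it for the real build date. The sample header bytes are constructed inline and are not taken from a QuakBot sample.

```python
import struct
from datetime import datetime, timezone

# Compile timestamp that Delphi compilers before Delphi 2007 write into every PE.
DELPHI_TIMESTAMP = 0x2A425E19  # 19 June 1992 22:22:17 UTC


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C of the DOS header points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def describe_timestamp(stamp: int) -> str:
    """Render the stamp as UTC and mark the well-known Delphi constant."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%d %B %Y %H:%M:%S")
    if stamp == DELPHI_TIMESTAMP:
        return f"{when} (fixed Delphi <2007 compiler stamp, not the real build time)"
    return when


def build_sample(stamp: int) -> bytes:
    """Constructed sample: a 0x40-byte DOS header plus a minimal PE signature and COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> directly after the DOS header
    # Machine=i386, 3 sections, TimeDateStamp, no symbols, SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(describe_timestamp(pe_timestamp(build_sample(DELPHI_TIMESTAMP))))
```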
 
 

Load module

QuakBot tries to load a locale-specific DLL for the application by opening the following registry keys in sequence:
 

registry key

 
0x80000001 = HKEY_CURRENT_USER
0x80000002 = HKEY_LOCAL_MACHINE
 
 
If none of the entries exists, the default locale is selected. LoadLibraryExA loads the file into the virtual address space of the
calling process as a data file (flag 0x2, LOAD_LIBRARY_AS_DATAFILE). When this flag is used, nothing is done to execute the mapped file,
so its functions cannot be called.
 
load library
 
The .rsrc section of the module contains three encrypted resources that are decrypted in memory at runtime.
 
resources
 
Resource 111 contains the IP addresses and port numbers of the C2C servers.
 

Set Windows Hook

QuakBot installs a Windows hook associated with the current thread. The hook monitors messages posted to the message queue: every time
the application calls the function PeekMessage, the hook procedure is executed. This technique is usually used to inject the malware
into another process.
 
hook proc
 
 

Keylogger functions

The malware continuously checks the status of each of the 256 virtual keys with the GetKeyboardState function in order to determine
which key was pressed.
 
 

Make Screenshots

QuakBot can take screenshots of the infected system. These screenshots are then stored as BMP files. First the malware creates a
memory device context with the CreateCompatibleDC function. Then it creates a compatible bitmap for the device context with
CreateCompatibleBitmap and selects the bitmap into the device context with SelectObject.
 
BitBlt then performs a bit-block transfer of the pixel data from the source device context into the destination bitmap, at which point the
image is held in memory. The created bitmap is then copied from memory into a buffer for further use.
 
 

Create window

It creates a popup window at the bottom right with CreateWindowExA. The window class name is set to "TPUtilWindow" with an empty
window name. The extended window style is 0x80 (WS_EX_TOOLWINDOW), which makes it a tool window. A tool window does not appear in the
taskbar or when pressing ALT+TAB. Hidden windows are used by threat actors to conceal malicious activity from the user.
 
 

Discovery tactics

Discovery tactics are used in order to determine if the malware runs in a real system or in a sandbox.
 
After setting the hook, a new thread is created in the address space of the calling process with CreateThread.
This thread retrieves the following information:
 
  • the mouse cursor position with GetCursorPos
  • the window that contains the mouse cursor with WindowFromPoint
  • the parent of this window
  • the thread identifier of the thread that created the parent window
 
The malware retrieves the handle of the last active popup window with GetLastActivePopup and the handle of the foreground window
with GetForegroundWindow. If the last active popup window was not opened by the foreground window, it brings the owner window to the
foreground.
 
It gets the number of milliseconds elapsed since the system was started with a first GetTickCount call. A check is then made to
see whether other threads are waiting to be executed (Sleep with a timeout of 0). If no other thread is waiting, Sleep returns
immediately. If the time elapsed between the two GetTickCount calls is less than 1 second, the function continues looping.
If a thread is waiting, that thread is executed and the function proceeds.
 
tick count

 

Data Exfiltration

All collected information is encrypted and then transferred to a C2C server.

 

 
