The trusted leader in cybersecurity for enterprise and government.
Schedule a Demo
#1 proactive cyber defense solution

There’s a Reason the Most Important Data on Earth is protected by Fidelis

  • 5 of the 6 US Military Branches Defended
  • 7 of the 10 Largest US Government Agencies Protected
  • 6.7M Year-to-Date High Severity Malware Threats Identified
  • 16K Year-to-Date Critical Vulnerability Exploitation Attempts Detected

Protecting the leading enterprises and government agencies worldwide for over 20 years.

  • 7 of the 10 largest US government agencies
  • 5 of the 6 branches of the US military
  • #1 largest cellphone manufacturer in the world
  • #1 largest pharmacy chain in the world
  • #1 largest mobile service provider in the US
  • #1 largest defense contractor in the world
  • #1 largest pharmaceutical company in the world
  • #1 largest convenience store chain in the world

Why is Fidelis winning against its competitors?

Our customers detect post-breach attacks over 9x faster.

The Fidelis Challenge.

No one sees what we see and we'll prove it

Run Fidelis Elevate in your enterprise environment for 30 days. We guarantee we will find threats your current provider has never even seen. If we are wrong, we will pay you $50,000 or donate $50,000 to a children’s charity of your choice.

Products

Discover Our Product

Take the Fidelis Challenge: 
Run Fidelis in your environment for 30 days. We guarantee we will find threats your current provider has never even seen. If we are wrong, we will write you a check for $25,000 or donate to a charity of your choice.

Integrations

Testimonials

What Our Clients Say About Us

Lyell Immunopharma DevSecOps Engineer

Policy assignments work surprisingly well. I can just set policies for our assets and servers, and those policies apply to any new instances that we spin up.

Lauda Director of Information Technology

I know it’s unlikely to ever be 100% secure, but QGroup and Fidelis give me confidence that our security is at the highest possible level.

Merit Awards Executive Director

Fidelis achieves Gold in Cybersecurity from Merit Awards: “...a reflection of the innovations and technology advancements the industry has made over the last year.”

Resources

Check Out Our Recent Content

October 2022 Threat Intelligence Summary

The Fidelis Cybersecurity Threat Intelligence Summary highlights the most critical emerging vulnerabilities and malware. Inside this report, you’ll find a sampling of recent government reporting that highlights the tools and tactics currently in use by Advanced Persistent Threat (APT) actors. We also present some of the most exploited vulnerabilities throughout October 2022, and provide insight into the most pervasive malware threats so you’ll know what to look for as you fortify your own cyber defenses.

November 2022 Threat Intelligence Summary

The Fidelis Cybersecurity Threat Intelligence Summary highlights the most critical emerging vulnerabilities and malware. The November 2022 report outlines CISA’s new strategy. It also examines the return of an old botnet, supply chain attacks leveraged against news organizations, ongoing data breaches, and more. And it presents updated metrics on the most prevalent and urgent vulnerabilities and malware threats affecting the global cyber community.

New Variants of Qakbot Banking Trojan

Qakbot (aka Qbot or Pinkslipbot) is a banking trojan first discovered in 2008. It is a self-propagating virus designed to steal sensitive data on target networks. Qakbot also provides remote code execution (RCE) capabilities, allowing attackers to manually achieve secondary objectives, such as scanning the compromised network or injecting ransomware. Qakbot’s modules allow automated targeting of financial data, locally stored emails, system passwords or password hashes, website passwords, and cookies from web browser caches. Attackers can also use Qakbot to steal credentials by logging keystrokes. 

This blog post analyzes two new distribution vectors Qakbot uses for initial infection of targeted systems. From 2020 through 2022, Qakbot leveraged a variety of infection vectors that originate in malware phishing campaigns (Figure 1). However, in recent months, Qakbot has successfully infected networks via Microsoft OneNote files (.one file extension) and HTML application files (.hta file extension).

Figure 1: Qakbot Distribution Vectors

Qakbot Detection Challenges

Qakbot routinely defies antivirus (AV) systems, making its presence difficult to spot. The malware persists in a local system environment and will not decrypt its payload or execute in some scenarios, such as when it detects virtualization, certain security products, or specific Windows Registry keys. This allows Qakbot to conceal itself and prevents security researchers from discovering and analyzing the payload. Another Qakbot stealth strategy is injecting itself (or piggybacking) into legitimate application processes.

One potential indicator of a Qakbot compromise is an unauthorized run key in the Windows Registry. Registry run keys facilitate automatic program execution upon user log-in or system start-up. Qakbot leverages that functionality to auto-start itself, which facilitates persistence on a system. However, Qakbot routinely receives updates in response to published security research so that it can mask its known indicators of compromise (IOCs) and make it difficult for security teams to hunt for this threat with confidence.
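One way a defender can act on the run-key indicator above is to export the Run and RunOnce keys with `reg query` and triage the entries offline. The Python below is an added example, not code from the Fidelis post: it parses the text that `reg query` prints and scores each auto-start command against a few heuristics. The heuristics, the two-signal threshold, and the sample export (host paths and value names) are assumptions made for illustration; only the key locations and the .dat/.one/.hta file types come from the text.

```python
"""Triage Windows Run-key entries for Qakbot-style auto-start persistence.

Added example, not code from the Fidelis post. It parses the text that
`reg query <key>` prints, so it runs offline against an export collected from a
host. The scoring heuristics and the sample export below are this example's
own assumptions; only the run-key locations and the .dat/.one/.hta file types
come from the post.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Auto-start locations the post calls out (T1547.001 in its ATT&CK table).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Weak signals; one alone is common for legitimate software, so two or more are required.
PAYLOAD_EXT = re.compile(r"\.(dat|one|hta)\b", re.I)                 # payload/dropper types in the post
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
LAUNCHER = re.compile(r"\b(mshta|powershell|cmd)(\.exe)?\b", re.I)   # script hosts named in the post
RANDOM_DAT = re.compile(r"\\[A-Za-z0-9]{8,}\.dat\b", re.I)            # randomly named .dat payload

# One `reg query` value line: "<indent>Name<2+ spaces>REG_TYPE<2+ spaces>Value"
VALUE_LINE = re.compile(r"^\s{2,}(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<value>.*)$")


@dataclass
class RunEntry:
    key: str
    name: str
    value: str
    reasons: List[str] = field(default_factory=list)


def parse_reg_query(text: str) -> List[RunEntry]:
    """Parse `reg query` output: a key line followed by indented value lines."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key and any(key.lower().startswith(k.lower()) for k in RUN_KEYS):
            entries.append(RunEntry(key, m["name"].strip(), m["value"].strip()))
    return entries


def triage(entries: List[RunEntry]) -> List[RunEntry]:
    """Attach a reason for every heuristic the auto-start command trips."""
    checks = (
        (PAYLOAD_EXT, "references a non-executable payload type (.dat/.one/.hta)"),
        (USER_WRITABLE, "runs from a user-writable directory"),
        (LAUNCHER, "uses a script host as the auto-start program"),
        (RANDOM_DAT, "points at a randomly named .dat file"),
    )
    for e in entries:
        e.reasons = [why for rx, why in checks if rx.search(e.value)]
    return entries


def suspicious_autostarts(text: str, min_reasons: int = 2) -> List[RunEntry]:
    """Entries that trip at least `min_reasons` heuristics."""
    return [e for e in triage(parse_reg_query(text)) if len(e.reasons) >= min_reasons]


# Constructed export (assumed host, user and file names). The OneDrive entry is a
# legitimate auto-start that trips exactly one weak signal and must not be flagged.
SAMPLE_EXPORT = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Update    REG_SZ    powershell.exe -w hidden -c "Start-Process 'C:\Users\alice\AppData\Roaming\Microsoft\kZ8d3Qw1.dat'"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
'''

if __name__ == "__main__":
    for e in suspicious_autostarts(SAMPLE_EXPORT):
        print(f"{e.key}\\{e.name}: {e.value}")
        for why in e.reasons:
            print("  -", why)
```

The threshold matters: a single signal such as "runs from a user-writable directory" describes most per-user installers, so an entry is surfaced only when two or more heuristics agree, and the attached reasons tell the analyst what to verify on the host.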

Latest Distribution Techniques

The most effective way to track Qakbot is to keep up with the latest attack vectors. This section outlines two new distribution techniques seen in the wild as of March 2023.

Technique 1: Distribution Via a OneNote File

A .one file is a notebook created by the Microsoft OneNote office productivity application. These files contain one or more sections, each containing pages of notes. OneNote files may contain text, digitized handwriting, and objects pasted from other applications, such as images, drawings, and audio or video clips. 

Qakbot campaigns using the OneNote attack vector originate as phishing emails. In this technique, the malware masquerades as a .one file attachment. User interaction with the attachment begins the infection process. The malware drops its executable payload (a randomly named .dat file) at a targeted path through execution of Windows command line and PowerShell scripts. The Qakbot PowerShell script also disables Windows Defender’s real-time detection capabilities. Upon successful launch of the payload file, the Qakbot infection communicates back to its command and control (C2) server to exchange stolen data and establish further infection capabilities.

Figure 2: PowerShell Dropper Component

Figure 3: Qakbot Infection Chain Via OneNote Files

Technique 2: Distribution Via an HTML Application File 

The .hta file extension is a file format used in HTML applications. HTML applications can contain hypertext code, Visual Basic scripts, or JavaScript code, depending on the program setup. Since .hta files are treated as stand-alone programs, they can execute outside of the confines of a browser’s security context. Because of this, they are treated as trusted applications. The text format of .hta files makes them editable by any program that can edit plain text. The default file association for the .hta extension is the Microsoft HTML Application Host (mshta.exe). These files store executable code that can be run from an HTML document.

As with the majority of malware, Qakbot’s initial infection vector relies upon spam emails and unsuspecting user interaction. Once the user opens the .hta file attachment, the embedded malicious JavaScript serves as a loader to drop an executable payload (again, a randomly named .dat file) to its targeted file path. Upon launching the payload file, the Qakbot infection communicates with its C2 server.

Figure 4: Qakbot Infection Chain Via HTML Application Files

Follow-on Actions 

Once the malicious .dat file is executed, it communicates back to the command-and-control server located at (in this case) 139.99.117.17. As shown in Figure 5, this is a well-known malicious host.

Figure 5: Command and Control Server
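The two infection chains (Figures 3 and 4) and the C2 contact in Figure 5 translate directly into endpoint detection rules: an Office application spawning a script host, mshta.exe running an .hta from a user-writable path, a PowerShell command that turns off Defender real-time protection, a randomly named .dat being launched, and a connection to the known C2 address. The Python below is an added example, not Fidelis code; it runs those rules over constructed Sysmon-style process-creation and network-connection events. The field names, host paths, the `DisableRealtimeMonitoring` switch as the assumed Defender tamper method, and every address other than 139.99.117.17 are assumptions for illustration; the ATT&CK IDs on the alerts are the ones in the post's table.

```python
"""Flag the Qakbot infection chain described in the post in endpoint telemetry.

Added example, not code from the Fidelis post. Events are constructed dicts
shaped like Sysmon process-creation (Event ID 1) and network-connection
(Event ID 3) records; the field names, hostnames, paths and all addresses
other than the post's C2 server are assumptions made for this example.
"""
import re
from typing import Dict, Iterable, Iterator, List, Tuple

C2_IOCS = {"139.99.117.17"}                      # C2 server named in the post (Figure 5)
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
RANDOM_DAT = re.compile(r"\\[A-Za-z0-9]{6,}\.dat\b", re.I)       # randomly named .dat payload
DEFENDER_OFF = re.compile(r"DisableRealtimeMonitoring", re.I)    # Set-MpPreference switch (assumed tamper method)

Alert = Tuple[str, str, str]   # (rule name, ATT&CK ID from the post's table or a description, image)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_rules(ev: Dict) -> Iterator[Alert]:
    """Rules for a process-creation event (Technique 1 and 2 chains, Figures 2 to 4)."""
    image = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent == "onenote.exe" and image in SCRIPT_HOSTS:
        yield ("onenote_spawns_script_host", "T1218.005", ev["Image"])
    if image == "mshta.exe" and ".hta" in cmd.lower() and USER_WRITABLE.search(cmd):
        yield ("hta_from_user_writable_path", "T1204.002", ev["Image"])
    if image == "powershell.exe" and DEFENDER_OFF.search(cmd):
        yield ("defender_realtime_disabled", "Defender tamper (Figure 2)", ev["Image"])
    if RANDOM_DAT.search(cmd):
        yield ("random_dat_payload", "payload drop (Figures 3 and 4)", ev["Image"])


def network_rules(ev: Dict) -> Iterator[Alert]:
    """Rules for a network-connection event (Follow-on Actions, Figure 5)."""
    if ev.get("DestinationIp") in C2_IOCS:
        yield ("known_c2_contact", "T1071.001", ev["Image"])


def detect(events: Iterable[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts.extend(process_rules(ev))
        elif ev["EventID"] == 3:
            alerts.extend(network_rules(ev))
    return alerts


# Constructed telemetry from one assumed host; only 139.99.117.17 comes from the post.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -f C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true; "
                    "Start-Process 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\qT4x8LmN.dat'\""},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\Invoice_0423.hta"'},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\qT4x8LmN.dat",
     "DestinationIp": "139.99.117.17", "DestinationPort": 443},
    # Benign activity that must stay quiet (203.0.113.10 is a documentation-range address).
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, ref, image in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {ref:32} {image}")
```

The rules are deliberately independent so that each one is cheap to tune or suppress; correlating them by process GUID into a single incident is the natural next step once the individual alerts are trusted.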

Once the system is infected, Qakbot will: 

  • Collect information about the compromised host
  • Create scheduled tasks to escalate privileges and establish persistence
  • Harvest credentials
  • Dump credentials (.exe access)
  • Steal passwords from browser history and cookies
  • Target web banking links with web injects
  • Perform brute-force password guessing
  • Manipulate the Windows Registry to maintain persistence
  • Self-replicate
  • Perform process injection to conceal its operations

MITRE ATT&CK Tactics & Techniques: 

ID      Tactic                       Technique
TA0001  Initial Access               T1566.001 – Spearphishing Attachment
TA0002  Execution                    T1027 – Obfuscated Files or Information
                                     T1204.001 – Links via OneNote/.hta file
                                     T1204.002 – Attachment file via OneNote/.hta file
TA0003  Persistence                  T1053.005 – Scheduled Task
                                     T1547.001 – Registry Run Keys / Startup Folder
TA0004  Privilege Escalation         T1053.005 – Scheduled Task
TA0005  Defense Evasion              T1027.002 – Software Packing
                                     T1055 – Process Injection
                                     T1218.005 – OneNote spawns MSHTA to execute embedded .hta file
                                     T1497.001 – System Checks
TA0006  Credential Access            T1003 – OS Credential Dumping
                                     T1110.001 – Password Guessing
                                     T1555.003 – Credentials from Web Browsers
TA0007  Discovery                    T1016 – System Network Configuration Discovery
TA0011  Command and Control Server   T1071.001 – Web Protocols
                                     T1090 – Proxy
                                     T1090.002 – External Proxy

Fidelis Elevate detects Qakbot Banking Trojan automatically as part of the curated and in-house intelligence feeds that provide insight into the most pressing threats. Additionally, Fidelis Network’s active threat detection can help narrow the search by providing insight into the exact MITRE ATT&CK TTPs that are present in customer environments. 

Stay Up to Date with the Monthly Threat Intelligence Summary

Every month, the Fidelis Cybersecurity Threat Research Team analyzes the latest cyber security news, threats, vulnerabilities, and exploits. These findings are published in the Threat Intelligence Summary, along with useful links and analysis so that you can stay ahead of threats. Be sure to read the latest report. Also, subscribe to the Threat Geek blog for timely information that matters most to cyber security professionals.

May 2023 Threat Intelligence Summary

The Fidelis Cybersecurity Threat Intelligence Summary highlights the most critical emerging vulnerabilities and malware. The May 2023 report details significant ransomware activity from several different groups, including a shift in tactics for BianLian; Google’s launch of new consumer security features; and new vulnerabilities, exploits, and attacks that targeted both government and private organizations worldwide. The report also analyzes highly significant and emerging vulnerabilities and seismic malware activity observed in our sandbox environment and in open reporting sources.

May 2022 Threat Summary

The Fidelis Cybersecurity Threat Research Team’s latest report shows a shifting threat landscape that includes the resurgence of familiar adversaries, alongside new state-sponsored attacks, high severity malware, and critical vulnerability exploitation attempts. Fidelis Cybersecurity provides continued coverage and vigilance on the most menacing threats and vulnerabilities so you can protect against current threats and stay ahead of whatever comes next.

Mastering Active Directory Security

Active Directory (AD) is the gateway to an estimated 90% of networks worldwide, making it a primary attack vector. Reclaim your advantage over your adversary by becoming a master of AD defense.
