Woman looking at screen

CISO Advisory: Bridewell CTI Uncovers "SODA" Qakbot Campaign Targeting UK Organisations

  1. Home
  2. Insights
  3. News
  4. CISO Advisory: Bridewell CTI Uncovers "SODA" Qakbot Campaign Targeting UK Organisations
Published 31 March 2023

Introduction

In an ever-evolving cybersecurity landscape, CISOs must remain vigilant and informed about the latest threats targeting their organisation's networks. Bridewell Cyber Threat Intelligence (CTI) has recently uncovered a new Qakbot malware campaign dubbed "SODA" targeting UK organisations. This campaign is particularly concerning due to its connection with Black Basta ransomware. As a CISO, it is crucial to understand the risks associated with this campaign and implement appropriate mitigation strategies to protect your organisation's sensitive data.

The Qakbot Threat

Qakbot is a sophisticated malware distributed through phishing emails and malicious websites, the malware connects to an attacker-controlled command-and-control (C2) server once installed, facilitating data theft and remote command execution. Qakbot is linked to the Black Basta ransomware, posing a serious threat to any UK organisation.

Black Basta Ransomware

Black Basta has emerged as a novel ransomware variant, employing encryption to lock down an affected system's files and subsequently demanding a ransom in cryptocurrency. This ransomware has showcased an advancement in its strategies and methodologies, such as the manipulation of Microsoft OneNote attachments. Notably, Black Basta has been detected targeting a diverse array of industries, encompassing finance, utilities, aviation, and critical infrastructure sectors. Given its association with the Qakbot malware and the current "SODA" campaign, Black Basta poses a significant threat to organisations within the UK.

The "SODA" Campaign - Qakbot > Cobalt Strike > Black Basta

The "SODA" campaign, beginning in early March, employs phishing emails disguised as legitimate correspondence containing a malicious Onenote attachment. The filename mimics a document from the recipient's "Documents" folder, such as DocumentsFolder_168032(Feb03).one. When opened, a malicious script installs Qakbot malware onto the victim's machine, potentially leading to a Black Basta ransomware infection.

In our in-depth analysis of the Qakbot-Black Basta attack chain, our team of intelligence analysts discovered several previously unidentified Cobalt Strike Servers. Notably, these servers are situated in Russia and share a significant connection with the same Autonomous System Number (ASN) AS207651. To establish their domains, the threat actors use Namecheap and designate Reykjavik, Iceland, as the administrative location. For increased security, they implement Let's Encrypt SSL certificates featuring 256-bit public-key encryption. Moreover, the infrastructure incorporates ns* subdomains as a key component.

Qakbot plays a crucial role in collecting essential information and transmitting it to the C2 server, which subsequently facilitates the intrusion of Cobalt Strike. These sophisticated frameworks provide cybercriminals with the means to exert control over the compromised system, carrying out a range of nefarious activities such as credential harvesting, lateral system infiltration, and the exfiltration of sensitive data

Bridewell CTI's Analysis

Bridewell CTI conducted an in-depth analysis of the C2 infrastructure and identified a list of IP addresses and hashes associated with the Qakbot malware. These indicators, available in the appendix, can help UK organisations bolster their defences against this threat. Additionally, Bridewell CTI analysed the phishing lures utilised in this campaign, revealing the filenames' deceptive nature, designed to trick victims into opening the attachments.

Mitigation Strategies

To safeguard your organisation against the "SODA" campaign and similar threats, it is essential to:

  1. Educate employees about the risks of opening attachments from unknown or suspicious senders.
  2. Ensure that your organisation utilises updated antivirus software and firewalls to detect and prevent Qakbot and Blackbasta infections.
  3. Search for the Indicators of Compromise (IoCs) listed in the appendix and set up reference sets for detection within your organisation's security tools.
  4. Be aware that a successful Qakbot infection can lead to Cobalt Strike being deployed on the network. If your organisation requires further information on detecting Cobalt Strike, please contact Bridewell directly.
  5. Implement a Managed Detection and Response (MDR) service to proactively monitor, detect, and respond to threats targeting your organisation.
  6. Leverage a Vulnerability Management service to identify and remediate security weaknesses within your organisation's network and systems.
  7. Incorporate a Cyber Threat Intelligence (CTI) services to stay informed of emerging threats and obtain tailored intelligence to enhance your organisation's cybersecurity posture.

Conclusion

The "SODA" Qakbot campaign, linked to Black Basta ransomware and potentially leading to Cobalt Strike deployment, poses a significant risk to UK organisations. CISOs must remain vigilant and take proactive measures to protect their networks against this evolving threat. By implementing robust cybersecurity measures, leveraging MSSP services, and staying informed of emerging threats, you can help ensure your organisation's data remains secure from cybercriminals.

Cobalt Strike:

212[.]118[.]55[.]225

ns3[.]fllrnd[.]com
fllrnd[.]com
ns1[.]fllrnd[.]com
ns4[.]fllrnd[.]com

212[.]118[.]42[.]219

ns4[.]peiploersea[.]com
ns1[.]peiploersea[.]com
ns3[.]peiploersea[.]com
ns2[.]peiploersea[.]com

46[.]149[.]73[.]157

ns2[.]seestatreading[.]com
ns3[.]seestatreading[.]com
seestatreading[.]com
ns4[.]seestatreading[.]com

Qakbot C2s:

77[.]91[.]100[.]65
94[.]131[.]117[.]111
51[.]38[.]158[.]119
46[.]246[.]97[.]157
137[.]74[.]39[.]237
141[.]94[.]86[.]90
199[.]247[.]30[.]203
85[.]239[.]41[.]205
198[.]44[.]140[.]75
154[.]7[.]253[.]203
87[.]236[.]146[.]162
208[.]123[.]119[.]204
185[.]205[.]187[.]235
51[.]79[.]224[.]43
142[.]44[.]218[.]199
66[.]135[.]3[.]172
87[.]236[.]146[.]160
79[.]141[.]165[.]222
77[.]83[.]198[.]142
45[.]159[.]251[.]147
154[.]29[.]74[.]133
45[.]155[.]37[.]142
46[.]246[.]98[.]156
79[.]141[.]166[.]135
174[.]139[.]150[.]139
15[.]204[.]49[.]247
94[.]131[.]104[.]128
45[.]76[.]141[.]242
185[.]106[.]102[.]73
138[.]199[.]46[.]15
91[.]199[.]147[.]206
15[.]204[.]49[.]226
45[.]86[.]231[.]23
79[.]141[.]174[.]48
87[.]236[.]146[.]124
45[.]8[.]191[.]141
154[.]7[.]253[.]191
45[.]155[.]37[.]136
216[.]146[.]25[.]57
172[.]96[.]137[.]149
94[.]131[.]97[.]232
98[.]142[.]254[.]181
104[.]225[.]129[.]101
185[.]231[.]205[.]246
216[.]238[.]76[.]210
51[.]195[.]49[.]210
159[.]27[.]228[.]193
159[.]27[.]13[.]161
159[.]27[.]237[.]87
52[.]131[.]223[.]156
40[.]73[.]66[.]90
51[.]195[.]49[.]210

Bridewell avatar logo
Author
Bridewell
Cyber Threat Intelligence Team

Bridewell's Cyber Threat Intelligence team specialised in C2 malware hunting. Uncovering & neutralising cyber threats before they strike.