A phishing email was intercepted by Fortinet’s FortiGuard Labs as part of a phishing campaign that propagated a new QakBot variant. QakBot, a banking Trojan also known as QBot, QuackBot, or PinkslipBot, has been tracked and studied by security researchers since 2007.

Using the captured email, I conducted a thorough investigation of this phishing campaign and the new QakBot variant. The analysis below shows how the attached HTML page causes the new QakBot variant to be downloaded and run, what activities it performs on the victim’s device, and how it sends the data it gathers from the victim’s device to its C2 server.

Platforms impacted: Microsoft Windows

Parties impacted: Users of Microsoft Windows

Impact: Takes control of the victim’s device and gathers private data

Level of severity: Critical

Phishing Email and the Attached HTML File

The phishing email used by the attackers to trick the recipient into opening the “ScannedDocs 1586212494.html” attachment is shown in Figure. Fortinet’s FortiMail flagged this phishing email as SPAM.

Figure Display of the captured phishing email (Fortinet)

When the recipient opens the HTML file in a web browser, the JavaScript code embedded in the file runs automatically. It decodes a base64 string stored in a local variable and then calls the built-in function navigator.msSaveOrOpenBlob() to save the decoded data (a ZIP archive) to a local file named “ScannedDocs 1586212494.zip.” Figure shows the defined variables, including the ZIP file name and the base64 text.

Figure The JavaScript snippet code inside the HTML file (Fortinet)
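The HTML-smuggling pattern described above (a base64 blob in a script variable, written to disk through a browser save API) can be checked for on the mail gateway or by an analyst before the attachment is ever opened. The following scanner is an added example written for this article, not code from the campaign or from Fortinet; the sample HTML it scans is constructed in code, and the detection thresholds and file-extension list are assumptions.

```python
import base64
import io
import re
import zipfile

# Constructed sample in the style of the attachment described above: a base64
# ZIP in a variable, saved via navigator.msSaveOrOpenBlob(). The ZIP is built
# here so the example runs offline; its .lnk member is a placeholder, not the
# real shortcut.
def _build_sample_html() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ScannedDocs 1586212494.lnk", b"placeholder shortcut bytes")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><script>\n"
        'var fileName = "ScannedDocs 1586212494.zip";\n'
        f'var data = "{b64}";\n'
        "var bytes = atob(data);\n"
        "navigator.msSaveOrOpenBlob(new Blob([bytes]), fileName);\n"
        "</script></html>"
    )

# Browser APIs commonly used to drop a smuggled file (assumed list).
SAVE_APIS = ("msSaveOrOpenBlob", "msSaveBlob", "createObjectURL", "download=")
# A quoted base64 literal of at least 200 characters (assumed threshold).
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{200,}={0,2})["\']')
ZIP_MAGIC = b"PK\x03\x04"

def scan_html(html: str) -> dict:
    """Report the save API used, any embedded base64 blob that decodes to a
    ZIP archive, and whether the archive holds an executable-type member."""
    report = {"save_api": None, "zip_members": [], "suspicious": False}
    for api in SAVE_APIS:
        if api in html:
            report["save_api"] = api
            break
    for m in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not valid base64 padding/length; skip this literal
        if blob.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                report["zip_members"] = zf.namelist()
    # Save API paired with an archived shortcut or script is the campaign's pattern.
    risky = (".lnk", ".js", ".vbs", ".exe")
    report["suspicious"] = bool(report["save_api"]) and any(
        n.lower().endswith(risky) for n in report["zip_members"])
    return report
```

Run `scan_html()` over the decoded HTML attachment; a hit on both a save API and a ZIP containing a `.lnk` member is worth quarantining before delivery.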

Downloading and executing QakBot

Next, the contents of the downloaded ZIP archive are examined. It contains a single Windows shortcut file named “ScannedDocs 1586212494.lnk.” As you may already be aware, commands can be executed by placing them in the Target field of a Windows shortcut file.

A screenshot of this shortcut file’s properties is shown in Figure 2.1.

Figure The Windows shortcut file and properties (Fortinet)

Process Hollowing

Process hollowing is a technique used by malware to inject malicious code or modules into another process in order to evade detection. QakBot selects a system process from a built-in list as the target for process hollowing, depending on the infected machine’s platform (32-bit or 64-bit) and the installed anti-virus software. For this variant the list includes OneDriveSetup.exe, explorer.exe, mobsync.exe, msra.exe, and iexplore.exe.

It chose “OneDriveSetup.exe” in my testing environment.

QakBot then calls the API CreateProcessW() with the creation flag CREATE_SUSPENDED, so that the new process is suspended at start.

By calling the API WriteProcessMemory(), it can then modify the memory of the newly created “OneDriveSetup.exe” process, for example by writing the QakBot core module into it. The code at the new process’s entry point is then patched to jump to the injected core module. Once the new process is resumed with the API ResumeThread(), QakBot runs inside the target process.

Figure shows a process tree of the relevant processes, from “curl.exe” downloading the QakBot loader through “OneDriveSetup.exe” hosting the hollowed core module.

Figure Overview of the process tree for relevant processes (Fortinet)


With this research, I was able to demonstrate that an attached HTML file is no safer than any other dangerous file type (such as MS Word, MS Excel, PDF, and so on). When you receive emails with attachments, you need to exercise extra caution.

I then described how a piece of auto-executing JavaScript dropped a ZIP archive from the HTML file. Later, I concentrated on how a bogus Windows shortcut file downloaded the QakBot loader module, and I discovered how the loader module deploys and decrypts the QakBot core module in a chosen target process (this time, OneDriveSetup.exe).

Finally, we walked through how QakBot started threads to connect to its C2 server using an IP address and port pair selected from a C2 server list that had been decrypted from its Resource “102”, as well as what sensitive data it extracted from the victim’s device and then submitted to its C2 server.