Qulab
Malware
⚠️ Overview
Qulab is a credential-stealing trojan first documented by Cisco Talos in February 2017. It is attributed to the Russian-speaking threat group TA505 (also tracked as FIN11 and GRACEFUL SPIDER) and is classified as a malware loader and information stealer, primarily targeting financial institutions and the retail sector.
🔧 Technical Capabilities
Qulab propagates via malicious email attachments that drop a first-stage VBScript dropper, which then fetches the main payload from a remote C2 server using HTTP POST requests with encrypted data. The malware establishes persistence by creating a scheduled task or modifying the Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It employs evasion techniques such as checking for sandbox environments, delaying execution using Sleep() calls, and terminating when it detects analysis tools like Process Explorer or Wireshark. Qulab collects credentials from web browsers (Chrome, Firefox, Internet Explorer) and FTP clients, exfiltrating them via HTTPS to attacker-controlled domains. It also uses a custom XOR-based encryption to obfuscate its configuration strings and network traffic.
📜 History & Notable Incidents
Qulab was first observed in early 2017 targeting European banks and retail chains, with a notable campaign in May 2017 that leveraged Dridex infrastructure. In July 2018, Proofpoint reported Qulab being distributed alongside FlawedAmmyy RAT in TA505 campaigns. No high-profile CVEs are directly linked to Qulab itself, but its operators frequently exploited CVE-2017-0199 (Microsoft Office OLE2Link vulnerability) to deliver the initial dropper. Law enforcement actions specifically targeting Qulab have not been publicly documented, but TA505 infrastructure takedowns by the FBI in 2020 disrupted related botnets.
🔍 Detection Indicators
Known file hashes for Qulab samples include SHA256 a3f1b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (example from Talos 2017 report) and 2c7f3b8a1d9e0f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2. Behavioral signatures include the creation of mutex QulabMutex_2017 and registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Qulab. Network IOCs include HTTP POST requests to /gate.php or /images/loader.php on domains ending with .ru or .com, with a User-Agent string of Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0.
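As an added example (not part of the original profile), the network indicators above turned into a small detector run over a few constructed proxy log lines. The log layout, the placeholder hosts and client addresses are assumptions; only the gate paths and User-Agent string come from the profile.

```python
import re

# Indicators quoted in the profile above.
QULAB_PATHS = {"/gate.php", "/images/loader.php"}
QULAB_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"

# Assumed proxy-log layout: <timestamp> <client_ip> <method> <host><path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>[^/\s]+)(?P<path>/\S*) "(?P<ua>[^"]*)"$'
)

def score_line(line):
    """Return a hit dict if the line looks like Qulab C2 beaconing, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":  # the profile describes POST beaconing only
        return None
    reasons = []
    if m["path"] in QULAB_PATHS:
        reasons.append("qulab_gate_path")
    if m["ua"] == QULAB_UA:
        reasons.append("qulab_user_agent")
    # The ".ru or .com" TLD hint from the profile is far too broad to score on,
    # so it is deliberately not used as a reason here.
    if not reasons:
        return None
    return {
        "ts": m["ts"], "src": m["src"], "url": m["host"] + m["path"],
        "reasons": tuple(reasons),
        # Gate path plus the fixed User-Agent together is the strong signal;
        # either one alone deserves a look but is not conclusive.
        "severity": "high" if len(reasons) == 2 else "medium",
    }

def scan(lines):
    """Run score_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(score_line, lines) if hit is not None]

# Constructed sample log (not real traffic); hosts and addresses are placeholders.
SAMPLE_LOG = [
    '2017-05-12T10:01:02Z 10.0.0.15 POST update-srv.example.ru/gate.php "' + QULAB_UA + '"',
    '2017-05-12T10:01:05Z 10.0.0.15 GET cdn.example.com/images/loader.php "' + QULAB_UA + '"',
    '2017-05-12T10:02:11Z 10.0.0.22 POST www.example.com/login "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/89.0"',
    '2017-05-12T10:03:40Z 10.0.0.31 POST static.example.com/images/loader.php "curl/7.58.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["src"], hit["url"], ",".join(hit["reasons"]))
```

Only the first sample line matches both indicators and is rated high; the GET to the loader path is ignored because the profile describes POST traffic, and the curl POST to /images/loader.php is flagged at medium for triage.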
☠️ Risk & Impact
Qulab primarily steals banking credentials and personally identifiable information (PII) from infected systems, leading to financial fraud and account takeover. The malware has been linked to TA505 campaigns affecting the retail, financial services, and healthcare sectors in North America and Europe, with individual incidents resulting in losses exceeding $1 million per organization according to a 2019 FBI FLASH alert.
🛡️ Mitigation
Defenders should filter .docm and .js email attachments, enable Attack Surface Reduction rules that block Office macro execution, and deploy network detection signatures for HTTP POST requests to unknown domains carrying the Qulab User-Agent. The MITRE ATT&CK techniques associated with Qulab include T1059.001 (Scripting), T1055.001 (Process Injection), and T1110 (Brute Force), and organizations should apply patches for CVE-2017-0199 and related Office vulnerabilities.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.