Severity
High
Analysis Summary
QBot, also known as QakBot, is modular information-stealing malware that has been operational since 2007. It is a banking Trojan that steals financial data from infected systems, and also a loader that uses C2 servers to target and download follow-on payloads. QakBot can propagate to other computers on the same network, mask its presence, and establish persistence on infected hosts. QakBot attacks are commonly delivered through a malicious attachment to a phishing email. This particular campaign uses an XLS file containing macros; when run, they execute a script that fetches the QakBot payload from a list of URLs. To get the victim to enable macros, the attackers employ a common trick: when the target opens the downloaded file, it asks them to allow changes and then to enable content before the document is displayed.
Over the last month, attackers have been observed using a number of strategies to avoid detection, including Excel 4.0 (XLM) macros and ZIP file extensions. They are using sophisticated techniques to evade automated detection and increase the likelihood that the attack will succeed, such as obfuscating code and using numerous URLs to deliver the payload. Threat actors disguise the malware-carrying attachments with a variety of common file names containing typical finance and business-operations keywords.
Impact
- Unauthorized Access
- Financial Theft
- Information Theft
Indicators of Compromise
MD5
- 0cffee80be59c6316a7132446b0da699
- 7805b0885e64e4ab56bbee1e7a42db0b
- 1b2fa277b7250a06f5a1217910a91fb6
SHA-256
- 8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274
- c5df8f8328103380943d8ead5345ca9fe8a9d495634db53cf9ea3266e353a3b1
- 26f5bc698dfec8e771b781dc19941e2d657eb87fe8669e1f75d9e5a1bb4db1db
SHA-1
- 80f524f04ef866cbc871b55f3d7e5786074671a4
- 65e523c6adf2957bd898d4c429e70985268e2804
- 7dec5a8ee273befdf6de5df063bb00f6f3777436
URL
- https://achar724.com/stt/index.php?tu-blaroe=2
- https://ac.net.pe/rmu/index.php?qiu-stlvauop=6
- https://abuhureira.sc.ke/roo/index.php?nude-ivtae=5
- https://a1revenue.com/ut/index.php?otid-urosmnt=3
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
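An added example (not code from the Rewterz alert) of the second remediation step: a small Python scanner that hashes files, looks inside ZIP attachments as the campaign description above warrants, and matches against the hash and URL indicators listed on this page. The sample ZIP builder and the file names it uses are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Hash and URL indicators taken from the alert above (hashes compared lower-case).
IOC_HASHES = {
    "md5": {"0cffee80be59c6316a7132446b0da699", "7805b0885e64e4ab56bbee1e7a42db0b",
            "1b2fa277b7250a06f5a1217910a91fb6"},
    "sha1": {"80f524f04ef866cbc871b55f3d7e5786074671a4", "65e523c6adf2957bd898d4c429e70985268e2804",
             "7dec5a8ee273befdf6de5df063bb00f6f3777436"},
    "sha256": {"8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274",
               "c5df8f8328103380943d8ead5345ca9fe8a9d495634db53cf9ea3266e353a3b1",
               "26f5bc698dfec8e771b781dc19941e2d657eb87fe8669e1f75d9e5a1bb4db1db"},
}
IOC_URLS = [
    "https://achar724.com/stt/index.php?tu-blaroe=2",
    "https://ac.net.pe/rmu/index.php?qiu-stlvauop=6",
    "https://abuhureira.sc.ke/roo/index.php?nude-ivtae=5",
    "https://a1revenue.com/ut/index.php?otid-urosmnt=3",
]

def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a byte string, the three hash types the alert lists."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def match_bytes(data: bytes, name: str) -> list:
    """Findings for one blob: file-hash hits plus any alert URL present as plain text
    (an encoded or obfuscated URL inside a macro will not be caught this way)."""
    hits = [f"{name}: {algo} {d} matches alert IOC" for algo, d in hashes_of(data).items()
            if d in IOC_HASHES[algo]]
    return hits + [f"{name}: contains alert URL {u}" for u in IOC_URLS if u.encode() in data]

def scan_blob(data: bytes, name: str, depth: int = 0) -> list:
    """Scan a blob and, since the lure often arrives inside a ZIP, its members (two levels deep)."""
    hits = match_bytes(data, name)
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= 50_000_000:  # skip huge members
                    hits += scan_blob(zf.read(info), f"{name}!{info.filename}", depth + 1)
    return hits

def build_sample_zip(member: str, content: bytes) -> bytes:
    """Constructed sample (not from the alert): a deflated ZIP holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()
```

Feeding every file from an attachment quarantine or download directory through scan_blob (os.walk plus open(path, "rb")) gives a whole-directory sweep; each finding names the file, or the ZIP member, that matched.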