
Rewterz Threat Alert – Latest Attack Techniques From Qbot

August 31, 2020

Severity

High

Analysis Summary

Researchers have examined the new techniques exhibited by Qbot (aka Qakbot and Pinkslipbot), a decade-old banking Trojan. The malware steals information such as passwords, emails, and credit card data, and it can also act as a downloader for other malware, including ransomware packages. On command from the bot controller, Qbot on an infected system can connect to financial services and make transactions with the victim's credentials. It can also send replies from stolen email threads to other potential victims, making those replies appear legitimate. Researchers also observed an Emotet campaign that dropped a newer copy of Qbot on victims' systems.

August saw a new malspam campaign distributing Qbot. Most victims were in the US and Europe, with government, military, and manufacturing the most targeted sectors. The infection vector is an email, possibly a thread stolen from a previous victim, carrying a malicious attachment or URL. A Visual Basic Script (VBS) stored in a malicious archive starts the infection process. Using VBS as a standalone script is relatively new for malware (since April 2020); normally VBS appears as the macro inside a weaponized Word document. The VBS file is padded with NULL bytes to make it larger than 35 megabytes, a size most sandboxes skip. Once activated, the script sleeps for a period of time, again to evade sandbox environments. It uses obfuscation along with a number of anti-virtual-machine and anti-debugging techniques to avoid detection. Persistence is gained through registry keys and a scheduled task.

Impact

  • Credential theft
  • Information theft

Indicators of Compromise

MD5

  • a58a2f4276ad7692cd1d01beecc7eed0
  • 14c29c6a94f9b6aa43bbcf586dec1fb9
  • 93d6d599c37d1858cc86c0d8fe8fb8d4
  • d51f374590072996140b93287cb7cdc9
  • 34cf62f367b9da050939245695390c42
  • a59a669a40ecdfdf9d3ae0c3f2b2db34
  • f696de6ab66d885d1e0c20ccae7f1857
  • c08a6f53d33dd343590ba158340e2318
  • 82cf18a1649a148eb97b8b3437d18cd3
  • d8d46ba41c915d45d955a2394996c07f
  • 1e586ea1d4544d3429ca0c49b33ff67e

SHA-256

  • 965f1386d1a049a03fc25945c0d2834d7e0abd9c3a9ade5e8bc8a7bad9f13889
  • 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca
  • c8810d5eaaea95b36bbb529a2b9be5c5e6dda10f95992e7c35ac8bbf9f3a8f71
  • ebbbaa3d2982d7bae07da73bc6691955752838cab06962a99f1d3864f5bfc5fa
  • fe45094da4fcac7856914d138ba9210c786c753fffdda5a5c484a53b7c5fda4d
  • 7fc3f5e06bbaad459af71d3c0d28c51b7802546984f886f14a1b12a779fff6f8
  • 985fdf90defa2f38c71006c522b6b55081b4b39fcd413f9ef3b7308fad4df42c
  • 5b237261c3360c96fc8a5bbbe97bdc9d01ef4a64b8f977ccd65e894820df5f8c
  • e1d2fd3474c4c3f40fce7b882bd9135a584483d8540881d17e1f54527a0939a7
  • 19c17f78595ad6d4ac16b790231337a01992709b530d95d19d1d247078aa212d
  • 80eb5b91bdeeaea456de77e716942bc666ed4c152f5274c4317cd6740dcda8e8

SHA1

  • 9001DF2C853B4BA118433DD83C17617E7AA368B1
  • 449F2B10320115E98B182204A4376DDC669E1369
  • F85A63CB462B8FD60DA35807C63CD13226907901
  • B4BC69FF502AECB4BBC2FB9A3DFC0CA8CF99BA9E
  • 1AAA14A50C3C3F65269265C30D8AA05AD8695B1B
  • 577522512506487C63A372BBDA77BE966C23CBD1
  • 75107AEE398EED78532652B462B77AE6FB576198
  • 674685F3EC24C72458EDC11CF4F135E445B4185B
  • BECD8F2D6289B51981F07D5FF52916104D764DD5
  • 18E8971B2DE8EA3F8BB7E1462E414DA936425D4E
  • 4C96D2BCE0E12F8591999D4E00498BCDB8A116DE

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
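The following script is an added example of the second remediation step; it is not Rewterz tooling and is not part of the original advisory. It walks a directory, hashes each file with MD5, SHA1 and SHA-256, compares the results against the hash IoCs listed above, and also flags the dropper trait the summary describes: a `.vbs` file padded with NULL bytes beyond 35 MB. The hash values are copied from the advisory; the function names, the 90% null-byte ratio and the directory-walk design are assumptions of this example.

```python
"""Hunt for the Qbot advisory's hash IoCs and its null-padded VBS dropper trait.

Added example for this advisory, not Rewterz tooling. Hash constants are copied
from the advisory's IoC lists; the 35 MB size comes from the advisory's summary.
The null-byte ratio threshold and everything else here are assumptions.
"""
import sys
from hashlib import md5, sha1, sha256
from pathlib import Path
from typing import Dict, List

# IoCs from the advisory, lower-cased so matching is case-insensitive.
ADVISORY_IOCS = {
    "md5": {
        "a58a2f4276ad7692cd1d01beecc7eed0", "14c29c6a94f9b6aa43bbcf586dec1fb9",
        "93d6d599c37d1858cc86c0d8fe8fb8d4", "d51f374590072996140b93287cb7cdc9",
        "34cf62f367b9da050939245695390c42", "a59a669a40ecdfdf9d3ae0c3f2b2db34",
        "f696de6ab66d885d1e0c20ccae7f1857", "c08a6f53d33dd343590ba158340e2318",
        "82cf18a1649a148eb97b8b3437d18cd3", "d8d46ba41c915d45d955a2394996c07f",
        "1e586ea1d4544d3429ca0c49b33ff67e",
    },
    "sha1": {
        "9001df2c853b4ba118433dd83c17617e7aa368b1", "449f2b10320115e98b182204a4376ddc669e1369",
        "f85a63cb462b8fd60da35807c63cd13226907901", "b4bc69ff502aecb4bbc2fb9a3dfc0ca8cf99ba9e",
        "1aaa14a50c3c3f65269265c30d8aa05ad8695b1b", "577522512506487c63a372bbda77be966c23cbd1",
        "75107aee398eed78532652b462b77ae6fb576198", "674685f3ec24c72458edc11cf4f135e445b4185b",
        "becd8f2d6289b51981f07d5ff52916104d764dd5", "18e8971b2de8ea3f8bb7e1462e414da936425d4e",
        "4c96d2bce0e12f8591999d4e00498bcdb8a116de",
    },
    "sha256": {
        "965f1386d1a049a03fc25945c0d2834d7e0abd9c3a9ade5e8bc8a7bad9f13889",
        "7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca",
        "c8810d5eaaea95b36bbb529a2b9be5c5e6dda10f95992e7c35ac8bbf9f3a8f71",
        "ebbbaa3d2982d7bae07da73bc6691955752838cab06962a99f1d3864f5bfc5fa",
        "fe45094da4fcac7856914d138ba9210c786c753fffdda5a5c484a53b7c5fda4d",
        "7fc3f5e06bbaad459af71d3c0d28c51b7802546984f886f14a1b12a779fff6f8",
        "985fdf90defa2f38c71006c522b6b55081b4b39fcd413f9ef3b7308fad4df42c",
        "5b237261c3360c96fc8a5bbbe97bdc9d01ef4a64b8f977ccd65e894820df5f8c",
        "e1d2fd3474c4c3f40fce7b882bd9135a584483d8540881d17e1f54527a0939a7",
        "19c17f78595ad6d4ac16b790231337a01992709b530d95d19d1d247078aa212d",
        "80eb5b91bdeeaea456de77e716942bc666ed4c152f5274c4317cd6740dcda8e8",
    },
}

PADDED_SCRIPT_MIN_BYTES = 35 * 1024 * 1024  # advisory: VBS padded beyond 35 MB
NULL_RATIO_THRESHOLD = 0.90                 # assumption: mostly NUL bytes == padding
CHUNK = 1 << 20                             # read files 1 MiB at a time


def file_hashes(path: Path) -> Dict[str, str]:
    """Compute all three digests in a single streaming pass over the file."""
    digests = {"md5": md5(), "sha1": sha1(), "sha256": sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_iocs(hashes: Dict[str, str], iocs=ADVISORY_IOCS) -> List[str]:
    """Return the names of the hash algorithms whose value hits an IoC."""
    return [algo for algo, value in hashes.items() if value.lower() in iocs.get(algo, set())]


def null_byte_ratio(path: Path) -> float:
    """Fraction of the file that is NUL bytes; 0.0 for an empty file."""
    total = nulls = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            total += len(chunk)
            nulls += chunk.count(0)
    return nulls / total if total else 0.0


def looks_padded_script(path: Path, min_bytes: int = PADDED_SCRIPT_MIN_BYTES,
                        null_ratio: float = NULL_RATIO_THRESHOLD) -> bool:
    """True for an oversized .vbs whose bulk is NUL padding (the advisory's dropper trait)."""
    if path.suffix.lower() != ".vbs" or path.stat().st_size < min_bytes:
        return False
    return null_byte_ratio(path) >= null_ratio


def scan(root, iocs=ADVISORY_IOCS, min_bytes: int = PADDED_SCRIPT_MIN_BYTES) -> List[dict]:
    """Walk `root` and report files that hit an IoC or look like the padded dropper."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hashes = file_hashes(path)
        hits = match_iocs(hashes, iocs)
        padded = looks_padded_script(path, min_bytes)
        if hits or padded:
            findings.append({"path": str(path), "ioc_hits": hits, "padded_vbs": padded, **hashes})
    return findings


if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it as `python hunt_qbot.py /path/to/mail/attachments`. Hashing every file under a large tree is slow, so in practice scope it to download and mail-attachment directories, and treat the padded-VBS heuristic as a triage signal rather than a verdict: a hit on one of the advisory's hashes is conclusive, whereas a large, mostly-NUL `.vbs` only warrants a closer look.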