Severity
High
Analysis Summary
Researchers have examined the new techniques exhibited by Qbot (aka Qakbot and Pinkslipbot), a banking Trojan that has been active for about a decade. The malware steals information such as passwords, emails and credit card details, and also serves as a downloader for other malware, including ransomware. On command from the bot controller, Qbot on an infected system can connect to the victim's bank and make financial transactions with the victim's credentials. It can also use stolen emails to send replies to other potential victims, so that the replies appear to continue a legitimate conversation.

Researchers also observed an Emotet campaign that dropped a newer copy of Qbot on victims' systems, and in August a new malspam campaign distributing Qbot. Most victims of that campaign were in the US and Europe, with government, military and manufacturing organisations the most targeted.

The infection vector is an email, possibly a thread stolen from a previous victim, carrying a malicious attachment or URL. A Visual Basic Script (VBS) stored inside a malicious archive starts the infection. Using VBS as a standalone script is relatively new for Qbot (since April 2020); previously the VBS was delivered as the macro in a weaponized Word document. The VBS file is padded with NULL bytes so that it exceeds 35 megabytes, a size at which most sandboxes skip the file rather than analyse it. Once run, the script sleeps for a period of time, another attempt to outlast sandbox analysis. Obfuscation and a number of anti-virtual-machine and anti-debugging techniques are used to avoid detection. Persistence is gained through registry keys and a scheduled task.
Impact
- Credential theft
- Information theft (passwords, emails, credit card data)
- Financial fraud using the victim's stolen credentials
- Email thread hijacking to spread to further victims
- Delivery of additional malware, including ransomware
Indicators of Compromise
MD5
- a58a2f4276ad7692cd1d01beecc7eed0
- 14c29c6a94f9b6aa43bbcf586dec1fb9
- 93d6d599c37d1858cc86c0d8fe8fb8d4
- d51f374590072996140b93287cb7cdc9
- 34cf62f367b9da050939245695390c42
- a59a669a40ecdfdf9d3ae0c3f2b2db34
- f696de6ab66d885d1e0c20ccae7f1857
- c08a6f53d33dd343590ba158340e2318
- 82cf18a1649a148eb97b8b3437d18cd3
- d8d46ba41c915d45d955a2394996c07f
- 1e586ea1d4544d3429ca0c49b33ff67e
SHA-256
- 965f1386d1a049a03fc25945c0d2834d7e0abd9c3a9ade5e8bc8a7bad9f13889
- 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca
- c8810d5eaaea95b36bbb529a2b9be5c5e6dda10f95992e7c35ac8bbf9f3a8f71
- ebbbaa3d2982d7bae07da73bc6691955752838cab06962a99f1d3864f5bfc5fa
- fe45094da4fcac7856914d138ba9210c786c753fffdda5a5c484a53b7c5fda4d
- 7fc3f5e06bbaad459af71d3c0d28c51b7802546984f886f14a1b12a779fff6f8
- 985fdf90defa2f38c71006c522b6b55081b4b39fcd413f9ef3b7308fad4df42c
- 5b237261c3360c96fc8a5bbbe97bdc9d01ef4a64b8f977ccd65e894820df5f8c
- e1d2fd3474c4c3f40fce7b882bd9135a584483d8540881d17e1f54527a0939a7
- 19c17f78595ad6d4ac16b790231337a01992709b530d95d19d1d247078aa212d
- 80eb5b91bdeeaea456de77e716942bc666ed4c152f5274c4317cd6740dcda8e8
SHA-1
- 9001DF2C853B4BA118433DD83C17617E7AA368B1
- 449F2B10320115E98B182204A4376DDC669E1369
- F85A63CB462B8FD60DA35807C63CD13226907901
- B4BC69FF502AECB4BBC2FB9A3DFC0CA8CF99BA9E
- 1AAA14A50C3C3F65269265C30D8AA05AD8695B1B
- 577522512506487C63A372BBDA77BE966C23CBD1
- 75107AEE398EED78532652B462B77AE6FB576198
- 674685F3EC24C72458EDC11CF4F135E445B4185B
- BECD8F2D6289B51981F07D5FF52916104D764DD5
- 18E8971B2DE8EA3F8BB7E1462E414DA936425D4E
- 4C96D2BCE0E12F8591999D4E00498BCDB8A116DE
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Quarantine or block inbound email attachments that are archives containing script files such as .vbs, and treat a reply that arrives in an existing thread with an unexpected attachment or link as suspect, since Qbot reuses stolen threads.
- Make sure sandbox and email-scanning policies do not skip oversized attachments; the campaign's VBS is padded past 35 MB precisely to fall outside that limit.
- Hunt for the persistence described above: newly created scheduled tasks and registry Run keys that point at unexpected scripts or binaries.
- Since Emotet has been seen dropping Qbot, treat any Emotet infection as a likely Qbot infection and reset credentials used on affected hosts.
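The analysis above gives a defender two things to act on directly: the hash indicators listed under Indicators of Compromise, and the NULL-byte padding that pushes the VBS attachment past the size most sandboxes will scan. The script below is an added example, not part of the Rewterz advisory or any vendor tool. It hashes files against the advisory's indicators, flags a .vbs file that is over a size threshold and almost entirely 0x00 bytes, and reads a ZIP attachment's member table to spot the same trick without extracting anything (a padded script deflates to a tiny fraction of its uncompressed size, so a huge file_size beside a tiny compress_size is the campaign's signature as seen from the archive alone). The 90% NULL-byte cut-off, the sample script bytes, the file names and the lowered 1 KB threshold used for the demo are assumptions of this example, not figures from the advisory.

```python
"""Triage helper for the Qbot campaign in this advisory (added example, not Rewterz code).
The IOC_* sets below are copied from the Indicators of Compromise section above."""
import hashlib
import io
import os
import sys
import zipfile

IOC_MD5 = set("""
a58a2f4276ad7692cd1d01beecc7eed0 14c29c6a94f9b6aa43bbcf586dec1fb9 93d6d599c37d1858cc86c0d8fe8fb8d4
d51f374590072996140b93287cb7cdc9 34cf62f367b9da050939245695390c42 a59a669a40ecdfdf9d3ae0c3f2b2db34
f696de6ab66d885d1e0c20ccae7f1857 c08a6f53d33dd343590ba158340e2318 82cf18a1649a148eb97b8b3437d18cd3
d8d46ba41c915d45d955a2394996c07f 1e586ea1d4544d3429ca0c49b33ff67e
""".split())
IOC_SHA1 = set("""
9001DF2C853B4BA118433DD83C17617E7AA368B1 449F2B10320115E98B182204A4376DDC669E1369
F85A63CB462B8FD60DA35807C63CD13226907901 B4BC69FF502AECB4BBC2FB9A3DFC0CA8CF99BA9E
1AAA14A50C3C3F65269265C30D8AA05AD8695B1B 577522512506487C63A372BBDA77BE966C23CBD1
75107AEE398EED78532652B462B77AE6FB576198 674685F3EC24C72458EDC11CF4F135E445B4185B
BECD8F2D6289B51981F07D5FF52916104D764DD5 18E8971B2DE8EA3F8BB7E1462E414DA936425D4E
4C96D2BCE0E12F8591999D4E00498BCDB8A116DE
""".lower().split())  # listed in upper case above; hexdigest() is lower case
IOC_SHA256 = set("""
965f1386d1a049a03fc25945c0d2834d7e0abd9c3a9ade5e8bc8a7bad9f13889
7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca
c8810d5eaaea95b36bbb529a2b9be5c5e6dda10f95992e7c35ac8bbf9f3a8f71
ebbbaa3d2982d7bae07da73bc6691955752838cab06962a99f1d3864f5bfc5fa
fe45094da4fcac7856914d138ba9210c786c753fffdda5a5c484a53b7c5fda4d
7fc3f5e06bbaad459af71d3c0d28c51b7802546984f886f14a1b12a779fff6f8
985fdf90defa2f38c71006c522b6b55081b4b39fcd413f9ef3b7308fad4df42c
5b237261c3360c96fc8a5bbbe97bdc9d01ef4a64b8f977ccd65e894820df5f8c
e1d2fd3474c4c3f40fce7b882bd9135a584483d8540881d17e1f54527a0939a7
19c17f78595ad6d4ac16b790231337a01992709b530d95d19d1d247078aa212d
80eb5b91bdeeaea456de77e716942bc666ed4c152f5274c4317cd6740dcda8e8
""".split())

PADDING_SIZE_THRESHOLD = 35 * 1024 * 1024  # the 35 MB figure the advisory cites
PADDING_NULL_FRACTION = 0.90  # assumption: a script that is >=90% 0x00 bytes has been padded
# Constructed sample, not a real campaign file: a two-line script plus a 4 KB NULL pad.
SAMPLE_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'WScript.Sleep 60000\r\n' + b"\x00" * 4096)
SAMPLE_THRESHOLD = 1024  # lowered so the small constructed sample trips the size check

def hash_bytes(data):
    """The three digests the advisory lists, as lower-case hex."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def ioc_hits(data):
    """Hash types under which `data` matches one of the advisory's indicators."""
    h = hash_bytes(data)
    tables = (("md5", IOC_MD5), ("sha1", IOC_SHA1), ("sha256", IOC_SHA256))
    return [n for n, table in tables if h[n] in table]

def is_null_padded_script(data, size_threshold=PADDING_SIZE_THRESHOLD,
                          null_fraction=PADDING_NULL_FRACTION):
    """True when a blob is at least `size_threshold` bytes and dominated by 0x00."""
    if len(data) < size_threshold:
        return False
    return data.count(b"\x00") / len(data) >= null_fraction

def archive_script_members(archive_bytes, size_threshold=PADDING_SIZE_THRESHOLD):
    """(name, uncompressed, compressed) for each .vbs ZIP member at or above the threshold."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".vbs") and info.file_size >= size_threshold:
                found.append((info.filename, info.file_size, info.compress_size))
    return found

def triage_samples(samples, size_threshold=PADDING_SIZE_THRESHOLD):
    """Apply both checks to a {name: bytes} mapping; return (name, reason) findings."""
    findings = []
    for name, data in samples.items():
        if hits := ioc_hits(data):
            findings.append((name, "ioc-hash-match:" + ",".join(hits)))
        if name.lower().endswith(".vbs") and is_null_padded_script(data, size_threshold):
            findings.append((name, "null-padded-vbs"))
    return findings

def triage_directory(root, size_threshold=PADDING_SIZE_THRESHOLD):  # "search for IOCs"
    samples = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                samples[path] = fh.read()
    return triage_samples(samples, size_threshold)

def build_sample_archive():  # constructed ZIP attachment carrying SAMPLE_VBS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.vbs", SAMPLE_VBS)
    return buf.getvalue()

if __name__ == "__main__":
    print("sample archive:", archive_script_members(build_sample_archive(), SAMPLE_THRESHOLD))
    for path, reason in triage_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

Run it with a directory argument to sweep that tree; without one it runs the constructed archive demo and then hashes the current directory. Matching by hash only catches the exact samples listed, and Qbot's operators rotate those, so the padding and compression-ratio heuristics are the part worth keeping in an email gateway or sandbox pre-filter, where they apply to a new sample as well as to the listed ones.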