Rewterz Threat Alert – SmokeLoader Malware – Active IOCs
September 30, 2021Rewterz Threat Alert – ServHelper Backdoor – Active IOCs
September 30, 2021Rewterz Threat Alert – SmokeLoader Malware – Active IOCs
September 30, 2021Rewterz Threat Alert – ServHelper Backdoor – Active IOCs
September 30, 2021Severity
High
Analysis Summary
A massive maldoc campaign delivering the QakBot/QBot banking trojan is detected. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word or excel documents attached to the spam email. This particular campaign features an xls file that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. The attackers use a common tactic to lure the victim to enable macros: when the target downloads the file, it asks the target to enable editing and then enable content in order to view the document.
Impact
- Unauthorized Access
- Financial Theft
- Information theft
Indicators of Compromise
MD5
- ebec2f5ac1e5f9d51d12ff7131795c35
SHA-256
- 405e8907b3775351b266445fae051055a10d97fb89ed926b5fa083f32028f5d4
SHA-1
- 2c07ee3f23fd2a62373412d67ddbca312445d29e
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.