Rewterz Threat Alert – Ursnif Banking Trojan – Active IOCs
October 26, 2021Rewterz Threat Alert – APT-C-38 ZooPark – Active IOCs
October 26, 2021Rewterz Threat Alert – Ursnif Banking Trojan – Active IOCs
October 26, 2021Rewterz Threat Alert – APT-C-38 ZooPark – Active IOCs
October 26, 2021Severity
Medium
Analysis Summary
A massive maldoc campaign delivering the QakBot/QBot banking trojan is detected. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word or Excel documents attached to the spam email. This particular campaign features an xls file that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. The attackers use a common tactic to lure the victim to enable macros: when the target downloads the file, it asks the target to enable editing and then enable content in order to view the document.
Impact
- Unauthorized Access
- Financial Theft
- Information theft
Indicators of Compromise
SHA-256
- 388617639552d69bb04cbbba6b8ca945c8ad8068719263a466d64724533b43f4
- 5e0fc31caffdfa334bfa048df6e5af03b563432d032c5da6b3d961bd637362d0
- a22b42a96d30b3451db682f6e415a57ece8d136ce386945cca0cbd098716ff7f
- f553b58e1a17cdb63ba36983a3f2949656b2f76c275430fc3ca273a13eafc134
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.