Rewterz Threat Alert – DarkyLock Ransomware – Active IOCs

December 29, 2022

Rewterz Threat Alert – LockBit Ransomware – Active IOCs

December 30, 2022

Rewterz Threat Alert – Qakbot (Qbot) Malware – Active IOCs

December 29, 2022

Severity

Medium

Analysis Summary

QBot, often known as QakBot, is modular information malware. It has been operational since 2007. This banking Trojan, QakBot steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. Qakbot can propagate to other computers on the same network and allow it to mask its existence and build persistence on infected computers. A malware attachment to a phishing email is commonly used in QakBot attacks. This particular campaign includes an xls file that contains macros. These macros run a script that fetches the Qakbot payload from a list of URLs. To get the victim to activate macros, the attackers employ a common trick, like when the target downloads the file, it is asked to allow changes and then content before viewing the document.

During the past months, it is observed that attackers are employing a number of strategies to avoid detection, using Excel (XLM) 4.0 and ZIP file extensions. They are utilizing sophisticated strategies to evade automated detection and increase the likelihood that their attack will succeed, such as obfuscating code, using numerous URLs to deliver the payload and others. Threat actors are disguising attachments intended to spread malware using a variety of different common file names with typical keywords for finance and business operations

Impact

Unauthorized Access
Financial Theft
Information Theft

Indicators of Compromise

MD5

9b7f8b669ecd18b15834748a20d725ea
9e71752eea18941530acb27d3f524e00
0fc0ad5e2c8e73f0cf77c485ebc15a04
771f5adae94bb304277e7d0fdac188aa
78b27ff8645595c946b912d86ef3d923
2f2ee8fe7d11f76d79f4b97cc218b564
6dec8fd67c76cde2374f2a92e22c901f
a27b65f0864607f3b740897e7bf566f1
f2679924f80a184f0ca31cbf46a4986f
b221805727a1871f1993a8b20a19a630

SHA-256

363b0f5ec5145b61c83931f27d56629dbe3061928206aab984458da444125acf
f4019adba2381d0b6ab15def46f35b13712d8ee8da56ff2cc2fb66c425a39e62
aff207d9f26a8f68e2e002cbd7da86d500a7cb1f462e47f6b65e47a009c5b442
90bfd42d8d47c0fa15df36b022fa78e0ea5b1ac1a22e55715a630f5a244882ac
62226bd429144b54fd4f522ba4e22cc1ab013e0fef4becb3b946aad99ccb1904
e9dbc6768220adc1a63397cbd0bd3d4ae2f15fcb84c18639d45616a34d9e9a90
824f581068da6e58a8c71adb2437e4a64c9b7f70b98d3700a53a2c68ac569565
c9a2389de1fa6bf8fdc7de042b5fbfa6c00e7336b153306c9a7f766f036e5629
baf28f7801ca273c80b8406819cb16e1fbb2a46475a00911a0c264c757ee616e
9c4a05cdd18b7371ea16dc9b2d54f6fb11225943b71ed9c5aa31a0bdca6721d2

SHA-1

b879d36b5340f8eb8c5ebacc1703ffead5f1d25a
fde78df91b00224f6d450d414cdd34aba6fe7569
391e497f0dde64d2b11a1ee14973a81b97807329
667384ac9c0f66bd5083f764ec122a3286e2db92
f658beabb1024ce324484cc198089908e3a68ee6
b2d59d56e4de17e553eb13799fc5b6e37c29443a
1052a5235be2fea02e189bd05caba0c2ae435b44
04a1e32837b93678698e275d6d1723341a9eb4c4
3d0b02b4826518395cc1896bd43f615518b967bb
225a521120d7ab3e6c8d394dec860a8b868f7c44

Remediation

Block the threat indicators at their respective controls.
Search for IOCs in your environment.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us