
Rewterz Threat Alert – Qakbot Spreads through VBS Files

June 2, 2020

Severity

Medium

Analysis Summary

Researchers observed increased usage of a specific Qakbot variant across campaigns occurring this year. The variant's initial infection vector is emails appearing to be replies to relevant business-related messages, in which the recipient is requested to click on a link in order to download an attachment. This link points to a malicious file hosted on a compromised website. Specifically, a ZIP archive containing a VBS file is downloaded. The VBS file is responsible for downloading an executable file, which is the final Qakbot payload. After anti-analysis and anti-VM checks are performed, persistence is established via a Registry Run key and a scheduled task. Additionally, it creates copies of itself on the filesystem and injects itself into multiple processes to remain memory resident. For C2 communication, it leverages both domain generation algorithms (DGA) and hardcoded C2 addresses. The researchers note that, as with older Qakbot samples, code exists suggesting additional routines that can be loaded through another component, such as a PowerShell routine to download other payloads.

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

SHA-256

  • 166442aca7750b45d10cdbdb372dd336a730a3033933a2a0b142d91462017fd2
  • b8b7b5df48840b90393a702c994c6fb47b7e40cfe3552533693149d9537eaef5

URL

  • hxxps[:]//besthack[.]co/differ/50160153/50160153[.]zip
  • hxxps[:]//besthack[.]co/differ/886927[.]zip

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
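The following Python script is an added example, not part of the Rewterz advisory, showing one way to carry out the "Search for IOCs in your environment" step above. It refangs the published URLs, derives the bare hostname from them, and matches URLs, hostnames and the two SHA-256 hashes against constructed sample log lines (a web-proxy log and an EDR file-hash event log, both in hypothetical formats chosen for this example). It goes one step beyond the advisory's exact URLs by also flagging requests to the same host on a different path, which are worth a look given that the payloads were hosted on a compromised site.

```python
import re
from urllib.parse import urlparse

# Indicators published in the advisory above (URLs kept defanged as printed).
ADVISORY_SHA256 = {
    "166442aca7750b45d10cdbdb372dd336a730a3033933a2a0b142d91462017fd2",
    "b8b7b5df48840b90393a702c994c6fb47b7e40cfe3552533693149d9537eaef5",
}
ADVISORY_URLS_DEFANGED = [
    "hxxps[:]//besthack[.]co/differ/50160153/50160153[.]zip",
    "hxxps[:]//besthack[.]co/differ/886927[.]zip",
]

# Constructed sample telemetry (not real data). Both formats are hypothetical:
# proxy log = "<time> <src_ip> <method> <url> <status>",
# EDR log   = "<time> host=<name> sha256=<hash> path=<file>".
SAMPLE_PROXY_LOG = [
    "2020-06-02T09:14:03Z 10.1.2.33 GET https://besthack.co/differ/886927.zip 200",
    "2020-06-02T09:15:10Z 10.1.2.34 GET https://example.org/index.html 200",
    "2020-06-02T09:16:41Z 10.1.2.35 GET https://BESTHACK.co/differ/other/unknown.zip 200",
]
SAMPLE_EDR_LOG = [
    "2020-06-02T09:14:20Z host=WS-0133 sha256=166442ACA7750B45D10CDBDB372DD336A730A3033933A2A0B142D91462017FD2 path=C:\\Users\\a\\Downloads\\886927.zip",
    "2020-06-02T09:20:00Z host=WS-0140 sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:\\Windows\\notepad.exe",
]


def refang(url: str) -> str:
    """Convert a defanged indicator (hxxps[:]//x[.]y) back into a real URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[:]", ":").replace("[.]", ".")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host so case differences in logs do not hide a hit."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path}"


def indicator_sets():
    """Exact URLs and bare hostnames derived from the advisory's defanged URLs."""
    urls = {normalize_url(refang(u)) for u in ADVISORY_URLS_DEFANGED}
    hosts = {urlparse(u).hostname for u in urls}
    return urls, hosts


def scan_proxy_log(lines):
    """Return (line, match_kind) for each request hitting an advisory URL or host."""
    urls, hosts = indicator_sets()
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        url = normalize_url(fields[3])
        if url in urls:
            hits.append((line, "url"))
        elif urlparse(url).hostname in hosts:
            # Same host, different path: not an exact IoC, but still worth triage.
            hits.append((line, "domain"))
    return hits


def scan_hash_log(lines):
    """Return lines whose sha256= value matches an advisory hash (case-insensitive)."""
    hits = []
    for line in lines:
        m = re.search(r"sha256=([0-9a-fA-F]{64})", line)
        if m and m.group(1).lower() in ADVISORY_SHA256:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line, kind in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[proxy/{kind}] {line}")
    for line in scan_hash_log(SAMPLE_EDR_LOG):
        print(f"[edr/hash] {line}")
```

Against the constructed logs the sweep reports one exact URL hit, one domain-level hit on a different path, and one hash hit; hashes are compared after lower-casing because EDR products differ in the case they emit.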
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.