Rewterz Threat Alert – Malicious URLs – Covid-19
June 1, 2020Rewterz Threat Alert – African Banking Sector Targeted via Phishing Emails
June 2, 2020Severity
Medium
Analysis Summary
Researchers observed increased usage of a specific Qakbot variant across campaigns occurring this year. The variant’s initial infection vector is emails appearing to be replies to relevant business-related messages in which the the recipient is requested to click on a link in order to download an attachment. This link points to a malicious file hosted on a compromised website. Specifically, a ZIP archive containing a VBS file is downloaded. The VBS file is responsible for downloading an executable file, which is the final Qakbot payload. After anti-analysis and anti-VM checks are performed, persistence is established via a Registry Run key and a scheduled task. Additionally, it creates copies of itself on the filesystem and injects itself into multiple processes to remain memory resident. For C2 communication, it leverages both domain generation algorithms (DGA) and hardcoded C2 addresses. The researcher notes that, like with older Qakbot samples, code exists suggesting additional routines that can be loaded through another component, such as a PowerShell routine to download other payloads.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA-256
- 166442aca7750b45d10cdbdb372dd336a730a3033933a2a0b142d91462017fd2
- b8b7b5df48840b90393a702c994c6fb47b7e40cfe3552533693149d9537eaef5
URL
- hxxps[:]//besthack[.]co/differ/50160153/50160153[.]zip
- hxxps[:]//besthack[.]co/differ/886927[.]zip
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/ attachments sent by unknown senders