Rewterz Threat Alert – QBot and Cobalt Strike strike using Zerologon Vulnerability – Active IOCs

Severity

High

Analysis Summary

QBot, often known as QakBot, is a modular information malware. It has been operational since 2007. This banking Trojan, QakBot steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. Qakbot can propagate to other computers on the same network and allow it to mask its existence and build persistence on infected computers.

A malware attachment to a phishing email is commonly used in QakBot attacks. This particular campaign includes an xls file that contains macros. These macros run a script that fetches the Qakbot payload from a list of URLs. To get the victim to activate macros, the attackers employ a common trick, like when the target downloads the file, it is asked to allow changes and then content before viewing the document.

Cobalt Strike first appeared in 2012 in response to alleged flaws in the Metasploit Framework, an existing red team (penetration testing) tool. Cobalt Strike 3.0 was released in 2015 as a stand-alone opponent emulation platform. However, researchers began observing threat actors using Cobalt Strike by 2016. Cobalt Strike’s use in hostile activities was previously connected with huge cybercriminal operations like TA3546 and APT40.  Cobalt Strike is a legitimate Pen test (penetration testing) toolkit that deploys “beacons” on infected devices to perform malicious behaviors. It is commonly used in ransomware attacks. 

Cobalt Strike allows the attacker to install a Beacon agent on the victim’s PC, which gives them access to a variety of tools, including command execution, file transfer,  keylogging, mimikatz, port scanning, and privilege escalation. Cobalt Strike includes a toolkit called Artifact Kit that is used to create shellcode loaders.

CVE-2020-1472

Microsoft Windows could allow a remote attacker to gain elevated privileges on the system, caused by an error when establishing a vulnerable Netlogon secure channel connection to a domain controller. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.

In this new attack method, a malicious DLL was downloaded and executed on a Windows workstation. QBot activity started quickly after the DLL was executed and information on file shares/privileges, group member information, and network topologies of infected users were snatched. QBot dropped another malicious DLL that automated task to run Cobalt Strike. 

Impact

• Privilege Escalation
• Information Theft
• Financial Theft
• Unauthorized Access

Indicators of Compromise

Domain Name

• dxabt[.]com
• avlhestito[.]us
• xrhm[.]info

IP

• 24[.]229[.]150[.]54
• 41[.]228[.]22[.]180
• 5[.]255[.]98[.]144

MD5

• 53510e20efb161d5b71c4ce2800c1a8d
• 59e7f22d2c290336826700f05531bd30

SHA-256

• e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987
• f63e17ff2d3cfe75cf3bb9cf644a2a00e50aaffe45c1adf2de02d5bd0ae35b02

SHA-1

• 2268178851d0d0debb9ab457d73af8a5e50af168
• 3b2a0d2cb8993764a042e8e6a89cbbf8a29d47d1

Remediation

• Logging – Log your eCommerce environment’s network activity and web server activity.
• Passwords – Implement strong passwords. Enable two-factor authentication.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are
• not publicly accessible.
• WAF -Set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely.