QBot, often known as QakBot, is a modular information malware. It has been operational since 2007. This banking Trojan, QakBot steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. Qakbot can propagate to other computers on the same network and allow it to mask its existence and build persistence on infected computers.
A malware attachment to a phishing email is commonly used in QakBot attacks. This particular campaign includes an xls file that contains macros. These macros run a script that fetches the Qakbot payload from a list of URLs. To get the victim to activate macros, the attackers employ a common trick, like when the target downloads the file, it is asked to allow changes and then content before viewing the document.
Cobalt Strike first appeared in 2012 in response to alleged flaws in the Metasploit Framework, an existing red team (penetration testing) tool. Cobalt Strike 3.0 was released in 2015 as a stand-alone opponent emulation platform. However, researchers began observing threat actors using Cobalt Strike by 2016. Cobalt Strike’s use in hostile activities was previously connected with huge cybercriminal operations like TA3546 and APT40. Cobalt Strike is a legitimate Pen test (penetration testing) toolkit that deploys “beacons” on infected devices to perform malicious behaviors. It is commonly used in ransomware attacks.
Cobalt Strike allows the attacker to install a Beacon agent on the victim’s PC, which gives them access to a variety of tools, including command execution, file transfer, keylogging, mimikatz, port scanning, and privilege escalation. Cobalt Strike includes a toolkit called Artifact Kit that is used to create shellcode loaders.
Microsoft Windows could allow a remote attacker to gain elevated privileges on the system, caused by an error when establishing a vulnerable Netlogon secure channel connection to a domain controller. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
In this new attack method, a malicious DLL was downloaded and executed on a Windows workstation. QBot activity started quickly after the DLL was executed and information on file shares/privileges, group member information, and network topologies of infected users were snatched. QBot dropped another malicious DLL that automated task to run Cobalt Strike.