Rewterz Threat Alert – RYUK Ransomware Network Compromise Using BazarLoader
October 13, 2020
Rewterz Threat Advisory – VPN Vulnerabilities and ZeroLogon Combined to Attack Networks
October 13, 2020
Severity
High
Analysis Summary
The Qbot botnet is using a new malware distribution template that uses a fake Windows Defender Antivirus theme to trick recipients into enabling Excel macros. Also known as QakBot or QuakBot, Qbot is Windows malware that steals bank credentials and Windows domain credentials and provides remote access to threat actors who then install ransomware. Victims usually become infected with Qbot through another malware infection or via phishing campaigns using various lures, including fake invoices, payment and banking information, and scanned documents.
Attached to these spam emails are malicious Excel (.xls) files. When opened, the document prompts the user to click ‘Enable Content’ so that the malicious macros run and install Qbot on the victim’s computer. The decoy claims the document is encrypted and that the user must click ‘Enable Editing’ or ‘Enable Content’ to decrypt it with the ‘Microsoft Office Decryption Core.’
Once ‘Enable Content’ is clicked, the malicious macros execute and download and install the Emotet malware on the victim’s computer. Once infected, Qbot performs various malicious activities that give threat actors access to the victim’s bank accounts and network. Qbot has previously been bundled with Emotet in many infection campaigns, and last week it was also found distributed as a second-stage payload in an Emotet infection campaign.
Impact
- Credential Theft
- Unauthorized Access
- Theft of banking information
Indicators of Compromise
From Email
- paesano[.]luigi@medicinafutura[.]it
MD5
- d7448b4f4675c09613e88e553a34c482
SHA-256
- 760371e73ef5eaa81fad0c5be19a03853b3b536c3e3713a6b8ef9ece7e04a78f
SHA1
- 4031b2883c532ce7baa20cc2e2fb754b051e5911
Source IP
- 62[.]149[.]128[.]163
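As an added example (not part of the Rewterz advisory), the following mail-gateway triage check tests a raw message against the sender, source-IP and file-hash indicators listed above and flags Excel attachments, since this campaign's lure is an .xls macro document. The sample message is constructed, and its attachment bytes are placeholder text rather than the real sample.

```python
import email
import hashlib
import re
from email import policy

# Indicators from the advisory above (defanged brackets removed).
IOC_SENDERS = {"paesano.luigi@medicinafutura.it"}
IOC_IPS = {"62.149.128.163"}
IOC_HASHES = {"d7448b4f4675c09613e88e553a34c482",
              "4031b2883c532ce7baa20cc2e2fb754b051e5911",
              "760371e73ef5eaa81fad0c5be19a03853b3b536c3e3713a6b8ef9ece7e04a78f"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample message; the attachment body is placeholder text, not malware.
SAMPLE_EML = b"""Received: from mail.example (unknown [62.149.128.163])
\tby mx.example.net with ESMTP; Tue, 13 Oct 2020 09:00:00 +0000
From: "Luigi Paesano" <paesano.luigi@medicinafutura.it>
Subject: Windows Defender Antivirus report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel; name="Report.xls"
Content-Disposition: attachment; filename="Report.xls"
Content-Transfer-Encoding: base64

UGxhY2Vob2xkZXIgYnl0ZXMsIG5vdCB0aGUgcmVhbCBzYW1wbGU=
--b1--
"""

def triage_email(raw: bytes) -> dict:
    """Report which advisory indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"sender": False, "source_ip": False, "hash": False, "excel_attachments": []}
    # Sender: compare the bare address, ignoring the display name.
    addr = re.search(r"[\w.+-]+@[\w.-]+", (msg.get("From") or "").lower())
    hits["sender"] = bool(addr and addr.group(0) in IOC_SENDERS)
    # Source IP: scan every Received hop for the listed address.
    for hop in msg.get_all("Received", []):
        if IOC_IPS & set(IPV4.findall(hop)):
            hits["source_ip"] = True
    # Attachments: hash each one against the listed digests and flag Excel files.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        digests = {h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
        hits["hash"] = hits["hash"] or bool(digests & IOC_HASHES)
        if name.endswith((".xls", ".xlsm", ".xlsb")):
            hits["excel_attachments"].append(name)
    return hits
```

The placeholder attachment does not match the listed hashes, so a real deployment would rely on the sender and source-IP matches plus the presence of an Excel attachment to quarantine the message.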
Remediation
- Block the threat indicators at their respective controls.
- Do not enable content for attachments downloaded from untrusted emails.
- Block the latest Qbot IoCs listed in the ‘Indicators of Compromise’ section of the following advisories.