
Rewterz Threat Alert – QBot Using Windows Defender Antivirus as Phishing Bait

October 13, 2020

Severity

High

Analysis Summary

The Qbot botnet is using a new lure template for distributing its malware: a fake Windows Defender Antivirus theme designed to trick recipients into enabling Excel macros. Also known as QakBot or QuakBot, Qbot is Windows malware that steals banking credentials and Windows domain credentials and provides remote access to threat actors, who then deploy ransomware. Victims usually become infected with Qbot either through another malware infection or via phishing campaigns using various lures, including fake invoices, payment and banking information, and scanned documents.

Example Qbot spam email

Attached to these spam emails are malicious Excel (.xls) attachments. When opened, the workbook displays a fake Windows Defender Antivirus notice claiming that the document is encrypted and that the user must click ‘Enable Editing’ or ‘Enable Content’ so it can be decrypted by the ‘Microsoft Office Decryption Core’. No such component exists; the prompt is social engineering whose only purpose is to get the user to enable the embedded macros, which then install Qbot on the victim’s computer.

New 'Windows Defender Antivirus' Qbot attachment

Once ‘Enable Content’ is clicked, the malicious macros execute and download and install the Qbot malware on the victim’s computer. Once infected, Qbot performs various malicious activities that allow threat actors to gain access to the victim’s bank accounts and network. Qbot has previously been bundled with Emotet in many infection campaigns, and last week it was also observed being distributed as a second-stage payload in an Emotet infection campaign.
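The infection chain above depends on a macro-enabled Office attachment reaching the user. The following is an added example, not code from Rewterz or from this advisory, of a mail-gateway triage check that flags attachments carrying a VBA project before a user ever sees the ‘Enable Content’ prompt. It is a heuristic, not a full OLE parser: legacy .xls/.doc files are OLE2 compound files whose directory entries store stream and storage names in UTF-16LE, so the presence of the ‘_VBA_PROJECT’ or ‘Macros’ names is taken as evidence of a VBA project; newer .xlsm/.docm files are zip containers that keep the project as a ‘vbaProject.bin’ part. The marker names, the quarantine policy and the sample byte blobs are assumptions constructed for this example.

```python
import io
import zipfile

# Compound File Binary (OLE2) signature: the container of legacy .xls/.doc files
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OLE directory entries hold stream/storage names in UTF-16LE. These two names
# appear when a VBA project is embedded (assumption: a triage heuristic, not a parser).
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]
# OOXML (.xlsm/.docm/.pptm) stores the VBA project as a binary part inside the zip
OOXML_VBA_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
ZIP_MAGIC = b"PK\x03\x04"


def classify(data: bytes) -> dict:
    """Identify the container type and report whether a VBA project appears present."""
    if data.startswith(OLE_MAGIC):
        found = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
        return {"container": "ole2", "has_vba": bool(found), "evidence": found}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return {"container": "zip?", "has_vba": False, "evidence": []}
        found = [p for p in OOXML_VBA_PARTS if p in names]
        return {"container": "ooxml", "has_vba": bool(found), "evidence": found}
    return {"container": "other", "has_vba": False, "evidence": []}


def should_quarantine(filename: str, data: bytes) -> bool:
    """Assumed policy: hold any Office attachment that carries a VBA project for analysis."""
    office_ext = filename.lower().endswith((".xls", ".xlsm", ".xlsb", ".doc", ".docm"))
    return office_ext and classify(data)["has_vba"]


# Constructed samples (not real malware): minimal blobs that exercise each code path.
def _fake_ole(with_vba: bool) -> bytes:
    body = bytearray(OLE_MAGIC + b"\x00" * 504)  # pad to a 512-byte header sector
    name = "_VBA_PROJECT" if with_vba else "Workbook"
    body += b"\x00" * 64 + name.encode("utf-16-le") + b"\x00" * 64  # fake directory entry
    return bytes(body)


def _fake_ooxml(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x01\x16\x01\x00")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("report.xls", _fake_ole(True)), ("clean.xls", _fake_ole(False)),
                        ("sheet.xlsm", _fake_ooxml(True)), ("sheet2.xlsx", _fake_ooxml(False))):
        print(fname, classify(blob), "quarantine" if should_quarantine(fname, blob) else "deliver")
```

A hit from this check is a reason to detonate or run the attachment through a real macro analyser, not a verdict on its own: legitimate workbooks do ship with macros, and a sample whose VBA lives only in an Excel 4.0 macro sheet would not carry these markers.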

Impact

  • Credential Theft
  • Unauthorized Access
  • Theft of banking information

Indicators of Compromise

From Email

  • paesano[.]luigi@medicinafutura[.]it

MD5

  • d7448b4f4675c09613e88e553a34c482

SHA-256

  • 760371e73ef5eaa81fad0c5be19a03853b3b536c3e3713a6b8ef9ece7e04a78f

SHA-1

  • 4031b2883c532ce7baa20cc2e2fb754b051e5911

Source IP

  • 62[.]149[.]128[.]163

Remediation

  • Block the threat indicators at their respective controls.
  • Do not enable content for attachments downloaded from untrusted emails.
  • Block the latest Qbot IoCs listed in the ‘Indicators of Compromise’ sections of the following advisories:
    • Rewterz Threat Alert – Qakbot (Qbot) Active Campaign – IoCs
    • Rewterz Threat Alert – Latest Attack Techniques From Qbot
    • Rewterz Threat Alert – Emotet Phishing Uses Political Lures
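Beyond blocking the indicators at the mail gateway, firewall and endpoint, a practitioner will want to sweep existing logs for them to find delivery that already happened. The following is an added example, not part of the advisory, that loads the indicators exactly as published above (defanged with ‘[.]’), refangs them, and matches them against log lines from several sources. The log lines are constructed for this example and do not come from any real incident; the log field names and formats are assumptions.

```python
import re

# Indicators from the 'Indicators of Compromise' section, kept defanged as published
ADVISORY_IOCS = {
    "email": ["paesano[.]luigi@medicinafutura[.]it"],
    "md5": ["d7448b4f4675c09613e88e553a34c482"],
    "sha1": ["4031b2883c532ce7baa20cc2e2fb754b051e5911"],
    "sha256": ["760371e73ef5eaa81fad0c5be19a03853b3b536c3e3713a6b8ef9ece7e04a78f"],
    "ip": ["62[.]149[.]128[.]163"],
}


def refang(value: str) -> str:
    """Undo the usual defanging conventions so the indicator matches what logs contain."""
    return (value.replace("[.]", ".").replace("[@]", "@")
                 .replace("hxxp", "http").lower())


def build_index(iocs: dict) -> dict:
    """Map each refanged indicator to its type for O(1) lookups per token."""
    return {refang(v): kind for kind, values in iocs.items() for v in values}


# Tokens are runs of the characters that can appear in addresses, hashes and IPs;
# everything else (=, ", spaces, :) is a separator.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.@_-]*")


def scan_line(line: str, index: dict) -> list:
    """Return [(ioc_type, matched_token), ...] for every indicator found on the line."""
    return [(index[t.lower()], t) for t in TOKEN_RE.findall(line) if t.lower() in index]


def scan_logs(lines, iocs=ADVISORY_IOCS) -> list:
    """Scan a list of log lines and return the ones that contain any advisory indicator."""
    index = build_index(iocs)
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, index)
        if hits:
            results.append({"line": n, "hits": hits, "text": line})
    return results


# Constructed sample log lines (assumed formats: mail gateway, EDR, firewall)
SAMPLE_LOGS = [
    '2020-10-13T09:12:44Z mailgw from=paesano.luigi@medicinafutura.it to=finance@example.com subject="Invoice 4471" attach=report.xls',
    '2020-10-13T09:13:01Z edr host=WS-017 event=file_write path=C:\\Users\\a\\Downloads\\report.xls sha256=760371e73ef5eaa81fad0c5be19a03853b3b536c3e3713a6b8ef9ece7e04a78f',
    '2020-10-13T09:15:27Z fw action=allow src=10.20.0.17 dst=62.149.128.163 dport=443',
    '2020-10-13T09:16:02Z mailgw from=newsletter@example.org to=finance@example.com subject="Weekly digest"',
]

if __name__ == "__main__":
    for r in scan_logs(SAMPLE_LOGS):
        print(f"line {r['line']}: {r['hits']}")
```

Matching on whole tokens rather than substrings keeps a short indicator from firing inside an unrelated longer one, and lower-casing both sides makes hash comparisons indifferent to how each tool prints hex. A hit on the sender address alone means a delivery attempt; a hit on the file hash on an endpoint means the attachment was written to disk and that host should be triaged for the macro execution described above.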
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.