Rewterz Threat Advisory – CVE-2020-6507 – Google Chrome V8 code execution
June 16, 2020Rewterz Threat Advisory – Adobe Multiple Security Vulnerabilities
June 17, 2020Rewterz Threat Advisory – CVE-2020-6507 – Google Chrome V8 code execution
June 16, 2020Rewterz Threat Advisory – Adobe Multiple Security Vulnerabilities
June 17, 2020Severity
High
Analysis Summary
QBot, aka QakBot, is financial malware and has been active for some ten years is recently active and targeting different users in different regions. QBot variant which was delivered through a malicious Word document., while the of delivery method of the document is unknown, typically such malicious Word files are delivered using email. If a victim opens the document, they will be asked to enable macros which are required to initiate the infection process. The locations from which the malware is downloaded are located in Base64-encoded strings within the code. Once the download has been completed, the downloaded file will be executed. The payload is packed to help avoid detection and when executed will load QBot into memory. Several checks are then carried out to determine if the malware is running in a virtual machine or sandbox, if certain analysis tools are running, and it also checks CPU information. During analysis, QBot was frequently upgrading its payload file.
Impact
- Information theft
- Exposure of sensitive data
- Financial loss
Indicators of Compromise
SHA-256
- 432B6D767539FD5065593B160128AA7DCE271799AD2088A82A16542E37AD92B0
URL
- hxxp[:]//pickap[.]io/wp-content/uploads/2020/04/evolving/888888[.]png
- hxxp[:]//decons[.]vn/wp-content/uploads/2020/04/evolving/888888[.]png
- hxxp[:]//econspiracy[.]se/evolving/888888[.]png
- hxxp[:]//enlightened-education[.]com/wp-content/uploads/2020/04/evolving/888888[.]png
- hxxp[:]//kslanrung[.]com/evolving/888888[.]png
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your existing environment.