Qbot Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 31 May 2024 00:22:25 +0000 en-US hourly 1 https://wordpress.org/?v=77473 200474804 Qakbot Malware Applies New Distribution Methods https://gridinsoft.com/blogs/new-qakbot-spreading-ways/ https://gridinsoft.com/blogs/new-qakbot-spreading-ways/#respond Wed, 01 Mar 2023 11:53:57 +0000 https://gridinsoft.com/blogs/?p=13532 Today there is an arms race between cybercriminals and antimalware manufacturers. While some release a fix for an existing threat, others must develop new loopholes. Recently, cybersecurity experts noticed that many malware families were using OneNote attachments to infect their victims. Since OneNote is considered a robust application that Microsoft has developed for easy note-taking,… Continue reading Qakbot Malware Applies New Distribution Methods

The post Qakbot Malware Applies New Distribution Methods appeared first on Gridinsoft Blog.

]]>
Today there is an arms race between cybercriminals and antimalware manufacturers. While some release a fix for an existing threat, others must develop new loopholes. Recently, cybersecurity experts noticed that many malware families were using OneNote attachments to infect their victims. Since OneNote is considered a robust application that Microsoft has developed for easy note-taking, hackers couldn’t help but take advantage of it for their nefarious purposes. Next, we will look at some relatively new ways of spreading the known Qakbot banking Trojan.

What is Qbot?

Before moving on to distribution methods, let’s recap QakBot. Qakbot Malware (QuakBot, or QBot) is a banking Trojan designed to steal confidential information from Windows computers. For starters, it is worth mentioning that this type of malware is nothing new, and it appeared in 2007. Since then, it has undergone many changes, primarily aimed at bypassing security features. What has stayed the same, however, is the distribution method. For the most part, it’s email spam. However, after infecting one machine, QakBot can spread to other devices on the network.

Furthermore, it has modular protection. Hence, the operator can fully customize it according to the objectives. For example, it can be network reconnaissance, keylogging, credential theft, botnet deployment, or ransomware. In some cases, botnets under the rule of QakBot were delivering CobaltStrike beacons.

Distribution using OneNote Using Batch & PowerShell

The primary method of spreading Qakbot is through e-mail spamming. Previously, a rogue email contained an MS Office file with a malicious macro hidden inside. However, after Microsoft forcibly disabled the execution of any macros coming from the Internet, Qakbot started attaching the OneNote attachment. Usually, such an email contains something like “RE: DRCP Hire-Success Story…” and attachments are usually masked as legitimate files and named, for example, “Contracts – Copy.one”.

A fake cloud attachment page opens when the victim opens the OneNote attachment. This is done to get the victim to click on the BAT file (let’s call it Open.bat) that is embedded in Contracts – Copy.one. A PowerShell script is started as soon as the user runs this file, which in turn puts a CMD file with the conditional name “i.cmd” into the %temp% folder and runs it. This action is performed in a mode hidden from the user and not displaying any notifications. It then uses a PowerShell script to download a GIF file using the Invoke-Webrequest command. Although this file is saved as a JPG file in %programdata%, it has nothing to do with image files. Instead, it is an executable Qakbot DLL file that Rundll32.exe runs with the “Wind” parameter.

QakBot Delivery Mechanism Using JScript and Batch Script

Distribution Via OneNote Using Jscript (.jse) file

Similarly to the previous point, the initial stage of the infection process occurs via phishing emails, which also contain a OneNote attachment. However, unlike the last end, this attachment includes a JSE file. This file also contains a hidden Bat file, usually disguised as an “Open” button. After the user clicks this button, the batch file is launched. PowerShell script downloads the pseudo-gif file into a Temp system folder. This file is also different from what it looks like. It is an executable Qakbot DLL file which performs the routine unfolding process, same as in any other case scenario.

QakBot Delivery Mechanism Using JScript and Batch Script

Distribution using html Application (.hta) file

At the end of January 2023, Qakbot operators began experimenting with this new distribution method. It is identical to the previous way, except that instead of a JSE file, OneNote files contain an embedded HTML application (HTA file). When the user clicks “open” on the OneNote page, it drops an embedded .hta file executed by mshta.exe in the background. The script in the HTA file uses the legitimate curl.exe application to load the Qakbot DLL file into the C:\ProgramData folder and then run it. The Qakbot payload is injected into the Windows Auxiliary Technology Manager “AtBroker.exe” to hide its presence.

Distribution using Windows Script (.wsf) Files

In this case, the phishing email contains an attachment in the form of a zip file with a random name, e.g., “Shared Document From Cloud 540318.zip”. There may be several files in the archive, including a wsf file. This file contains malicious JScript between digital certificates. Hence when a victim tries to open the .wsf file, it will run code to download the Qakbot DLL file. Usually, it is loaded in the C:\ProgramData directory and run using “Rundll32.exe” with the parameter “Wind”.

Qakbot Delivery Mechanism using wsf file

Distribution using Google Ads

Since Microsoft, by default, blocks macros execution in Office files downloaded from the Internet, attackers are finding ever more sophisticated ways to distribute malware. Thus lately, there has been a significant surge in malicious ads that lead to a fake page of a legitimate program. Thus lately, there has been a significant surge in malicious advertising, which leads to a fake page of a legitimate program. However, instead of the legitimate program, the user receives malware. It may usually be a .exe or .msi file, which contains malware and many empty sections to avoid detection by anti-malware engine, as it overwhelms their file size limit.

Fake Libreoffice ad
Fake LibreOffice ad that tries to mimic the original site’s URL

How to avoid Qakbot Malware infection

To minimize the risk of Qakbot Malware infection, we recommend following cyber hygiene practices and the recommendations below:

Conclusion

The Qakbot malware provides a prime example of how the threat landscape is changing. Its complex structure, impact, and distribution underscore the importance of maintaining cybersecurity vigilance. Moreover, as discussed at the outset, attackers using Qakbot consistently adapt their methods, using innovative attack vectors such as OneNote and Google Ads attachments to avoid detection, reinforcing the need for proactive and robust security measures.

The post Qakbot Malware Applies New Distribution Methods appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/new-qakbot-spreading-ways/feed/ 0 13532
Trojan Qbot Took Advantage of the Famous Follina Vulnerability https://gridinsoft.com/blogs/qbot-and-the-follina-vulnerability/ https://gridinsoft.com/blogs/qbot-and-the-follina-vulnerability/#respond Sat, 11 Jun 2022 10:03:46 +0000 https://gridinsoft.com/blogs/?p=8495 The researchers warned that the Qbot malware is already exploiting an unpatched zero-day vulnerability in Windows MSDT called Follina. Let me remind you that the discovery of Follina became known at the end of May, although the first researchers discovered the bug back in April 2022, but then Microsoft refused to acknowledge the problem. The… Continue reading Trojan Qbot Took Advantage of the Famous Follina Vulnerability

The post Trojan Qbot Took Advantage of the Famous Follina Vulnerability appeared first on Gridinsoft Blog.

]]>
The researchers warned that the Qbot malware is already exploiting an unpatched zero-day vulnerability in Windows MSDT called Follina.

Let me remind you that the discovery of Follina became known at the end of May, although the first researchers discovered the bug back in April 2022, but then Microsoft refused to acknowledge the problem.

The vulnerability has been tracked under the identifier CVE-2022-30190 and is known to be exploitable to execute arbitrary code through the normal opening of a Word document or preview in File Explorer, resorting to executing malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT).

The bug affects all versions of Windows that receive security updates, that is, Windows 7 and later, as well as Server 2008 and later.

Let me remind you that we wrote that Microsoft Is in No Hurry to Fix the Follina Vulnerability, Which Has Become a Real Disaster.

Previously, experts have already warned that the vulnerability is exploited by Chinese hackers, and it is also being used to attack European governments and municipal authorities in the United States. Now, Proofpoint experts write that even the Qbot malware has begun using malicious Microsoft Office documents (.docx) to abuse CVE-2022-30190 and infect recipients of such phishing emails.

To attack, hackers use emails with HTML attachments that download ZIP archives containing images in IMG format. Inside such an image, the victim will find a DLL file, Word, and a shortcut.

Qbot and the Follina vulnerability

Whereas the shortcut file directly downloads the Qbot DLL already present in the image, the empty .docx document contacts an external server to download an HTML file that exploits the Follina vulnerability to run PowerShell code, which in turn downloads and executes another Qbot DLL payload.

Indicators of Compromise related to this campaign can be found here.

The researchers believe that the use of two different infection methods indicates that hackers are conducting an A/B testing campaign to evaluate which tactics will give the best results.

The post Trojan Qbot Took Advantage of the Famous Follina Vulnerability appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/qbot-and-the-follina-vulnerability/feed/ 0 8495
Emotet now installs Cobalt Strike beacons https://gridinsoft.com/blogs/emotet-now-installs-cobalt-strike-beacons/ https://gridinsoft.com/blogs/emotet-now-installs-cobalt-strike-beacons/#respond Thu, 09 Dec 2021 19:44:50 +0000 https://gridinsoft.com/blogs/?p=6637 The researchers warn that Emotet now directly installs Cobalt Strike beacons on infected systems, providing immediate access to the network for attackers. Those can use it for lateral movement, which will greatly facilitate extortion attacks. Let me remind you that usually Emotet installs TrickBot or Qbot malware on the victim’s machines, and that one already… Continue reading Emotet now installs Cobalt Strike beacons

The post Emotet now installs Cobalt Strike beacons appeared first on Gridinsoft Blog.

]]>
The researchers warn that Emotet now directly installs Cobalt Strike beacons on infected systems, providing immediate access to the network for attackers. Those can use it for lateral movement, which will greatly facilitate extortion attacks.

Let me remind you that usually Emotet installs TrickBot or Qbot malware on the victim’s machines, and that one already deploys Cobalt Strike and performs other malicious actions. Now, the Cryptolaemus research group has warned that Emotet skips the installation of TrickBot or Qbot and directly installs Cobalt Strike beacons on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world, who united back in 2018 for a common goal – to fight against Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

Some of the infected computers were instructed to install Cobalt Strike, a popular post-exploitation tool. Emotet itself collects a limited amount of information about the infected machine, but Cobalt Strike can be used to evaluate a broader network or domain assessment, looking for suitable victims for further infection, such as ransomware.experts say.

While Cobalt Strike was trying to contact the lartmana[.]сom domain, and shortly thereafter, Emotet was deleting the Cobalt Strike executable.”

In fact, this means that attackers now have immediate access to the network for lateral movement, data theft, and rapid ransomware deployment. The rapid deployment of Cobalt Strike is expected to speed up the deployment of ransomware on compromised networks as well.

It is very serious. Usually, Emotet will reset the TrickBot or QakBot, which in turn will reset the CobaltStrike. In a normal situation, you have about a month between the first infection and the extortion. With Emotet dropping CS directly, this delay is likely to be much shorter.security specialist Markus Hutchins warns on Twitter.

Cofense experts, in turn, report that it is not yet clear whether what is happening is a test of the Emotet operators themselves, or if it is part of a chain of attacks by another malware that cooperates with the botnet.

We do not yet know if the Emotet operators intend to collect the data for their own use, or if it is part of a chain of attacks belonging to one of the other families of malware. Given the quick removal, it could have been a test, or even an accident.the experts summarize, promising to continue monitoring further.

Let me remind you that I also reported that Trojan Emotet is trying to spread through available Wi-Fi networks.

The post Emotet now installs Cobalt Strike beacons appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/emotet-now-installs-cobalt-strike-beacons/feed/ 0 6637