
Basta Ransomware Culprits Revealed by Mandiant Investigation

Google Mandiant has attributed a long-running extortion campaign that uses the Basta ransomware to lock victims out of their files to a group it tracks as UNC4393. UNC4393 has been infecting targets with Basta since at least 2022, but over the past 12 months it has significantly changed how it gains initial access to its victims.

Previously, the group relied almost exclusively on existing Qakbot infections, typically delivered through phishing emails, for initial network access. After U.S. law enforcement dismantled the Qakbot infrastructure last year, UNC4393 briefly switched to the DarkGate loader to establish its foothold, before turning to the SilentNight backdoor in this year's attacks.

Mandiant noted, "There are hundreds of victims of the Basta ransomware that are listed on the data leak sites, and this appears to be credible, given UNC4393's rapid operational speed." The group takes about 42 hours from initial access to deploying ransomware on a victim. UNC4393 has demonstrated its ability to conduct reconnaissance quickly, exfiltrate data, and promptly complete its objectives.

SilentNight is not the group's only route in. In campaigns observed in February, UNC4393 used stolen credentials and brute-force attacks to break in, deploy ransomware, extort victims, and steal data. SilentNight itself has a plug-in framework that delivers flexible functionality, including screenshot capture, keylogging, access to cryptocurrency wallets, and manipulation of web browsers, which attackers can use to harvest credentials.

SilentNight was first observed in 2019, resurfaced briefly for a few months in 2021, and then went quiet until this year. Like many ransomware crews, UNC4393 relies on initial access brokers to get into networks. Two such brokers, tracked by Mandiant as UNC2500 and UNC2633, compromised networks primarily with phishing emails carrying Qakbot.

Based on their analysis of these affiliates' operations, the researchers assess that the actor is most likely linked to the now-defunct TrickBot and Conti organizations. For initial access, the group began relying on DarkGate, a loader assessed to be more sophisticated than Qakbot, the malware the FBI and international law enforcement agencies had previously dismantled.

The changes to UNC4393's initial entry points reveal the long-term effects of the August 2023 Qakbot botnet takedown on the group's access vectors. The takedown rippled across the threat landscape, affecting not only Basta (also known as Black Basta) but other ransomware operations that had drawn on Qakbot-sourced access, such as REvil and Conti.

Chainalysis published a study earlier this year examining how several law enforcement disruptions affected threat groups. It found that the Qakbot takedown caused "substantial operational friction" for ransomware groups, but that they eventually adapted by switching to new malware families.

The report identified a significant decline in Black Basta ransomware payments coinciding with the Qakbot takedown. Nevertheless, activity resumed after several months, suggesting that the threat groups behind Black Basta adapted to using new malware. Mandiant researchers observed a steady decline in the number of Basta victims between March and July this year, positing that this decrease may reflect challenges in securing a consistent stream of initial access. 

Genevieve Stark, Mandiant's Manager of Cybercrime Analysis for Google Cloud, remarked that the overall professionalization and commoditization of cybercrime within underground communities have fostered resilience, enabling threat actors to seamlessly transition from one service or partner to another. Stark further explained, "Since the August 2023 law enforcement takedown, threat actors previously distributing Qakbot have largely shifted to alternative malware families or ceased operations. 

For instance, while limited UNC2500 Qakbot activity was observed in early 2024, this threat actor has predominantly deployed Pikabot. It is also possible that UNC2500 is diversifying its operations, as evidenced by May campaigns leading to credential phishing sites and February activities designed to harvest NTLMv2 hashes. Although UNC2500 remains active, its overall activity volume has decreased. Additionally, UNC2633, a Qakbot distribution cluster closely affiliated with UNC2500, has seemingly been inactive since the takedown." 

After gaining initial access, UNC4393 maps the victim's network with open-source tools such as BloodHound, AdFind, and PSnmap. The attackers use stolen credentials and brute-forcing to authenticate to externally facing network appliances and servers. Initially the group deployed Basta manually, but it later adopted Knotrock, a custom .NET utility, to deliver the ransomware.
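As an added example (not code from the original post or from Mandiant), the script below shows how a defender could spot the two behaviours just described in endpoint telemetry: the AdFind/BloodHound (SharpHound)/PSnmap reconnaissance in process-creation events, and a brute-force burst against an externally facing host in failed-logon events. The field names (Computer, CommandLine, EventID, IpAddress, Time) loosely mirror Windows Security events 4688 and 4625 and are an assumption, the command-line signatures are generic, and every sample event is constructed.

```python
"""
Added detection example. Not code from the original post or from Mandiant;
it flags (1) AD reconnaissance tooling in process-creation events and
(2) failed-logon bursts from one source against one host. Field names are
an assumption; all sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line signatures for the recon tools named in the post.
RECON_PATTERNS = {
    "adfind": re.compile(r"\badfind(\.exe)?\b.*\s-f\s", re.I),
    "bloodhound": re.compile(r"sharphound|bloodhound", re.I),
    "psnmap": re.compile(r"\bpsnmap\b", re.I),
}


def detect_recon(process_events):
    """Return (host, tool, command_line) for each event matching a recon signature."""
    hits = []
    for ev in process_events:
        cmd = ev.get("CommandLine", "")
        for tool, pat in RECON_PATTERNS.items():
            if pat.search(cmd):
                hits.append((ev["Computer"], tool, cmd))
                break
    return hits


def detect_bruteforce(logon_events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failed logons (4625) per (source IP, target host).
    Returns {(src_ip, host): peak_failures_in_window} for pairs at/above threshold."""
    by_pair = defaultdict(list)
    for ev in logon_events:
        if ev["EventID"] == 4625:
            by_pair[(ev["IpAddress"], ev["Computer"])].append(ev["Time"])
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged


# --- constructed sample telemetry -------------------------------------------
T0 = datetime(2024, 2, 14, 3, 0, 0)

SAMPLE_PROCESS_EVENTS = [
    {"Computer": "WS-0042", "CommandLine": r'C:\Users\Public\adfind.exe -f "(objectcategory=computer)" -h dc01'},
    {"Computer": "WS-0042", "CommandLine": r"powershell.exe -ep bypass -c Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"},
    {"Computer": "WS-0042", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Computer": "WS-0042", "CommandLine": r"powershell.exe -File .\PSnmap.ps1 -ComputerName 10.10.0.0/24 -Port 445"},
]

# 12 failures from one source within two minutes against the VPN gateway, plus
# three widely spaced failures from another source and one successful logon.
SAMPLE_LOGON_EVENTS = (
    [{"EventID": 4625, "Computer": "VPN-GW01", "IpAddress": "203.0.113.7", "Time": T0 + timedelta(seconds=10 * i)} for i in range(12)]
    + [{"EventID": 4625, "Computer": "VPN-GW01", "IpAddress": "198.51.100.9", "Time": T0 + timedelta(minutes=10 * i)} for i in range(3)]
    + [{"EventID": 4624, "Computer": "VPN-GW01", "IpAddress": "203.0.113.7", "Time": T0 + timedelta(minutes=3)}]
)

if __name__ == "__main__":
    for hit in detect_recon(SAMPLE_PROCESS_EVENTS):
        print("RECON", hit)
    for pair, n in detect_bruteforce(SAMPLE_LOGON_EVENTS).items():
        print("BRUTE-FORCE", pair, n)
```

The sliding window matters: a spray of 12 failures in two minutes is flagged, while three failures spread over half an hour from a second source are not, which keeps ordinary mistyped passwords out of the alert queue.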

Knotrock automates the delivery of Basta to hosts, enabling faster encryption in large-scale attacks. Researchers also observed the group using SilentNight, a backdoor that had been dormant before its resurgence this year, to gain persistence and evade detection. The recent SilentNight activity, which began earlier this year, has primarily been delivered through malvertising, marking a notable shift away from phishing as UNC4393's sole initial access method.

Beyond shifts in initial access, UNC4393's changes to its tactics, techniques, and procedures (TTPs) this year demonstrate the group's adaptability to the cybercrime landscape. The group has increasingly turned towards custom malware development rather than relying on publicly available tools. Mandiant researchers reported responding to over 40 separate UNC4393 intrusions across 20 industry verticals since 2022. However, this number is relatively small compared to the overall victim count of 500 that the ransomware group claims on its leak site. 

The researchers noted, "While UNC4393's TTPs and monetization methods remain relatively consistent with previous operations, the group appears to be diversifying its initial access sources. Its evolution from opportunistic Qakbot infections to strategic partnerships with initial access brokers underscores a willingness to diversify and optimize its operations."

After Qakbot, DarkGate and Pikabot Emerge as the New Notorious Malware

A phishing campaign that has been distributing DarkGate has now added PikaBot as a payload, making it one of the most sophisticated campaigns seen since the Qakbot operation was taken down.

The phishing email campaign began in September 2023, right after the FBI took down the Qbot (Qakbot) infrastructure. 

In a report recently published by Cofense, researchers explain that the DarkGate and Pikabot operations employ strategies and methods that are reminiscent of earlier Qakbot attacks, suggesting that the threat actors behind Qbot have now shifted to more recent malware botnets.

"This campaign is undoubtedly a high-level threat due to the tactics, techniques, and procedures (TTPs) that enable the phishing emails to reach intended targets as well as the advanced capabilities of the malware being delivered," the report reads. 

This is a serious risk to organizations because DarkGate and PikaBot are modular malware loaders with many of the same features as Qbot, which was one of the most widely distributed email-borne malware botnets.

Like Qbot, the new loaders are likely to be used to gain initial access to networks and then carry out ransomware, espionage, and data theft attacks.

The DarkGate and Pikabot Campaign

Beginning in September 2023, there was a dramatic surge in malicious emails distributing the DarkGate loader. From October 2023, threat actors have used PikaBot as the main payload.

The phishing emails are replies to, or forwards of, stolen email threads, so the targeted victims see what looks like a continuation of a conversation they already trust.

The embedded URL first performs checks to confirm that the visitor is a legitimate target and then serves a ZIP file containing a malware dropper, which retrieves the final payload from a remote location.

According to Cofense, the attackers experimented with several initial droppers to see which worked best, including:

  • JavaScript droppers that download and execute PEs or DLLs.
  • An Excel-DNA loader, based on the open-source project for building XLL add-ins, abused here to install and run malware.
  • VBScript (.vbs) downloaders, either embedded in Microsoft Office documents or invoking command-line executables.
  • LNK downloaders that abuse Windows shortcut files (.lnk) to download and execute malware.

As of September 2023, DarkGate served as the final payload for these attacks; in October 2023, PikaBot took its place.
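The dropper types above are exactly what a mail gateway or analyst should look for inside the ZIP lure. As an added example (not code from the original post or from Cofense), the script below triages a ZIP attachment by member extension, by magic bytes (PE for EXE/DLL/XLL, the Shell Link header for LNK) and by double extensions, recursing into nested archives. The sample archive is constructed in memory so the script runs offline.

```python
"""
Added triage example, not code from the original post or from Cofense.
Flags JavaScript/VBScript/LNK/XLL-style droppers inside a ZIP attachment by
extension, magic bytes and double extensions, recursing into nested ZIPs.
The sample archive is constructed.
"""
import io
import posixpath
import zipfile

DROPPER_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".xll", ".dll", ".exe"}
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".xll", ".scr", ".cpl"}

# Magic bytes: PE image (EXE/DLL/XLL), Shell Link header (HeaderSize 0x4C followed
# by the start of LinkCLSID 00021401-0000-0000-C000-000000000046), and nested ZIP.
MAGIC = (
    (b"MZ", "pe"),
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00", "lnk"),
    (b"PK\x03\x04", "zip"),
)


def sniff(data):
    """Return the file kind implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def triage_zip(blob, depth=0, max_depth=3):
    """Return [(member_path, [reasons])] for suspicious members of a ZIP blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            stem, ext = posixpath.splitext(name)
            ext = ext.lower()
            kind = sniff(data)
            if kind == "zip" and depth < max_depth:
                # Nested archive: report its members with a prefixed path.
                for inner, reasons in triage_zip(data, depth + 1, max_depth):
                    findings.append((name + "/" + inner, reasons))
                continue
            reasons = []
            if ext in DROPPER_EXTENSIONS:
                reasons.append("ext:" + ext)
            if kind in ("pe", "lnk"):
                reasons.append("magic:" + kind)
            if posixpath.splitext(stem)[1]:          # e.g. Invoice.pdf.lnk
                reasons.append("double-extension")
            if kind == "pe" and ext not in EXPECTED_PE_EXTENSIONS:
                reasons.append("pe-disguised-as:" + ext)
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_attachment():
    """Constructed lure archive: a double-extension LNK, a PE renamed to .png,
    a benign text file and a nested ZIP carrying a JavaScript dropper."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("run.js", "var s = new ActiveXObject('WScript.Shell');")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_Q3.pdf.lnk", b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 64)
        z.writestr("report.png", b"MZ" + b"\x00" * 126)
        z.writestr("notes.txt", "Please see attached.")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, why in triage_zip(build_sample_attachment()):
        print(path, "->", ", ".join(why))
```

Checking magic bytes as well as extensions is what catches the renamed PE ("report.png") that an extension-only filter would pass, and the double-extension check catches the LNK named to look like a PDF.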

DarkGate and PikaBot

DarkGate first surfaced in 2017 but was only offered to other threat actors last summer, after which its use in phishing and malvertising increased.

This sophisticated modular malware can perform a wide range of malicious actions, such as keylogging, cryptocurrency mining, reverse shells, hVNC remote access, clipboard theft, and theft of files and browser data.

PikaBot, by contrast, is much newer, first seen in 2023. It consists of a loader and a core module, and incorporates extensive anti-debugging, anti-VM, and anti-emulation mechanisms.

The malware profiles targeted systems and transfers the data to its command and control (C2) infrastructure, awaiting additional instructions.

The C2 delivers the commands to the malware that order it to download and run modules in the form of DLL or PE files, shellcode, or command-line commands.

Cofense further cautioned that the PikaBot and DarkGate campaigns are run by experienced threat actors with top-tier capabilities, so organizations should familiarize themselves with the TTPs of this phishing campaign.

FBI Duck Hunt Operation Against Qakbot Resurgence

Last week, a pernicious and multifunctional malware was taken down in Operation "Duck Hunt," a collaborative effort led by the FBI. The operation removed the malicious code from roughly 700,000 compromised systems, severing their connection to the Qakbot botnet. The FBI also took control of 52 servers and seized $8.6 million in stolen cryptocurrency, vowing to return the funds to the rightful victims.

Qakbot is a notorious banking trojan best known for giving cybercriminals an initial entry point into a victim's network: other hackers bought that access and deployed their own malware, including ransomware. According to U.S. authorities, Qakbot was involved in over 40 ransomware attacks in the last 18 months, resulting in a staggering $58 million in ransom payments.

Among Qakbot's ransomware victims were an engineering firm in Illinois, financial services firms in Alabama and Kansas, a defense manufacturer in Maryland, and a food distribution company in Southern California, according to U.S. Attorney Martin Estrada. The FBI's operation rerouted the botnet's traffic to government-controlled servers, giving the agency control.

Leveraging this access, the FBI directed Qakbot-infected devices worldwide to download an uninstaller developed by the agency, freeing the victims' computers from the botnet and halting further malware installations via Qakbot. Qakbot's role is to maintain a persistent presence on the system so that other threat actors can use that access to deploy ransomware, cryptocurrency miners, or other post-exploitation tooling, according to John Hammond, a senior security researcher at Huntress. Ransomware groups known to have used Qakbot access include Black Basta, Conti, Egregor, MegaCortex, ProLock, and REvil.

Many of the groups involved operate from Russia, which does not extradite its citizens, so the cybercrime service providers behind them are difficult to apprehend unless they travel abroad. With the operators beyond reach, little stops them from reworking the malware's core code and command-and-control structure to make it more resilient to disruption, which paves the way for an enhanced version of Qakbot to emerge.

FBI Operation: Qakbot Botnet Dismantled, Preventing Severe Ransomware Attacks

A global law enforcement operation led by US investigators has taken down and dismantled the Qakbot botnet, heading off a ransomware scourge.

On August 29, the Justice Department and FBI confirmed they had taken down Qakbot by executing a search warrant that effectively allowed them to take over the servers running the botnet. The Qakbot malware was then forcibly removed from hundreds of thousands of infected computers via a removal tool that federal agents distributed through the botnet itself.

In its investigation, the agencies found that Qakbot had access to over 700,000 infected computers, 200,000 of which were in the US.

Qakbot Botnet

Qakbot, aka Qbot, initially commenced its operations in the year 2008, as a Windows-based Trojan designed to acquire access to targeted users’ bank account credentials. It was conventionally spread as malware attachments in phishing emails. 

The malware was also designed to build a botnet that followed commands from a hacker-controlled server, which allowed the Qakbot developers to charge other cybercriminal organizations for access to the compromised systems.

Those cybercrime organizations could then unleash ransomware on the affected systems or steal data from them. US authorities and security researchers have connected Qakbot to a number of ransomware gangs, including Conti, Black Basta, Royal, REvil, and LockBit. In return, the unidentified Qakbot operators received fees tied to victim ransom payments totalling around $58 million. The botnet's operations are estimated to have caused hundreds of millions of dollars in total victim losses.

The Operation 

The application for the operation's seizure warrant describes how the FBI gained access to the servers operating the Qakbot botnet infrastructure, hosted by an unnamed web hosting company, which included systems used by the Qakbot operators themselves.

The application further noted that, “Through its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet[…]Based on that knowledge, the FBI has developed a means to identify infected computers, collect information from them about the infection, disconnect them from the Qakbot botnet and prevent the Qakbot administrators from further communicating with those infected computers.”

According to the filing, Qakbot uses a three-tier network to control the malware installed on infected computers.

According to the FBI, Tier 1 systems are ordinary home or business computers infected with Qakbot that also run an additional "supernode" module, making them part of the botnet's global command-and-control network; many of them are in the United States. Tier 1 computers communicate with Tier 2 systems, which proxy network traffic to hide the primary Tier 3 command-and-control server that the administrators use to send encrypted commands to hundreds of thousands of infected machines.

Having gained access to these systems and to Qakbot's encryption keys, the FBI could decrypt and understand the encrypted commands. With the keys in hand, the FBI could instruct the Tier 1 supernode computers to replace the supernode module with one developed by the FBI containing new encryption keys, wresting control of the botnet from its own administrators.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” US Attorney Martin Estrada said in the announcement. 

The US is yet to provide further details on the issue. However, the Justice Department noted that “The FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”  

Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their tactics, techniques, and procedures (TTPs) in response to Microsoft's move to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office programs.

Malicious Microsoft Office attachments in phishing emails often contain VBA or XL4 macros, small programs meant to automate repetitive tasks in Office applications, which threat actors abuse to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The shift follows Microsoft's announcement that it would curb widespread abuse of Office macros by making them harder to enable and blocking them by default.

New tactics 

Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has increased by 66%, according to Proofpoint, which calls the change 'one of the largest email threat landscape shifts in recent history.' The actors distributing Emotet are among those involved.

Use of container files such as ISOs, ZIPs, and RARs has also risen sharply, by about 175 percent, as threat actors adopt them for initial access; between October 2021 and June 2022, the use of ISO files alone surged by over 150 percent.

Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.

According to Proofpoint, the use of HTML attachments that employ HTML smuggling to drop malware onto the host has also increased significantly, although their distribution volumes remain quite limited.
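HTML smuggling works by shipping the payload inside the HTML itself as a base64 string and letting client-side JavaScript decode it, wrap it in a Blob and trigger a download, so the binary never crosses the mail gateway as an attachment. As an added example (not code from the original post or from Proofpoint), the script below scores an HTML attachment for that pattern. Both sample pages are constructed, and the indicator names and the 200-character threshold are assumptions to be tuned against real mail flow.

```python
"""
Added detection example, not code from the original post or from Proofpoint.
Scores an HTML attachment for HTML smuggling: a large base64 literal that decodes
to a binary container (ZIP/PE/LNK) plus JavaScript that decodes it, builds a Blob
and triggers a download. Sample pages are constructed.
"""
import base64
import re

INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "save_blob": re.compile(r"msSaveOrOpenBlob|createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\bdownload\s*=", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# Quoted base64 literal of at least 200 characters (threshold is an assumption).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
BINARY_MAGIC = (b"PK\x03\x04", b"MZ", b"\x4c\x00\x00\x00\x01\x14\x02\x00")


def analyse_html(html):
    """Return (set of matched indicator names, [first 8 bytes of each decoded literal])."""
    hits = {name for name, pat in INDICATORS.items() if pat.search(html)}
    prefixes = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        prefixes.append(data[:8])
    return hits, prefixes


def is_html_smuggling(html):
    """True when decode-and-assemble JavaScript is present, or when an embedded
    binary container is paired with a download trigger."""
    hits, prefixes = analyse_html(html)
    embedded_binary = any(p.startswith(m) for p in prefixes for m in BINARY_MAGIC)
    scripted_assembly = "base64_decode" in hits and ({"blob_ctor", "save_blob"} & hits)
    triggered = embedded_binary and ({"download_attr", "auto_click"} & hits)
    return bool(scripted_assembly or triggered)


# --- constructed samples -----------------------------------------------------
_FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()
SMUGGLING_PAGE = f"""<html><body><p>Your document is loading...</p>
<script>
  var payload = "{_FAKE_ZIP}";
  var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob); a.download = "Invoice.zip"; a.click();
</script></body></html>"""

_FAKE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 200).decode()
NEWSLETTER_PAGE = f"""<html><body><script>var logo = "{_FAKE_PNG}";
document.getElementById("hdr").src = "data:image/png;base64," + logo;</script>
<a href="https://example.org/report.pdf">Read the report</a></body></html>"""

if __name__ == "__main__":
    for label, page in (("lure", SMUGGLING_PAGE), ("newsletter", NEWSLETTER_PAGE)):
        print(label, "smuggling" if is_html_smuggling(page) else "clean", sorted(analyse_html(page)[0]))
```

Decoding the literal and checking its magic bytes is what separates the lure from the newsletter: both carry a large base64 string, but only one decodes to a ZIP and is paired with the decode/Blob/download chain.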

Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.

Costa Rica's New Government is Under Attack by the Conti Ransomware Gang

The Conti ransomware group, which has breached a number of Costa Rican government computer systems, has escalated its threats, claiming that its ultimate goal is to overthrow the government. The Russian-speaking gang raised its ransom demand to $20 million to increase the pressure to pay, perhaps capitalizing on the fact that President Rodrigo Chaves had been in office for only a week.

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation," read another statement on Conti's dark web page. "Perhaps it's worth replacing." Over the weekend, the gang warned that it would delete the decryption keys within a week, making it impossible for Costa Rica to recover its encrypted files.

The April 19 attack prompted the new administration to declare a state of emergency, and the gang has leaked troves of data taken from infected systems before encryption. Conti attributed the attack to an affiliate nicknamed "UNC1756," a play on the naming scheme that threat intelligence firm Mandiant uses for uncategorized threat groups.

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.

The Emotet Malware is Alive and Using TrickBot to Rebuild its Botnet

 

The malicious Emotet botnet, which made a comeback in November 2021 after a 10-month break, is showing indications of steady expansion once again, collecting a colony of over 100,000 infected hosts to carry out its destructive actions. 

In this new round of attacks, Emotet, a banking trojan that has evolved into a formidable modular threat, has reappeared with improved features. It uses infected devices to send further spam campaigns and to install payloads such as QakBot (Qbot) and TrickBot, which in turn give ransomware operators such as Ryuk, Conti, ProLock, and Egregor initial access for deploying ransomware.

"While Emotet has not yet reached the same magnitude as before, the botnet is displaying a strong resurrection with a total of around 130,000 unique bots scattered over 179 countries since November 2021," Lumen's Black Lotus Labs researchers wrote in a report. On April 25th, 2021, German law enforcement used the network to send an Emotet module that removed the malware from afflicted devices. 

The TrickBot malware has begun to dump an Emotet loader on affected devices, according to Emotet research group Cryptolaemus, GData, and Advanced Intel. While Emotet used to deploy TrickBot, the threat actors now use a mechanism called "Operation Reacharound" by the Cryptolaemus group, which rebuilds the botnet utilizing TrickBot's current infrastructure. 

Apart from command-and-control (C2) lists and RSA keys, which change from version to version, Emotet's main payload hasn't changed much, but the list of phrases used to establish a process name for its bot has been renewed. Along with new binaries, words like engine, finish, magnify, resapi, query, skip, and many more are utilized and modified. Researchers may be able to construct signatures to detect Emotet infections on machines once these lists have been secured, but signature-based detection is more challenging if the list changes. 

Abuse.ch has published a list of the new Emotet botnet's command and control servers and strongly advises network administrators to ban the linked IP addresses. Another new feature is the ability to collect extra system information from compromised workstations in addition to a list of running processes. The number of bots and associated dispersion are crucial indicators of Emotet's success in reconstructing its once-vast infrastructure.

This Decade-old Malware has Picked Some Nasty New Tactics

 

Qakbot, a popular trojan for stealing bank credentials, has recently started delivering ransomware, making it more difficult for network defenders to identify what is and isn't a Qakbot attack. 

Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived despite Microsoft and other security firms' multi-year attempts to eliminate it. In 2017, Qakbot adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts, and creating copies of itself using the SMB file-sharing protocol. 

According to Kaspersky's new investigation of Qakbot, it is unlikely to go away very soon. As per its detection statistics for Qakbot, it infected 65 per cent more PCs between January and July 2021 than it did the previous year. As a result, it is becoming increasingly dangerous. 

Qakbot is modular, as per Microsoft, allowing it to masquerade as unique attacks on each device on a network, making it tough to identify, prevent, and remove by defenders and security tools. 

The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely." 

Given the difficulty in identifying a common Qakbot campaign, the Microsoft team has profiled the malware's approaches and behaviours to aid security analysts in detecting it. Emailed attachments, links, or embedded images are the most common distribution methods. It is also known to attack machines using Visual Basic for Applications (VBA) macros and legacy Excel 4.0 macros. In July, TrendMicro examined a significant Qakbot campaign that employed this tactic. 

Qakbot hides harmful processes using process injection, creates scheduled activities that stay on the machine, and manipulates the Windows registry. Once installed on an infected system, it uses a variety of lateral movement techniques, as well as the Cobalt Strike penetration-testing framework and ransomware. 

Last year, the FBI warned that Qakbot was spreading ProLock, a type of "human-operated ransomware." This was a concerning finding, because Qakbot-infected machines act as the bridge for a ransomware attack and must therefore be isolated from the network. Microsoft noted that Qakbot injects into MSRA.exe and Mobsync.exe to run network discovery commands and to steal Windows credentials and browser data.

Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. As per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).

"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted. 

"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor." 

Microsoft's recommended mitigations for reducing Qakbot's impact include enabling Office 365 phishing protection, turning on SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by enabling the Windows Antimalware Scan Interface (AMSI). AMSI is supported by Microsoft Defender Antivirus and by third-party antivirus vendors; AMSI support for Excel 4.0 macros was only added in March, so it is still a new feature.

QakBot (QBot) Campaign: A Thorough Analysis

QakBot, also known as QBot, QuackBot, and Pinkslipbot, is a modular banking trojan and information stealer that has been active for almost 14 years. Built to steal banking credentials, QakBot uses various techniques to evade detection and hinder manual analysis. Its authors have developed it with enough sophistication that variants can deploy additional malware, open a backdoor into infected systems, and log user keystrokes.

QakBot attacks typically use Microsoft Word documents delivered via phishing emails crafted to trick the user into opening them. In 2020, some campaigns instead used ZIP attachments enclosing a Word document that contained the macros. These macros trigger a PowerShell script that downloads the QBot payload from a set of internet addresses.

Spoofing the Victim: Opening the QBot Infected Word Doc 

When the victim opens the Word document carrying the malicious macro, Word displays a yellow "Security Warning" bar below the ribbon asking the user to click "Enable Content." Once the user clicks it, a gray dialog reading "Loading data. Please wait..." appears, to suggest that the document is still loading.

Behind the scenes, however, the malicious macro is executing. It creates a folder and attempts to download the QakBot payload into it, trying five different URLs in turn. The five URLs all point to sites built with the same website builder, which likely has a flaw that allows EXE files to be uploaded with a PNG extension.

In one of its earlier campaigns, once running, QBot replaced its original binary with a copy of the Windows Calculator (calc.exe). It then enumerated installed programs, compared process names against a blacklist, examined registry entries, and inspected hardware details to look for virtualization software such as VMware or VirtualBox. If no virtualization software was detected, QBot copied its executable into a folder, disguising it with what appeared to be a valid code-signing certificate, and scheduled a task to run the executable every 5 hours. After that, QBot launched an explorer.exe process and injected its code into the process's memory. QBot can also spawn additional processes using a double-process technique.
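The scheduled-task persistence and explorer.exe injection described here, together with the MSRA.exe/Mobsync.exe injection noted in the "This Decade-old Malware" post above, are host behaviours that endpoint telemetry captures well. As an added example (not code from the original posts, Microsoft or Trend Micro), the script below checks Sysmon-style events for schtasks.exe /Create with a short repeat interval launched by an unusual parent (Event ID 1) and for CreateRemoteThread into explorer.exe from those host processes (Event ID 8). The events, the command lines and the trusted-parent list are constructed and should be tuned to the environment.

```python
"""
Added detection example, not code from the original posts, Microsoft or Trend Micro.
Checks Sysmon-style events for (1) scheduled-task persistence created by an
unusual parent process and (2) CreateRemoteThread into explorer.exe from the
msra.exe/mobsync.exe host processes. All events and the trusted-parent list
are constructed.
"""
import re

SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
REPEAT_INTERVAL = re.compile(r"/sc\s+(minute|hourly)\s+/mo\s+(\d+)", re.I)
INJECTION_SOURCES = {"msra.exe", "mobsync.exe"}
INJECTION_TARGETS = {"explorer.exe"}
# Parents that legitimately create tasks in this (constructed) environment.
TRUSTED_TASK_PARENTS = {"msiexec.exe", "mmc.exe", "services.exe", "sccm-agent.exe"}


def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_task_persistence(events):
    """Flag schtasks.exe /Create launched by a parent outside the trusted set."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        cmd = ev.get("CommandLine", "")
        if not SCHTASKS_CREATE.search(cmd):
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent in TRUSTED_TASK_PARENTS:
            continue
        m = REPEAT_INTERVAL.search(cmd)
        alerts.append({
            "type": "scheduled_task",
            "host": ev["Computer"],
            "parent": parent,
            "interval": f"{m.group(2)} {m.group(1).lower()}" if m else None,
            "cmd": cmd,
        })
    return alerts


def detect_remote_thread_injection(events):
    """Flag CreateRemoteThread from a known Qakbot host process into explorer.exe."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 8:
            continue
        src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
        if src in INJECTION_SOURCES and tgt in INJECTION_TARGETS:
            alerts.append({"type": "remote_thread", "host": ev["Computer"], "source": src, "target": tgt})
    return alerts


# --- constructed sample telemetry -------------------------------------------
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-0017", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks.exe /Create /TN "{5B1A3E6C-1F2D-4E8B-9C0A-7D6E5F4A3B2C}" /TR "regsvr32.exe -s C:\Users\Public\img.dll" /SC HOURLY /MO 5 /F'},
    {"EventID": 1, "Computer": "WS-0017", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /TR "C:\Program Files\Vendor\upd.exe" /SC DAILY /ST 03:00'},
    {"EventID": 1, "Computer": "WS-0017", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"schtasks.exe /Query /TN Vendor\Updater"},
    {"EventID": 8, "Computer": "WS-0017", "SourceImage": r"C:\Windows\System32\msra.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "Computer": "WS-0017", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect_task_persistence(SAMPLE_EVENTS) + detect_remote_thread_injection(SAMPLE_EVENTS):
        print(alert)
```

The parent-process allow-list is the noisy part in practice; installers and management agents create tasks constantly, so start from a short trusted set and review what the rule flags before it goes live.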

In order to safeguard against the ever-evolving threat of QakBot, experts recommend organizations provide training to their employees who could come up with alternative solutions when automated intrusion-detectors fail.

Qakbot Malware Targets Users via a Malicious Email Campaign

Qakbot, also known as QBot or Pinkslipbot, is a banking trojan that has been active since 2007 and is used primarily by financially motivated actors. It began as a banking trojan and loader that used C2 servers for payload delivery, but over time its scope has widened well beyond banking fraud.

Security researchers at Alien Labs have noticed a newly emerged campaign in which victims are targeted with malicious email lures that appear to be in response to, or modified versions of, legitimate business communications between two parties. 

The use of an existing legitimate email, aside from making the lure appear far more convincing to a recipient recognizing their own message and possibly the purported sender, is consistent with previously identified Qakbot behavior in which email accounts are compromised and message threads hijacked. This tactic effectively creates a 'snowball effect' in which more and more organizations can be targeted with lures derived from legitimate email messages obtained from previously compromised victims.

When opened, the malicious Office document poses as a DocuSign file, a popular electronic signature service. The documents use Excel 4.0 (XLM) macros stored in hidden sheets to download the second-stage QakBot payload from servers that the criminals have compromised.
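Hidden XLM macro sheets leave traces in the file structure itself. As an added example (not code from the original post or from Alien Labs), the script below opens an Office Open XML workbook (.xlsm files are ZIP containers), lists the Excel 4.0 macro sheets, reports sheets marked hidden or veryHidden, and checks for an Auto_Open defined name that would fire the macro on open. The two workbooks are constructed in memory. Legacy binary .xls files (BIFF8) store XLM differently and need a tool such as oletools; this example handles the OOXML layout only.

```python
"""
Added inspection example, not code from the original post or from Alien Labs.
Reports Excel 4.0 (XLM) macro sheets, hidden/veryHidden sheets and an Auto_Open
defined name in an OOXML workbook. Sample workbooks are constructed; legacy
.xls (BIFF8) files are out of scope here.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def inspect_workbook(blob):
    """Return a dict of indicators for an OOXML workbook given as bytes."""
    result = {"macrosheets": [], "hidden_sheets": [], "auto_open": False, "vba_project": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        result["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        result["vba_project"] = "xl/vbaProject.bin" in names
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state in ("hidden", "veryHidden"):
                result["hidden_sheets"].append((sheet.get("name"), state))
        for dn in workbook.findall("m:definedNames/m:definedName", NS):
            if (dn.get("name") or "").lower().endswith("auto_open"):
                result["auto_open"] = True
    return result


def is_suspicious(indicators):
    """An XLM macro sheet that is hidden from the user, or wired to run on open."""
    return bool(indicators["macrosheets"]) and (bool(indicators["hidden_sheets"]) or indicators["auto_open"])


def _workbook_xml(sheets, defined_names=()):
    """Minimal xl/workbook.xml; sheets is [(name, state)], defined_names is [(name, ref)]."""
    parts = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
             '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
             'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><sheets>']
    for i, (name, state) in enumerate(sheets, 1):
        attr = "" if state == "visible" else ' state="%s"' % state
        parts.append('<sheet name="%s" sheetId="%d" r:id="rId%d"%s/>' % (name, i, i, attr))
    parts.append("</sheets>")
    if defined_names:
        parts.append("<definedNames>" + "".join(
            '<definedName name="%s" localSheetId="1">%s</definedName>' % dn for dn in defined_names) + "</definedNames>")
    parts.append("</workbook>")
    return "".join(parts)


def build_sample_workbooks():
    """Constructed: a lure with a veryHidden XLM sheet and Auto_Open, and a plain workbook."""
    lure = io.BytesIO()
    with zipfile.ZipFile(lure, "w") as z:
        z.writestr("xl/workbook.xml", _workbook_xml([("Sheet1", "visible"), ("Macro1", "veryHidden")],
                                                    [("_xlnm.Auto_Open", "Macro1!$A$1")]))
        z.writestr("xl/macrosheets/sheet1.xml",
                   '<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"/>')
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w") as z:
        z.writestr("xl/workbook.xml", _workbook_xml([("Sheet1", "visible")]))
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return lure.getvalue(), plain.getvalue()


if __name__ == "__main__":
    for label, blob in zip(("lure", "plain"), build_sample_workbooks()):
        ind = inspect_workbook(blob)
        print(label, "suspicious" if is_suspicious(ind) else "clean", ind)
```

The combination is what matters: a macro sheet alone may be a legacy spreadsheet, and hidden sheets alone are common, but an XLM sheet the user cannot see that is also registered under Auto_Open is the lure pattern described above.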

Before executing the main payload, the QakBot loader will first test the infected system to see if it is a good candidate for infection. The QakBot loader is responsible for checking its environment to include whether it is running on a Virtual Machine, identifying any installed and running security and monitoring tools such as Antivirus products or common security researcher tools. 

To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. The hallmarks of a QakBot infection chain consist of a phishing lure (T1566) delivered via email chain hijacking or spoofed emails that contain context-aware information such as shipping, work orders, urgent requests, invoices, claims, etc. The phishing emails alternate between file attachments (T1566.001) and links (T1566.002). QakBot is often used as a gateway entry, similar to TrickBot or Emotet, that leads to post-exploitation operations leveraging frameworks such as Cobalt Strike as well as delivering Ransomware.
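Public Qakbot analyses describe the string protection mentioned above as a table of NUL-terminated strings XORed against a key blob, with each string recovered on demand by its offset into the table. As an added example (not code from the original post or from Alien Labs), the script below reproduces that scheme so an analyst can see how a recovered table is dumped. The key and plaintexts are constructed; the real key and table are extracted from a sample and vary between builds, and the assumption that the key index is the absolute offset into the table follows the public descriptions.

```python
"""
Added example, not code from the original post or from Alien Labs. Implements the
XOR-with-repeating-key string table described in public Qakbot analyses:
NUL-terminated strings, key indexed by absolute table offset (assumption).
Key and plaintexts are constructed.
"""


def encrypt_table(strings, key):
    """Build a Qakbot-style table: NUL-terminated strings XORed with the repeating key."""
    plain = b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))


def decrypt_string(table, key, offset):
    """Recover the NUL-terminated string that starts at `offset` in the encrypted table."""
    out = bytearray()
    i = offset
    while i < len(table):
        c = table[i] ^ key[i % len(key)]
        if c == 0:
            break
        out.append(c)
        i += 1
    return out.decode("latin-1")


def dump_table(table, key):
    """Walk the whole table and return {offset: plaintext} for every string in it."""
    strings = {}
    offset = 0
    while offset < len(table):
        s = decrypt_string(table, key, offset)
        strings[offset] = s
        offset += len(s) + 1        # step past the NUL terminator
    return strings


# Constructed key and plaintexts typical of what such tables contain.
KEY = bytes.fromhex("3b9f0c5dd2a4e17fa86e2c0f4d91b3e0")
PLAINTEXTS = [
    "explorer.exe",
    "schtasks.exe /Create /TN {guid} /TR",
    "VMware",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]
TABLE = encrypt_table(PLAINTEXTS, KEY)

if __name__ == "__main__":
    for off, s in dump_table(TABLE, KEY).items():
        print(f"{off:04x}  {s}")
```

In a real sample the analyst first locates the table blob and the key blob in the binary (or breakpoints the decrypt routine), then runs a walk like dump_table to recover every string at once rather than one call site at a time.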