Qbot, or Qakbot, is a banking trojan that has been seen in the wild for at least 10 years. Recent campaigns have often been delivered by exploit kits and by weaponized documents sent in context-aware phishing emails. Qbot has also been suspected of delivering MegaCortex ransomware. Many recent samples exhibit worm-like behavior, spreading across network shares or via SMB, and contain multiple layers of anti-analysis controls such as VM awareness and lengthy execution delays.
Behavioral Summary
The TTPs for this particular sample discussed in this report are displayed within CB Defense as shown below.
![Screen Shot 2019-09-09 at 10.34.48 AM.png](upload://1saRS5ftVhLpkCBju2dkMEXMRWO.png "Screen Shot 2019-09-09 at 10.34.48 AM.png")
Details
Upon execution, the malware attempts to evade detection by overwriting its own file on disk with the legitimate Windows executable calc.exe, using the following command. The ping to the loopback address is a delay (roughly five seconds for six echo requests), which gives the original process time to exit before its image file is overwritten; the type redirect then writes the bytes of calc.exe over the dropper, so a file-based scan of the original path finds only a benign binary:
Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "<Path to malware executable>"
After performing multiple VM checks, the malware compares its file name against two hardcoded values, myapp.exe and self.exe, then sleeps for a randomized amount of time to delay execution. When it finally executes, the malware creates a directory in the user's roaming profile and copies itself there under a randomized name, for example: c:\users\<user>\appdata\roaming\microsoft\xyupi\iizuk.exe
The malware then injects into explorer.exe and creates both a scheduled task and a registry entry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random> for persistence. Finally, it also modifies the following Windows Defender registry entries, adding its drop directory to the scan exclusions and disabling cloud (SpyNet/MAPS) reporting and sample submission:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\<random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
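As an added illustration (not code from the original notification or from Carbon Black), the following Python turns the observable artifacts from the self-overwrite command line and from the Run-key and Windows Defender registry changes into detection rules, and runs them over a handful of constructed process and registry-modification events. The event schema, process IDs, user name, Run value name and the benign decoy events are assumptions made for the example; the command-line pattern, the roaming-profile drop path shape and the registry paths are the ones reported on this page.

```python
import re

# Constructed sample telemetry modelled on the behaviours described above
# (not a real CB Defense export). PIDs, user and file names are illustrative.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 '
                '& type "C:\\Windows\\System32\\calc.exe" > "C:\\Users\\alice\\Downloads\\invoice.exe"'},
    # benign decoy: a ping that is neither a loopback sleep nor followed by a redirect
    {"type": "process", "pid": 4200,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping -n 2 8.8.8.8'},
    {"type": "regmod", "pid": 4300,
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\qwzxa",
     "data": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\xyupi\\iizuk.exe"},
    {"type": "regmod", "pid": 4300,
     "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent",
     "data": "0"},
    {"type": "regmod", "pid": 4300,
     "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
            "\\C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\xyupi",
     "data": "0"},
    # benign decoy: a Run key pointing at an updater under AppData\Local, not Roaming
    {"type": "regmod", "pid": 900,
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

# Rule 1: loopback ping used as a sleep, then `type <exe> > <exe>`, i.e. one
# executable's bytes written over another (the calc.exe self-overwrite above).
OVERWRITE_RE = re.compile(
    r'ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1.*?&\s*type\s+'
    r'"?(?P<src>[^"&>]+?\.exe)"?\s*>\s*"?(?P<dst>[^"]+?\.exe)"?\s*$',
    re.IGNORECASE)

# Rule 2: an HKCU Run value whose data points at <random>\<random>.exe under
# the roaming profile's Microsoft directory, as in the drop path reported above.
RUN_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
ROAMING_DROP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\[a-z]+\\[a-z]+\.exe", re.IGNORECASE)

# Rule 3: writes to the Defender/AntiMalware keys listed above (exclusion
# paths, cloud reporting, sample submission).
DEFENDER_TAMPER_RE = re.compile(
    r"\\(?:Windows Defender|Microsoft AntiMalware)\\"
    r"(?:Exclusions\\Paths|SpyNet\\(?:SpyNetReporting|SubmitSamplesConsent))",
    re.IGNORECASE)


def analyze(events):
    """Return one finding per matching event, tagged with the ATT&CK TID used in this report."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            m = OVERWRITE_RE.search(ev["cmdline"])
            if m:
                findings.append({"pid": ev["pid"], "tid": "T1064",
                                 "desc": f"self-overwrite: {m['src']} written over {m['dst']}"})
        elif ev["type"] == "regmod":
            key, data = ev["key"], ev.get("data", "")
            if RUN_KEY_RE.search(key) and ROAMING_DROP_RE.search(data):
                value_name = key.rsplit("\\", 1)[-1]
                findings.append({"pid": ev["pid"], "tid": "T1060",
                                 "desc": f"Run value {value_name} -> {data}"})
            if DEFENDER_TAMPER_RE.search(key):
                findings.append({"pid": ev["pid"], "tid": "T1089",
                                 "desc": f"Defender tamper: {key}"})
    return findings


def tids_by_pid(events):
    """Group the distinct techniques observed per process."""
    out = {}
    for f in analyze(events):
        out.setdefault(f["pid"], set()).add(f["tid"])
    return out


def suspicious_pids(events, min_techniques=2):
    """PIDs showing at least `min_techniques` distinct techniques; one process
    both persisting and tampering with Defender is the high-confidence case."""
    return sorted(pid for pid, tids in tids_by_pid(events).items()
                  if len(tids) >= min_techniques)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  {f['tid']}  {f['desc']}")
    print("high-confidence pids:", suspicious_pids(SAMPLE_EVENTS))
```

Because the Defender keys live under HKEY_LOCAL_MACHINE, a write there from a process whose image sits in the user's roaming profile is itself a strong signal even without the Run-key correlation. ROAMING_DROP_RE is deliberately narrow (lowercase letters only, matching the naming seen in this sample) and should be widened if later samples change their naming scheme.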
The sample analyzed also has the ability to spread across the network via SMB, both by reusing credentials harvested from the infected host and by attempting brute-force logins with a list of common passwords hardcoded in the binary; the latter produces bursts of failed logon attempts from the infected host that are visible in domain and endpoint authentication logs. As a banking trojan, some samples of Qbot also possess the ability to inject into web pages on the infected system to collect credentials for targeted websites.
The CB Defense process diagram below shows the initial process activity.
![Screen Shot 2019-09-09 at 10.33.36 AM.png](upload://15Oeu9vsc1j3Q05PzAXuvxQ11I8.png "Screen Shot 2019-09-09 at 10.33.36 AM.png")
Remediation:
MITRE ATT&CK TIDs
TID | Tactic | Description |
---|---|---|
T1053 | Execution | Scheduled Task |
T1064 | Execution | Scripting |
T1053 | Persistence | Scheduled Task |
T1060 | Persistence | Registry Run Keys |
T1112 | Defense Evasion | Modify Registry |
T1055 | Defense Evasion | Process Injection |
T1045 | Defense Evasion | Software Packing |
T1497 | Defense Evasion | Virtualization/Sandbox Evasion |
T1089 | Defense Evasion | Disabling Security Tools |
T1497 | Discovery | Virtualization/Sandbox Evasion |
T1124 | Discovery | System Time Discovery |
T1057 | Discovery | Process Discovery |
T1110 | Credential Access | Brute Force |
T1187 | Credential Access | Forced Authentication |
T1135 | Discovery | Network Share Discovery |
Indicators of Compromise (IOCs)
Indicator | Type | Context |
---|---|---|
bd582c5310d7eddc8adb4649b7223f877802f78d71044b24b3225f7a7e321c9e | SHA256 | Qbot sample |
37c27f69e643203587064068088ca2b8c1f8bc508612e2fd2f6ed6fd3e300ee5 | SHA256 | Qbot sample |
6d0f5953b6a2234e00e720b297cdfa12a4d9074a92b85e9e5c508938b5907a0a | SHA256 | Qbot sample |
68b9de2981e3d74fbc83b3e26a45eda5611fd1791362d775e12b6db5f1f5f646 | SHA256 | Qbot sample |
The post CB TAU Threat Intelligence Notification: Qbot/Qakbot Attempts to Evade Detection By Overwriting Itself appeared first on Carbon Black.