CB TAU Threat Intelligence Notification: Qbot/Qakbot Attempts to Evade Detection By Overwriting Itself

Qbot, or Qakbot, is a banking trojan that has been seen in the wild for at least 10 years. Recent campaigns have often been delivered by exploit kits and by weaponized documents sent via context-aware phishing campaigns. Qbot has also been suspected of delivering MegaCortex ransomware. Many recent samples exhibit worm-like behavior to spread across network shares or via SMB, and contain multiple levels of anti-analysis controls such as VM awareness and lengthy execution delays.

Behavioral Summary

The TTPs for this particular sample discussed in this report are displayed within CB Defense as shown below.

![Screen Shot 2019-09-09 at 10.34.48 AM.png](upload://1saRS5ftVhLpkCBju2dkMEXMRWO.png "Screen Shot 2019-09-09 at 10.34.48 AM.png")

Details

Upon execution, the malware attempts to evade detection by overwriting itself with the legitimate Windows executable calc.exe using the following command:

Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "<Path to malware executable>"

After performing multiple VM checks, the malware checks its file name against two hardcoded values, myapp.exe and self.exe, then sleeps for a randomized amount of time to delay execution. When it finally executes, the malware creates a directory in the user's roaming profile directory and copies itself there under a randomized name such as the following:

c:\users\<user>\appdata\roaming\microsoft\xyupi\iizuk.exe

The malware then injects into explorer.exe and creates both a scheduled task and a registry Run entry for persistence:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random>

Finally, it also modifies the following registry entries for Windows Defender to exclude its location from the scanner:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\<random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
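The behaviors above (the ping-delayed self-overwrite with calc.exe, the roaming-profile Run key, and the Defender SpyNet/exclusion changes) can be turned into simple endpoint detection logic. The following is an added example, not Carbon Black's or the report's own code; the event format, the rule regexes and the sample events are all constructed here for illustration.

```python
import re

# Rules modelled on the TTPs described in the report (constructed here, not CB Defense rules).
# 1. Self-overwrite: a loopback ping delay chained with `type <system exe> > <other exe>`.
OVERWRITE_RE = re.compile(
    r'ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&+\s*type\s+"?[^"&>]+\.exe"?\s*>\s*"?([^"]+\.exe)"?',
    re.IGNORECASE,
)
# 2. Defender tampering: exclusion paths or SpyNet reporting / sample-submission values.
DEFENDER_KEY_RE = re.compile(
    r'\\(?:Windows Defender|Microsoft AntiMalware)\\(?:Exclusions\\Paths|SpyNet\\(?:SpyNetReporting|SubmitSamplesConsent))',
    re.IGNORECASE,
)
# 3. Run-key persistence whose target lives in the user's roaming profile.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\', re.IGNORECASE)
ROAMING_RE = re.compile(r'\\AppData\\Roaming\\', re.IGNORECASE)


def detect_qbot_ttps(events):
    """Return a list of (rule, detail) findings for a sequence of endpoint events (assumed format)."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            m = OVERWRITE_RE.search(ev["cmdline"])
            if m:
                findings.append(("self_overwrite", m.group(1)))  # path being overwritten
        elif ev["type"] == "registry":
            if DEFENDER_KEY_RE.search(ev["key"]):
                findings.append(("defender_tamper", ev["key"]))
            elif RUN_KEY_RE.search(ev["key"]) and ROAMING_RE.search(ev.get("value", "")):
                findings.append(("run_key_persistence", ev["value"]))
    return findings


# Constructed sample events modelled on the report's observations; paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\user\Downloads\invoice.exe"'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abcd", "value": r"C:\Users\user\AppData\Roaming\Microsoft\xyupi\iizuk.exe"},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Roaming\Microsoft\xyupi", "value": "0"},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent", "value": "2"},
    {"type": "process", "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping -n 2 127.0.0.1'},  # benign: no overwrite
]

if __name__ == "__main__":
    for rule, detail in detect_qbot_ttps(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The rules are deliberately narrow; in production they would be combined with process lineage (cmd.exe spawned by a document handler or an unsigned binary in a user-writable path) to keep false positives down.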

The sample analyzed also has the ability to spread across the network via SMB using credentials obtained from the infected host system as well as attempting brute-force logins using a list of common passwords hardcoded in the binary. As a banking trojan, some samples of Qbot also possess the ability to inject into web pages on the infected system to collect credential information from targeted websites.

The CB Defense process diagram below shows the initial process activity.

![Screen Shot 2019-09-09 at 10.33.36 AM.png](upload://15Oeu9vsc1j3Q05PzAXuvxQ11I8.png "Screen Shot 2019-09-09 at 10.33.36 AM.png")


MITRE ATT&CK TIDs

| TID | Tactic | Description |
|---|---|---|
| T1053 | Execution | Scheduled Task |
| T1064 | Execution | Scripting |
| T1053 | Persistence | Scheduled Task |
| T1060 | Persistence | Registry Run Keys |
| T1112 | Defense Evasion | Modify Registry |
| T1055 | Defense Evasion | Process Injection |
| T1045 | Defense Evasion | Software Packing |
| T1497 | Defense Evasion | Virtualization/Sandbox Evasion |
| T1089 | Defense Evasion | Disabling Security Tools |
| T1497 | Discovery | Virtualization/Sandbox Evasion |
| T1124 | Discovery | System Time Discovery |
| T1057 | Discovery | Process Discovery |
| T1110 | Credential Access | Brute Force |
| T1187 | Credential Access | Forced Authentication |
| T1135 | Lateral Movement | Network Share Discovery |

Indicators of Compromise (IOCs)

| Indicator | Type | Context |
|---|---|---|
| bd582c5310d7eddc8adb4649b7223f877802f78d71044b24b3225f7a7e321c9e | SHA256 | Qbot sample |
| 37c27f69e643203587064068088ca2b8c1f8bc508612e2fd2f6ed6fd3e300ee5 | SHA256 | Qbot sample |
| 6d0f5953b6a2234e00e720b297cdfa12a4d9074a92b85e9e5c508938b5907a0a | SHA256 | Qbot sample |
| 68b9de2981e3d74fbc83b3e26a45eda5611fd1791362d775e12b6db5f1f5f646 | SHA256 | Qbot sample |

The post CB TAU Threat Intelligence Notification: Qbot/Qakbot Attempts to Evade Detection By Overwriting Itself appeared first on Carbon Black.

Article Link: https://www.carbonblack.com/2019/09/26/cb-tau-threat-intelligence-notification-qbot-qakbot-attempts-to-evade-detection-by-overwriting-itself/