
Quakbot
Prologue:
Since mid-September, Qbot activity has risen sharply, with Quakbot arriving with a whole new set of skills and tricks. There is a strong chance of Cobalt Strike post-exploitation activity: the operators deploy Cobalt Strike beacons, which allow them to launch human-operated (hands-on-keyboard) activity.
Quakbot Overview:
Quakbot is a Windows banking trojan that mainly targets web banking credentials, financial data and personal information. Quakbot has been seen since 2007 and has kept upgrading its targeting to new levels ever since.
The malware is delivered mainly through phishing emails, targeting the sectors mentioned above. The payload has switched from EXE to DLL, executed via Signed Binary Proxy Execution through the LOLBins rundll32 or regsvr32; recently, threat actors have used the .ocx file extension (renamed DLLs).
Recently, an organization was hit by a cyber attack targeting employees with internal phishing. The threat actors used compromised email accounts from the organization and its business partners, as confirmed by BleepingComputer.
Recent Quakbot analysis:
A phishing email is sent from compromised accounts and contains URLs; when the user visits these URLs, the browser is redirected to download a zip file, and this zip file contains an Excel document. The Excel file appears in the user's Downloads folder:
C:\users\<userPII>\Downloads\<filename>.xlsm
When the document is opened, it tells the user to enable content. Immediately, multi-stage malicious actions follow, including a command-and-control (C2) connection and downloaded malware files. The downloaded file extension is OCX (OCX files are renamed DLLs and are executed using the regsvr32.exe command to install the malware payload). Recent IOCs are besta.ocx, bestb.ocx and bestc.ocx. The malware payload is then executed via rundll32 or regsvr32:
rundll32.exe ..\[filename].ocx
This then leads to a scheduled task, configured to execute whether or not the user is logged on. Quakbot uses lateral movement techniques in this campaign. Cobalt Strike is also executed, creating a backdoor and performing process injection by creating a remote thread.
The named pipe that appears in the shellcode contains “\\.\pipe\mojo.5688.805…..”; this represents the Cobalt Strike beacon's inter-process communication (IPC) pipe.
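The two detection opportunities described above (rundll32/regsvr32 loading a renamed .ocx DLL out of a user's Downloads folder after an Office document is opened, and a mojo-style named pipe created by a non-browser process) can be turned into simple triage rules. The following Python is an added example written for this post, not code from the original article or from any referenced vendor; the Sysmon-style event records, user name, and pipe suffix are constructed sample data.

```python
import re

# Constructed sample telemetry (not from the post): flattened Sysmon-style process
# creation (EventID 1) and named-pipe creation (EventID 17) records.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe -s C:\Users\alice\Downloads\besta.ocx",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe ..\bestb.ocx,DllRegisterServer",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"kind": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"kind": "pipe", "image": r"C:\Windows\System32\rundll32.exe",
     "pipe": r"\\.\pipe\mojo.5688.805.123456789"},
    {"kind": "pipe", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "pipe": r"\\.\pipe\mojo.4120.77.987654321"},
]

LOLBIN_RE = re.compile(r"\\(rundll32|regsvr32)\.exe$", re.I)
OCX_RE = re.compile(r"\.ocx\b", re.I)          # renamed DLL, as with besta/bestb/bestc.ocx
USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.I)
OFFICE_RE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.I)
# Cobalt Strike's default pipe name imitates Chromium's mojo.<pid>.<tid>.<n> IPC pipes.
MOJO_RE = re.compile(r"^\\\\\.\\pipe\\mojo\.\d+\.\d+\.\d+$", re.I)
BROWSER_RE = re.compile(r"\\(chrome|msedge|chromium)\.exe$", re.I)

def score_event(ev):
    # Return the list of reasons this single event matches the chain described in the post.
    reasons = []
    if ev["kind"] == "process" and LOLBIN_RE.search(ev["image"]):
        if OCX_RE.search(ev["cmdline"]):
            reasons.append("rundll32/regsvr32 loading an .ocx module")
        if USER_PATH_RE.search(ev["cmdline"]):
            reasons.append("module located in a user-writable directory")
        if OFFICE_RE.search(ev.get("parent", "")):
            reasons.append("spawned by an Office application")
    elif ev["kind"] == "pipe" and MOJO_RE.match(ev["pipe"]):
        # mojo.* pipes are normal for Chromium browsers; only non-browser owners are suspicious.
        if not BROWSER_RE.search(ev["image"]):
            reasons.append("mojo-style named pipe created by a non-browser process")
    return reasons

def triage(events):
    # Keep only events that fired at least one rule: event index -> reasons.
    scored = ((i, score_event(ev)) for i, ev in enumerate(events))
    return {i: r for i, r in scored if r}

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["image"], "->", "; ".join(reasons))
```

The rules are deliberately weak on their own (regsvr32 registering a system DLL and Chrome's own mojo pipes are left alone); the value is in the combination of Office parent, user-writable path and .ocx module on one host within a short window.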
To conclude this brief overview: Quakbot continuously evolves and develops new skills to steal information, which can further lead to ransomware attacks. References to articles related to Quakbot follow.
Reference:
https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/ — Recent Qbot cyber attack
https://attack.mitre.org/software/S0650/
https://redcanary.com/threat-detection-report/threats/qbot/
https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/