Search This Blog

Showing posts with label Banking Trojan. Show all posts

Qakbot Malware is Targeting the Users Via Malicious Email Campaign


Qakbot, also known as QBot or Pinkslipbot, is a banking trojan that has been active since 2007. It has been primarily used by financially motivated actors, initially it was known as a banking Trojan and a loader using C2 servers for payload delivery; however, over time as the scope widened, its use also expanded beyond strictly being a banking trojan. 

Security researchers at Alien Labs have noticed a newly emerged campaign in which victims are targeted with malicious email lures that appear to be in response to, or modified versions of, legitimate business communications between two parties. 

The use of an existing legitimate email, aside from making the lure appear far more convincing to a recipient recognizing their own message and possibly the purported sender, is consistent with previously identified Qakbot behavior in which email accounts are compromised and message threads hijacked. This tactic effectively creates a 'snowball effect' in which more and more organizations can be targeted with lures derived from legitimate email messages obtained from previously compromised victims.

The malicious Office document, when opened, it poses as a DocuSign file – a popular software for signing digital documents. The malicious documents take advantage of Excel 4.0 macros (XML macros) stored in hidden sheets that download the QakBot 2nd stage payload from the Internet – malicious servers compromised by criminals. 

Before executing the main payload, the QakBot loader will first test the infected system to see if it is a good candidate for infection. The QakBot loader is responsible for checking its environment to include whether it is running on a Virtual Machine, identifying any installed and running security and monitoring tools such as Antivirus products or common security researcher tools. 

To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. The hallmarks of a QakBot infection chain consist of a phishing lure (T1566) delivered via email chain hijacking or spoofed emails that contain context-aware information such as shipping, work orders, urgent requests, invoices, claims, etc. The phishing emails alternate between file attachments (T1566.001) and links (T1566.002). QakBot is often used as a gateway entry, similar to TrickBot or Emotet, that leads to post-exploitation operations leveraging frameworks such as Cobalt Strike as well as delivering Ransomware.

QBot Malware Replaces IcedID in Malspam Campaigns


QBot malware is making a comeback replacing IcedID in Malspam campaigns. Security researchers have noticed that malware distributors are once again rotating the payload, switching between Trojans which is an intermediary stage in a long transition chain. In one case, Tango appears to be with QBot and IcedID, two banking Trojans that are often seen delivering various ransomware strains as the final payload in an attack.

In February, IcedID was a new malware coming from URLs that served QBot. Brad Duncan of Palo Alto Networks spotted the changes and noted in his analysis at the time: “HTTPS URL ends with /ds/2202.gif, generated by Excel macro, which would normally distribute cacobet, but today it delivered IcedID”. 

James Quinn, a threat researcher at Binary Defense also makes the same observation in a blog post in March, as the company unearthed a new IcedID/BokBot variant while tracking a malicious spam campaign from a QakBot distributor.

IcedID was first discovered as a banking trojan in 2017 and soon adjusted its functionality for malware delivery. It has been seen in the past distributing Ransom eXX, Labyrinth, and Aggregor Ransomware. After a gap of about a month and a half, the malware distributor switched the payload back to QBot (aka QakBot), which has been seen in the past delivering ProLock, Egregor, and DoppelPaymer ransomware. 

Malware Researcher and Reverse Engineer reecDeep was the one that noticed the specific switch on Monday, concluding the fact that campaign update relies on XLM macros. Analysis from both binary defense and Brad Duncan on the switch of a malware distributor to deliver IcedID in February 2021 has seen the same trick.

Recently, security researchers at the threatening intelligence firm Intel 471 published details about Ettersilent creating a malicious document, which shows its continued development and ability to bypass multiple security mechanisms (Windows Defender, AMSI, email services). 

A feature of the tool is that it can design malicious documents that look like DocuSign or DigiCert-protected files that require user interaction for decryption. According to Intel 471, many cybercriminal groups have started using Ettersilent services including IcedID, QakBot, Ursnif, and Trickbot.

Trickbot- A Banking Trojan Returns With Latest Phishing Campaigns and Attacks


Trickbot, a banking malware has resurged again with new phishing campaigns and attacks after the collaboration of cybersecurity and technology companies disrupted the Trickbot malware in October last year. Trickbot malware evolved into a highly favorable form of malware among threat actors after starting life as a banking trojan.

Trickbot is a banking malware that sends victims banking-related website pages that almost look identical to the original thing. Trickbot is a replication of older malware Dyre/Dyreza and is also dispersed via malicious spam including HTML attachments. These HTML files download a Word document posing as a login form, in reality, it is embedded with a malicious macro that restores Trickbot from the threat actors’ command and control (C&C) server when permitted.

Microsoft targeted the infamous Trickbot malware last year due to its ability to possess ransomware that could pose a threat to the websites that display election information or to third party software dealers that supply resources to election officials. Trickbot can steal information, keys, and credentials and give backdoor access for transporting other malware, including ransomware.

Threat actors are specifically targeting legal and insurance companies in North America and sending phishing emails to the potential targets and tricking them to click on a link that will transfer them to a server that downloads a malicious payload.

Vinay Pidathala, director of security research at Menlo Security stated that “where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment”.

UK’s National Cyber Security Centre (NCSC) issued the advisory that companies should patch the security vulnerabilities and should run on the latest versions of operating system and software.