Qbot, or Qakbot, is a banking trojan that has been seen in the wild for at least 10 years. Recent campaigns have been often delivered by exploit kits and weaponized documents delivered via context-aware phishing campaigns. Qbot has also been suspected of delivering MegaCortex ransomware. Many recent samples are observed to conduct worm-like behavior to spread across network shares or via SMB, and contain multiple levels of anti-analysis controls such as VM awareness and lengthy execution delays.
The TTPs for this particular sample discussed in this report are displayed within CB Defense as shown below.
Upon execution, the malware attempts to evade detection by overwriting itself with the legitimate Windows executable calc.exe using the following command:
Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > “<Path to malware executable>”
After performing multiple VM checks, the malware checks its file name against two hardcoded values, myapp.exe and self.exe, then sleeps for a randomized amount of time to delay execution. When it finally executes the malware creates a directory in the user’s roaming profile directory and copies itself to this directory with a randomized name such as the following:
c:\users\<user>\appdata\roaming\microsoft\xyupi\iizuk.exe The malware then injects into explorer.exe and creates both a scheduled task and registry entry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random> for persistence. Finally, it also modifies the following registry entries for Windows Defender to exclude its location from the scanner:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\<random> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
The sample analyzed also has the ability to spread across the network via SMB using credentials obtained from the infected host system as well as attempting brute-force logins using a list of common passwords hardcoded in the binary. As a banking trojan, some samples of Qbot also possess the ability to inject into web pages on the infected system to collect credential information from targeted websites.
The CB Defense process diagram below shows the initial process activity.
TID | Tactic | Description
T1053 | Execution | Scheduled Task
T1064 | Execution | Scripting
T1053 | Persistence | Scheduled Task
T1060 | Persistence | Registry Run Keys
T1112 | Defense Evasion | Modify Registry
T1055 | Defense Evasion | Process Injection
T1045 | Defense Evasion | Software Packing
T1497 | Defense Evasion | Virtualization/Sandbox Evasion
T1089 | Defense Evasion | Disabling Security Tools
T1497 | Discovery | Virtualization/Sandbox Evasion
T1124 | Discovery | System Time Discovery
T1057 | Discovery | Process Discovery
T1110 | Credential Access | Brute Force
T1187 | Credential Access | Forced Authentication
T1135 | Lateral Movement | Network Share Discovery
Indicator | Type | Context
bd582c5310d7eddc8adb4649b7223f877802f78d71044b24b3225f7a7e321c9e | SHA256 | Qbot sample
37c27f69e643203587064068088ca2b8c1f8bc508612e2fd2f6ed6fd3e300ee5 | SHA256 | Qbot sample
6d0f5953b6a2234e00e720b297cdfa12a4d9074a92b85e9e5c508938b5907a0a | SHA256 | Qbot sample
68b9de2981e3d74fbc83b3e26a45eda5611fd1791362d775e12b6db5f1f5f646 | SHA256 | Qbot sample
The post CB TAU Threat Intelligence Notification: Qbot/Qakbot Attempts to Evade Detection By Overwriting Itself appeared first on Carbon Black.