Indiscriminate, opportunistic targeting.
Severity level: High – Successful exploitation can result in loss of sensitive data and post-exploitation targeting.
QBot is reportedly exploiting a known Windows zero-day vulnerability to deploy malware without triggering Mark of the Web (MotW) security warnings.
MotW triggers on a user’s system, alerting the user when a file from an untrusted location, such as an email attachment, is queued for download. The alert prompts the user to confirm whether they want to proceed with the potentially suspicious download, and is a normal part of most download processes.
The zero-day currently being exploited by QBot targets a weakness in MotW: victims are sent password-protected ZIP files via malicious phishing emails, and the ZIP files contain JavaScript (JS) files. These JS files are signed with malformed signatures to bypass the MotW check, so the malicious download proceeds without alerting the user.
QBot, also known as Qakbot, is a malware-dropping banking trojan that targets Windows systems. QBot achieves its objectives by remaining hidden in the background and harvesting emails from the compromised system for use in future attacks.
Additionally, QBot drops further post-exploitation payloads such as Brute Ratel C4, Cobalt Strike and Sliver. Compromise by any one of these will likely result in further exploitation by ransomware. In June 2022 several instances of Black Basta were spread in this way.
Compromise by QBot will highly likely result in the loss of sensitive email data that can be used to target the business again in the future. Additional post-exploitation malware, such as Cobalt Strike, Brute Ratel C4 and Sliver, may also be spread to the victim system. Furthermore, if not stopped, this additional malware may result in compromise by ransomware and the associated financial complications.
A comprehensive Endpoint Detection and Response (EDR) solution such as Microsoft Defender can provide effective protection against malware threats such as QBot. EDRs can alert system users of potential breaches and stop the malware process during early signs of an attack attempt, therefore limiting damage.
Phishing emails associated with this attack campaign are reported to look relatively basic in design and contain a password-protected ZIP file with the password displayed beneath the file.
Once a system has been exposed to the malware, the QBot DLL will be injected into a legitimate Windows process to avoid detection.
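The delivery mechanism described above (a password-protected ZIP carrying a JS file, with the password given in the email body) is something a mail gateway can still flag without knowing the password, because ZIP encryption protects file contents but leaves file names and the "encrypted" flag readable in the central directory. The following Python is an added example written for this page, not code from the original advisory or from any vendor product: it constructs sample attachments in memory (the archive, file names and contents are constructed, not real QBot artefacts), flips the ZIP encryption flag to imitate a password-protected archive, and scans the central directory only. The extension list is an assumption; only .js is named on the page.

```python
import io
import os
import struct
import zipfile

# Script extensions a gateway would treat as suspicious inside an encrypted ZIP.
# Only .js is named on the page; the others are an assumed, defender-chosen extension.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta"}


def _mark_encrypted(raw: bytearray) -> None:
    """Set bit 0 ("encrypted") of the general-purpose flag in every local file
    header and central-directory header.  To a scanner that only reads the
    directory this is indistinguishable from a real password-protected archive."""
    # End-of-central-directory record (no archive comment): last 22 bytes.
    eocd = struct.unpack_from("<IHHHHIIH", raw, len(raw) - 22)
    assert eocd[0] == 0x06054B50, "EOCD record not found"
    entries, cd_offset = eocd[4], eocd[6]
    pos = cd_offset
    for _ in range(entries):
        assert struct.unpack_from("<I", raw, pos)[0] == 0x02014B50, "bad CD header"
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        local_offset = struct.unpack_from("<I", raw, pos + 42)[0]
        raw[pos + 8] |= 0x01            # flag field of the central-directory header
        raw[local_offset + 6] |= 0x01   # flag field of the matching local file header
        pos += 46 + name_len + extra_len + comment_len


def build_sample_zip(entries, password_protected: bool) -> bytes:
    """Build a constructed sample attachment from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if password_protected:
        _mark_encrypted(raw)
    return bytes(raw)


def scan_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment using only its central directory.

    No password is needed: member names and the per-entry encryption flag are
    stored in clear even in password-protected archives, which is exactly what
    lets a gateway spot "encrypted archive containing a script file"."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"encrypted": False, "script_files": [], "verdict": "not_zip"}

    encrypted = any(zi.flag_bits & 0x01 for zi in infos)
    script_files = sorted(
        zi.filename for zi in infos
        if os.path.splitext(zi.filename)[1].lower() in SCRIPT_EXTENSIONS
    )
    verdict = "quarantine" if (encrypted and script_files) else "allow"
    return {"encrypted": encrypted, "script_files": script_files, "verdict": verdict}


if __name__ == "__main__":
    # Constructed lure: an encrypted ZIP holding a JS file, as the campaign uses.
    lure = build_sample_zip([("Invoice_2411.js", b"WScript.Echo('constructed');")], True)
    print(scan_zip_attachment(lure))
    # Constructed benign attachment: unencrypted PDF.
    benign = build_sample_zip([("report.pdf", b"%PDF-1.4 constructed")], False)
    print(scan_zip_attachment(benign))
```

The verdict deliberately requires both conditions: an unencrypted ZIP with a JS file is already visible to ordinary content scanning, and an encrypted ZIP of documents is a common business case, but the combination of encryption plus a script file matches the lure this campaign relies on. Because this check never decrypts anything, it is safe to run on every inbound attachment and its result can be logged alongside the EDR telemetry recommended below.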
Containment, Mitigations & Remediations
It is recommended that employees receive training on how to spot the signs of phishing emails. Phishing is a main method of initial compromise, so some in-house training will go far to reduce the effectiveness of future campaigns.
As stated above, a main method of reducing the threat of QBot is to detect it in the early stages using an effective and monitored EDR solution. An effective EDR will increase detection of QBot compromise attempts and halt the malware’s progress if detected.
Indicators of Compromise
QBot associated hashes:
QBot associated IPs (obfuscated for customer safety):
QBot associated Domains (obfuscated for customer safety):
QBot has been used in multiple attacks in the past. Due to the discovery and accessibility of this specific vulnerability, it is highly likely that this style of attack will increase until Microsoft releases an official patch to address the threat.
QBot is used by multiple threat actors.
T1021.001 – Remote desktop protocol
T1027 – Obfuscated files or information
T1053.005 – Scheduled task
T1055.001 – Dynamic-link library injection
T1059.001 – PowerShell
T1068 – Exploitation for privilege escalation
T1190 – Exploit public-facing application
T1204.002 – User execution: Malicious file
T1218.010 – System binary proxy execution: Regsvr32
T1221 – Template injection
T1486 – Data encrypted for impact
T1566.001 – Phishing: Spearphishing attachment
T1566.002 – Phishing: Spearphishing link
T1574.002 – Hijack execution flow: DLL side-loading
T1616 – Call control