QBot phishing attacks exploit Windows zero-day

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: High – Successful exploitation can result in loss of sensitive data and post-exploitation targeting.

QBot is reportedly exploiting a known Windows zero-day vulnerability to deploy malware without triggering Mark of the Web (MotW) security warnings.
MotW triggers on a user’s system, alerting the user when data from an untrusted location, such as an email attachment, is queued for download. The alert asks the user whether they would like to proceed with the potentially suspicious download and is normal for most download processes.

The zero-day currently being exploited by QBot targets a weakness in MotW: victims are sent password-protected ZIP files via malicious phishing emails, and the archives contain JavaScript (JS) files. These files are signed with malformed signatures to trick and bypass the MotW process, so the malicious download proceeds without alerting the user.

QBot, also known as Qakbot, is a malware-dropping banking trojan that targets Windows systems. QBot achieves its objectives by remaining hidden in the background and harvesting emails from the compromised system for use in future attacks.

Additionally, QBot drops further post-exploitation payloads such as Brute Ratel C4, Cobalt Strike and Sliver. Compromise by any one of these will likely result in further exploitation by ransomware. In June 2022 several instances of Black Basta were spread in this way.

Impact

Compromise by QBot will highly likely result in the loss of sensitive email data that can be used to target the business again in the future. Additional post-exploitation malware, such as Cobalt Strike, Brute Ratel C4 and Sliver, may also be spread to the victim system. Furthermore, if not stopped, this additional malware may result in compromise by further ransomware and the associated financial complications.

Vulnerability Detection

A comprehensive Endpoint Detection and Response (EDR) solution such as Microsoft Defender can provide effective protection against malware threats such as QBot. EDRs can alert system users to potential breaches and stop the malware process at the first signs of an attack attempt, thereby limiting damage.

Phishing emails associated with this attack campaign are reported to look relatively basic in design and contain a password-protected ZIP file with the password displayed beneath the file.
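The delivery chain described above (a password-protected ZIP carrying JS files) leaves a signal a mail gateway can act on without the password: with classic ZIP encryption the entry names in the central directory stay in the clear, so the archive can be flagged even though its payload cannot be scanned. The following triage helper is an added example, not code from the bulletin or from any vendor; the extension list, verdict names and the sample archive it builds are assumptions for illustration.

```python
"""Triage a ZIP attachment by its central directory only, without extracting anything.

Added example (not part of the bulletin). Flags archives that are
password-protected and carry script files, matching the delivery pattern the
bulletin describes (password-protected ZIP containing JS files).
"""
import io
import struct
import zipfile

# Extensions that Windows Script Host or the shell execute directly (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk"}

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0 of a ZIP entry = encrypted


def triage_zip(data: bytes) -> dict:
    """Return a verdict for raw ZIP bytes: block, review, allow or malformed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "malformed", "encrypted": False, "script_files": []}

    encrypted = False
    script_files = []
    for info in zf.infolist():
        if info.flag_bits & ENCRYPTED_FLAG:
            encrypted = True
        name = info.filename.lower()
        # Check the last extension so double extensions like 'invoice.pdf.js' are caught.
        if "." in name and name[name.rfind("."):] in SCRIPT_EXTENSIONS:
            script_files.append(info.filename)

    if encrypted and script_files:
        verdict = "block"        # the bulletin's pattern: encrypted archive + script file
    elif encrypted or script_files:
        verdict = "review"       # one signal only: hold for analyst review
    else:
        verdict = "allow"
    return {"verdict": verdict, "encrypted": encrypted, "script_files": script_files}


def build_sample_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Construct a one-entry ZIP for testing (constructed sample, not a real attachment).

    Python's zipfile cannot write encrypted archives, so the encryption flag bit is
    patched into the local file header (flags at offset 6) and the central-directory
    record (flags at offset 8) afterwards. The stored data is left unchanged; only
    the flag matters for this check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        local = raw.find(b"PK\x03\x04")
        raw[local + 6:local + 8] = struct.pack("<H", ENCRYPTED_FLAG)
        central = raw.find(b"PK\x01\x02")
        raw[central + 8:central + 10] = struct.pack("<H", ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "encrypted zip with JS": build_sample_zip("Invoice_2022.js", b"var x = 1;", True),
        "plain zip with PDF": build_sample_zip("report.pdf", b"%PDF-1.4", False),
        "encrypted zip, no script": build_sample_zip("notes.txt", b"hello", True),
    }
    for label, blob in samples.items():
        print(f"{label}: {triage_zip(blob)}")
```

The verdict logic is deliberately coarse: a password-protected archive with a script entry is the exact shape of this campaign, so it is blocked outright, while either signal on its own is held for review rather than silently dropped.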

Once a system has been exposed to the malware, the QBot DLL will be injected into a legitimate Windows process to avoid detection.

Affected Products

Windows OS

Containment, Mitigations & Remediations

It is recommended that employees receive training on how to spot the signs of phishing emails. Phishing is a main method of initial compromise, so some in-house training will go a long way towards reducing the effectiveness of future campaigns.

As stated above, a main method of reducing the threat of QBot is to detect it in the early stages using an effective and monitored EDR solution. An effective EDR will increase detection of QBot compromise attempts and halt the malware’s progress once detected.

Indicators of Compromise

QBot associated hashes:

QBot associated IPs (obfuscated for customer safety):
85.31.44[.]164
185.177.57[.]104
209.141.40[.]234
45.95.55[.]51
46.23.109[.]212
79.110.62[.]20
91.151.89[.]220
20.25.153[.]134
45.201.189[.]9
115.59.165[.]200
123.11.13[.]150
100.38.242[.]113
109.136.174[.]200
117.248.109[.]38
174.112.25[.]29
182.191.92[.]203
187.199.224[.]16
196.203.37[.]215
208.107.221[.]224
24.178.196[.]158
41.228.22[.]180
45.248.169[.]101
47.23.89[.]60
63.143.92[.]99
63.248.148[.]87
75.84.234[.]68
92.149.205[.]238
99.232.140[.]205
186.154.189[.]162
186.188.80[.]134
24.206.27[.]39

QBot associated domains and URLs (obfuscated for customer safety):
briptravel[.]com
masazebogdan[.]rs
hXXp://briptravel[.]com/pun/vXy/Oge/oPF/S0xIDiU[.]zXp
hXXp://masazebogdan[.]rs/pun/oso/Kyb/MGR/NBL7sd5[.]zXp
hXXps://baldocortez[.]adv.br/pun/5fk/fxI/Zqt/xAXJI6q[.]zXp
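The indicators above are published defanged (`[.]` for dots, `hXXp` for the scheme), so they need refanging before they can be compared against proxy or DNS logs. The script below is an added example, not part of the bulletin: it parses a copy of the IoC block in the format used above, refangs it, and scans a few constructed proxy log lines for destination IPs and hosts that match. The log format and the log lines are assumptions; the indicators themselves are taken from the list above. Matching on hosts is done on label boundaries, so a look-alike such as `masazebogdan.rs.example.net` is not reported. The URL paths are left as published (their extensions are also obfuscated), and only the URL host is used for matching.

```python
"""Refang the bulletin's IoCs and match them against proxy log lines.

Added example (not part of the bulletin). The IoC block below is copied from
the list above; the log lines are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Subset of the bulletin's IoC list, defanged exactly as published above.
BULLETIN_IOCS = """
QBot associated IPs (obfuscated for customer safety):
85.31.44[.]164
185.177.57[.]104
209.141.40[.]234

QBot associated domains and URLs (obfuscated for customer safety):
briptravel[.]com
masazebogdan[.]rs
hXXp://briptravel[.]com/pun/vXy/Oge/oPF/S0xIDiU[.]zXp
hXXps://baldocortez[.]adv.br/pun/5fk/fxI/Zqt/xAXJI6q[.]zXp
"""

# Constructed proxy log lines (key=value format assumed for this example).
PROXY_LOG = [
    "2022-11-21T09:12:03Z src=10.1.2.34 dst=85.31.44.164 host=- method=CONNECT status=200",
    "2022-11-21T09:12:44Z src=10.1.2.34 dst=104.18.2.5 host=cdn.example.com method=GET status=200",
    "2022-11-21T09:13:10Z src=10.1.2.57 dst=198.51.100.7 host=www.briptravel.com method=GET status=200",
    "2022-11-21T09:14:02Z src=10.1.2.57 dst=192.0.2.10 host=masazebogdan.rs.example.net method=GET status=200",
]

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the bulletin ([.] and hXXp)."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a bulletin-style IoC block into IPs, domains and URLs (refanged)."""
    iocs: Dict[str, Set[str]] = {"ips": set(), "domains": set(), "urls": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue  # blank line or a section heading
        value = refang(line)
        if "://" in value:
            iocs["urls"].add(value)
            host = urlsplit(value).hostname
            if host:
                iocs["domains"].add(host.lower())  # the host is the reliable part
            continue
        try:
            iocs["ips"].add(str(ipaddress.ip_address(value)))
        except ValueError:
            iocs["domains"].add(value.lower())
    return iocs


def host_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (line, indicator_type, indicator) for every log line hitting an IoC."""
    hits = []
    for line in lines:
        fields = dict(KEY_VALUE.findall(line))
        dst = fields.get("dst", "")
        host = fields.get("host", "")
        if dst in iocs["ips"]:
            hits.append((line, "ip", dst))
            continue
        matched = host_matches(host, iocs["domains"]) if host and host != "-" else None
        if matched:
            hits.append((line, "domain", matched))
    return hits


if __name__ == "__main__":
    for line, kind, indicator in scan_logs(PROXY_LOG, parse_iocs(BULLETIN_IOCS)):
        print(f"HIT [{kind}={indicator}] {line}")
```

A direct-to-IP CONNECT with no host header (first line) is caught by the IP list, and a subdomain of a listed domain (third line) is caught by the suffix walk; the near-miss in the fourth line is ignored because no suffix of it, taken at a label boundary, is on the list.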

Threat Landscape

QBot has been used in multiple attacks in the past. Due to the discovery and accessibility of this specific vulnerability, it is highly likely that this style of attack will increase until Microsoft releases an official patch to address the threat.

Threat Group

QBot is used by multiple threat actors.

Mitre Methodologies

T1021.001 – Remote desktop protocol
T1027 – Obfuscated files or information
T1053.005 – Scheduled task
T1055.001 – Dynamic-link library injection
T1059.001 – PowerShell
T1068 – Exploitation for privilege escalation
T1190 – Exploit public-facing application
T1204.002 – User execution: Malicious file
T1218.010 – System binary proxy execution: Regsvr32
T1221 – Template injection
T1486 – Data encrypted for impact
T1566.001 – Phishing: Spearphishing attachment
T1566.002 – Phishing: Spearphishing link
T1574.002 – Hijack execution flow: DLL side-loading
T1616 – Call control

Further Information

Github – QBot
News article – Bleeping Computer QBot