Rewterz Threat Alert – Qakbot (Qbot) Maldoc Campaign – IoCs

Severity

Medium

Analysis Summary

A large maldoc campaign delivering the QakBot (QBot) banking trojan was observed starting earlier this month. QakBot uses several techniques to evade detection and to slow manual analysis. QakBot attacks typically begin with a malicious attachment to a phishing email, often a bare Microsoft Word document. In this campaign the attachment is a ZIP archive, and inside it is a Word document carrying macros. The macros run a PowerShell script that downloads the QakBot payload from the URLs listed below. The campaign introduces two new evasion techniques: the Word document is zipped so that it passes content disarm and reconstruction (CDR) technology unprocessed, and the Visual Basic code is launched through Explorer rather than directly from Word, so detections keyed on the usual parent-child process pattern (an Office process spawning a script host) do not fire. The lure is the common one: when the target opens the document it is asked to "Enable Editing" and then "Enable Content" in order to view it, which allows the macros to run.
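The Explorer-launch trick described above breaks the classic "Word spawns PowerShell" process-tree rule. The following is an added example (not code from the advisory or from Rewterz) showing both that rule and a compensating correlation: a script host started by explorer.exe shortly after an Office application opened a document from a Temp or ZIP path. The Sysmon-style events, paths and the 60-second window are constructed assumptions for illustration.

```python
"""Process-chain detection for the macro -> PowerShell stage of the campaign.

Constructed Sysmon-style process-creation events, not real telemetry.
Event tuple: (timestamp, image, parent_image, command_line)
"""
from datetime import datetime
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    ("2020-08-20T09:00:01",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\explorer.exe",
     r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.doc"'),
    # PowerShell started by Explorer, not by Word: the bypass described above.
    ("2020-08-20T09:00:07",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\explorer.exe",
     r"powershell.exe -w hidden -ep bypass -c ..."),
    # Benign admin PowerShell half an hour later, outside the window.
    ("2020-08-20T09:30:00",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\explorer.exe",
     r"powershell.exe -File C:\Scripts\backup.ps1"),
    # Classic maldoc chain: Word is the direct parent of PowerShell.
    ("2020-08-20T10:00:00",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"powershell.exe -enc AAAA"),
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _opened_from_archive_or_temp(cmdline: str) -> bool:
    """Heuristic: document path lives under a Temp folder or inside a .zip."""
    c = cmdline.lower()
    return "\\temp\\" in c or ".zip\\" in c


def detect(events, window_seconds: int = 60):
    """Return (rule_name, timestamp) alerts in time order.

    office_spawns_shell           - script host whose parent is an Office app
    shell_after_archived_document - script host started by explorer.exe within
                                    window_seconds of Office opening a document
                                    from Temp/ZIP (the Explorer-launch bypass)
    """
    alerts = []
    office_opens = []  # timestamps of Office opening a Temp/ZIP document
    for ts_str, image, parent, cmdline in sorted(events, key=lambda e: e[0]):
        ts = _ts(ts_str)
        img, par = _base(image), _base(parent)
        if img in OFFICE_APPS and _opened_from_archive_or_temp(cmdline):
            office_opens.append(ts)
        if img in SHELLS:
            if par in OFFICE_APPS:
                alerts.append(("office_spawns_shell", ts_str))
            elif par == "explorer.exe" and any(
                0 <= (ts - t).total_seconds() <= window_seconds for t in office_opens
            ):
                alerts.append(("shell_after_archived_document", ts_str))
    return alerts


if __name__ == "__main__":
    for rule, when in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule}")
```

The second rule is a correlation rather than a direct lineage check, so it is lower confidence (a user who manually opens PowerShell right after reading an attachment will also trip it); that loss of precision is exactly what the Explorer-launch bypass costs defenders, and is why such hits should be triaged together with the proxy indicators below.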


Impact

  • Security Bypass
  • Code Execution
  • Financial Theft

Indicators of Compromise

Domain Name

  • craniotylla[.]ch
  • studiomascellaro[.]it
  • optovik[.]store
  • atsepetine[.]com
  • maplewoodstore[.]com
  • akersblog[.]top
  • ankaramekanlari[.]net
  • all-instal[.]eu
  • marineworks[.]eu
  • quoraforum[.]com
  • nashsbornik[.]com
  • nanfeiqiaowang[.]com
  • quickinsolutions[.]com
  • akindustrieschair[.]com
  • bronco[.]is

Hostname

  • forum[.]insteon[.]com
  • store[.]anniebags[.]com

SHA1

  • 147101a88cc1fe91bac9161425986a1c1e15bc16
  • 2bd118bb81b709b1013d7ffd8789f05d4e1f734f
  • e36af99c29a474f82cd57f2736b9d1b5ecadfdfd
  • 8253ed3b08ab8996d471af5d25a7223d8c259f45
  • 791179b20d936cf76d885d1949d4a50a295b4918
  • 78f498003afb55d18207ab7bb22170c6c8c7ef98
  • be852364d22d508f8ef601bb3bc9eac6bd98713b
  • 952917654b5c0328a31c3bbd8c7bf7a70a4a82e7
  • 39d29aa254c55a5222ea0ec63dc22da67e3b483d
  • 58b023e339a9557adbdbf0de63c0584500438b9b
  • e7480e6adb6af1c992bc91605e4bba682d76c43d
  • d772f78169d9ba175d22c8ecf1a0c3f0328ff6eb
  • 295e604af22f8ced8fe5349765d345507fd3c079
  • b841a34ec95bd1c3d1afe6d578aadef9439f3c38

URL

  • http[:]//marineworks[.]eu/dwaunrsamlbq/111111[.]png
  • http[:]//forum[.]insteon[.]com/suowb/111111[.]png
  • http[:]//all-instal[.]eu/mgpui/555555[.]png
  • http[:]//duvarsaatcisi[.]com/gbmac/555555[.]png
  • http[:]//store[.]anniebags[.]com/qyvbyjaiu/555555[.]png
  • http[:]//bronco[.]is/pdniovzkgwwt/111111[.]png
  • http[:]//ankaramekanlari[.]net/vmnzwr/555555[.]png
  • http[:]//optovik[.]store/bkatah/555555[.]png
  • http[:]//quoraforum[.]com/btmlxjxmyxb/111111[.]png
  • http[:]//akersblog[.]top/kipql/555555[.]png
  • http[:]//maplewoodstore[.]com/rmwclxnbeput/555555[.]png
  • http[:]//quickinsolutions[.]com/wfqggeott/111111[.]png
  • http[:]//akindustrieschair[.]com/smuvtnrgvmd/55555[.]png
  • http[:]//rijschoolfastandserious[.]nl/rprmloaw/111111[.]png
  • http[:]//nashsbornik[.]com/rqzvoxtjyhw/555555[.]png
  • http[:]//craniotylla[.]ch/vzufnt/111111[.]png
  • http[:]//studiomascellaro[.]it/wnzzsbzbd/111111[.]png
  • http[:]//atsepetine[.]com/evuyrurweyib/555555[.]png
  • http[:]//nanfeiqiaowang[.]com/tsxwe/111111[.]png

Remediation

  • Block the threat indicators at their respective controls: the domains, hostnames and URLs at the web proxy and DNS layer, and the SHA1 hashes at the endpoint.
  • Do not download email attachments from untrusted email addresses, including ZIP archives that wrap an Office document.
  • Do not enable editing or content (macros) for untrusted files.
  • Do not rely solely on the Office-parent / PowerShell-child process relationship for detection, since this campaign launches its script through Explorer.
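To put the indicator list to work against proxy telemetry, the following added example (not code from the advisory) refangs a subset of the indicators above, matches requested URLs against the exact URL list, the domain list (including subdomains) and the shared download-path shape seen in every listed URL (a short lowercase directory followed by 111111.png or 555555.png), and checks file hashes against the SHA1 list. The log format and log lines are constructed for illustration.

```python
"""Match proxy log lines and file hashes against the QakBot IoCs above."""
import re
from urllib.parse import urlparse

# Indicators copied from the advisory, still defanged (subset of the full list).
DEFANGED_DOMAINS = [
    "craniotylla[.]ch", "marineworks[.]eu", "bronco[.]is",
    "forum[.]insteon[.]com", "store[.]anniebags[.]com",
]
DEFANGED_URLS = [
    "http[:]//marineworks[.]eu/dwaunrsamlbq/111111[.]png",
    "http[:]//bronco[.]is/pdniovzkgwwt/111111[.]png",
    "http[:]//store[.]anniebags[.]com/qyvbyjaiu/555555[.]png",
]
SHA1_HASHES = {
    "147101a88cc1fe91bac9161425986a1c1e15bc16",
    "2bd118bb81b709b1013d7ffd8789f05d4e1f734f",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the literal value seen on the wire."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
URLS = {refang(u).lower() for u in DEFANGED_URLS}

# Every listed download URL looks like /<lowercase dir>/111111.png or /555555.png
# (one entry uses 55555). This generalises the list to hosts not yet known,
# at the cost of lower confidence than an exact indicator match.
PAYLOAD_PATH = re.compile(r"^/[a-z]{4,13}/(?:1{6}|5{5,6})\.png$")


def host_matches(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def classify_url(url: str) -> list:
    """Return the reasons a requested URL is suspicious (empty list = clean)."""
    reasons = []
    parsed = urlparse(url)
    if url.lower() in URLS:
        reasons.append("url_ioc")
    if parsed.hostname and host_matches(parsed.hostname):
        reasons.append("domain_ioc")
    if PAYLOAD_PATH.match(parsed.path):
        reasons.append("payload_pattern")
    return reasons


def scan_proxy_log(lines) -> list:
    """Each line: '<ts> <client> <method> <url> <status>' (constructed format).

    Returns (ts, client, url, reasons) for every line with at least one hit.
    """
    hits = []
    for line in lines:
        ts, client, _method, url, _status = line.split()
        reasons = classify_url(url)
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits


def is_known_sample(sha1_hex: str) -> bool:
    """Case-insensitive lookup against the advisory's SHA1 list."""
    return sha1_hex.strip().lower() in SHA1_HASHES


# Constructed proxy log lines, not real traffic.
SAMPLE_LOG = [
    "2020-08-19T10:02:11 10.0.0.21 GET http://marineworks.eu/dwaunrsamlbq/111111.png 200",
    "2020-08-19T10:05:40 10.0.0.33 GET http://example.com/static/logo.png 200",
    "2020-08-19T10:07:02 10.0.0.21 GET http://bronco.is/pdniovzkgwwt/111111.png 200",
    "2020-08-19T10:09:15 10.0.0.45 GET http://newhost.example/abcdefg/555555.png 200",
    "2020-08-19T10:11:00 10.0.0.12 GET https://www.craniotylla.ch/ 200",
]

if __name__ == "__main__":
    for ts, client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(ts, client, url, ",".join(reasons))
```

A hit carrying only payload_pattern (the newhost.example line) is a hunting lead rather than a confirmed indicator; a hit carrying url_ioc or domain_ioc should be blocked and the client host checked for the SHA1-listed samples.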