Rewterz Threat Alert – Qakbot (Qbot) Active Campaign

Rewterz Threat Alert – Windows 7 ‘Upgrade’ Emails Steal Outlook Credentials

September 30, 2020

Rewterz Threat Alert – Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East

October 1, 2020

Rewterz Threat Alert – Qakbot (Qbot) Active Campaign – IoCs

Severity

Medium

Analysis Summary

A massive maldoc campaign delivering the QakBot/QBot banking trojan is detected. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word or excel documents attached to the spam email. This particular campaign features an xls file that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. The attackers use a common tactic to lure the victim to enable macros: when the target downloads the file, it asks the target to enable editing and then enable content in order to view the document.

Impact

Unauthorized Code Execution
Financial Theft
Information theft

Indicators of Compromise

Domain Name

mahathi2[.]ondemandcreative[.]com
foundation[.]shanto-mariamfoundation[.]org
staging[.]stikbot[.]toys
ideskonline[.]com
condochicks[.]com
pramars[.]xyz
matterandhome[.]com
exploshot[.]com

MD5

655efdbff591c09da5cbf14d745b698e
a1b02af212a61f9d722f1da26b8cea46
ce2dc5dc3b0c340d32e1c318407eb382
41e5e579501f68408a03f942367afaea
ca06e01ffb4c9a6d0868e958b2a29858
42da7e8dbd48c24b8da485fd64a9450d
7fd9425c48c4303e6ef26095b97d4894
e7310bf41edb90e20104eb239d771a58
5c102de95e323ec2665c9a2a18c8b720
6540b1c0442d0cc0613e052559220f15
604290512477c1fc5fbd74ae1b52a907
f564011c2aaf582fc5e7e9c95d5b6b44
7766f6b4350d804402382756f4aaf0cd
e54d723c20a307755cfdfaf182d1958b
26858617878471e93b85b7b1d493bb49
cade7da497b31ed3a0e3351684ce01e9
a6d8ec0ba1e5fc696ceba867f2ea1a6f
186a428695145948173106cc21b1055a
ecaca7e7b5b9603abc76a5c04eb5c9f2
78be13d43095b04ee92492d305dab5b1
aa7fbd05a1fe5d4a0c68e0f24ca55cb2
672d5182cf44bf90e72853dd70158da8
a5192ac90a6dcecae309065f480059e2
9c3c80b8aee5e2e360550ae54f572dd7
8806c925f3fa2d03249dea96f332acaf
4adeaae18cdfe9956f8ffae84c141389
6caef751e74e5f2295ebfb62a37e2726
655efdbff591c09da5cbf14d745b698e
c1e2cc6b1d3c35c640ab25646644f720
8cc39e2d1e3664dc70f7608b488c86c8
bde40d1aef9f06ea49a4ae9790876f07
3ee269ba6e84cdeba1ff9e053c586d51
537e59de0aabba91499e323b738ce7ba
01264f378629ee108736d8d641dddfbf
16e99c690b644e9e81d0b089dd006b50
8deca6164023a3be2797605c59e66260
b802461f2e61451ddf088be420ddea50
3492b9653005b0882e40a8528720d822
ae7e33d2e81c9550729698f84a9c45e6
254d84dfb21a429011b62739252ab40b
9c554028997b72a925338f66cc1b73b9
61a63072c09195c7fb516f2a52195fd1
f3f2f0efe5214f2feafc11eb9626c898
d91023950ba37d19b2668deefae370d0
1229a7ca9e16bbdc6b60a3654d85530f

SHA-256

9439095348654b59f46d31daef0765884e282205d96e63df8f462675b0b04d79
f2fb9e8d57be17edac4b1e71cb6b0eb553b77d97c1121dbfbed52a5df4ccc53e
2582f28c02b7aa7f23c3769e21292a5ea40249694acac347b9d3bf1462352a5a
b482fdc10e853fa08aca9304d2d3e2b8ef84541fecafb02a48a799f9d4cd9d36
6d4ea2569fa09f6d9d64286668f41742029536b00f29dd8916f5043e4572a7c6
fb06ebc9ddde4c52a9264c9097529658d80d280d2cc19fc7ed8c9f6a0bd69bb8
0d14c1121400b163843ee8b1904bd4b065151540e54f171b3fe7a0a35198d749
701b36a63fa76c353d4e6425af52dc5e3872d44813c447ded8f6ea58a2f877fb
e3bb14251e5117e697d995db97ecc456c4dbdaf4f4e6187bbb33929135a362ab
8f4481d551b6a29a1db38421b9b3d5f869f44cb0d5a6288d14118870b710438f
d4686f63adae1aa98f978db75adccc91e3eb30b2e3bb2d54f5ef1bec51f7fee4
83016b48397789f5215cffc5c1cc223846736ce2d795fb14bc1f3f7b87af0fa1
664f4ab87eca073fe888f387f5a52f4f16c4283bd11505141dcd4a2b3f64c535
a066c127cb82adb3964d27dd7525e64934ea57f802a6c1bb2d8cc7e056b7b180
85a1db0ffba3fc8b753002fac199d790b430892ca3165b5b906faa870e3f55b3
5f26a176bf32ae9899089afc111edc42e175ec391e1f59c3f4340efda96174b7
ce4c65f246e06beab38b74be1e7fbff936f74b37559525f41a60471658cdf6c4
04a6ee2063d0b4a6de76579d270fd58315208fab6cb1d1c6deeca3fab4f718e4
6e8d0c4d192be8126d023e06e646683a9d754cdf2018ba0c79785530e2fec6c5
ec4ea1d549b7402deb97b29a5b3326d44993a9c5adee63ff4975819c6ccd6b9a
d705b4cfd6e8b2c77fc358d1b5ff2cf34e26876743a69b38015a4484c73fad45
2f9dd14eb2884a06aa2d0d8f071d5b49460a2b0c790dbf19994e281d2ea9d6b2
5d538baadbd8a22f4d697c4598725f45a2fb032fa70891d8d03be4de905fe732
489f54798c12257c22af3b8107322df50ecd7c0540397e3df557c270f40e3028
cd8ad573fb6bee6e44a08c5b9bc6cbb3669153fc613043a12b6bbaaa7bb311e7
24a766d198d5d3947b96bc736bdf89470477071bf2faf4e9b26ad5c92c407f4b
1eb9920cccf0fff726a8ebd7344e1865cfffe3c99266b875d66cc2925a60a92a
9439095348654b59f46d31daef0765884e282205d96e63df8f462675b0b04d79
2e1004bead368d06e82fa6bddb98ec4a0d5d2bf190e547e02ba629aba2e7735d
8e0bef38e9fc4deffca816af591c114adb40149f308ca118f2d948e1a5ef4f25
cc520b6370f031e04970b527d7fcb85692e6882e2548787cb39281c0dc7cee47
805b5c0354456cd90e1ff4aed2efc1f3e760216fb990e14685ffacbd24ad4edd
a311635084a2cf59ca51527cf308ab352ae75ca35c673062855882d11e6b95f1
7e6d0713f152941a1c09c46d02f1a7692f0654e675eccf54203fb38167b8a194
7a36691e0d6e2c9fadfd858c43bdb69b92e902830244526682e27098933633d7
a05f104379b362a6a86170297749659c02d78c776a94e5cdb81e235203a4abf9
a90d64ff62e514acf92101034dde3f8e9a92a767efc34be2b5678380384daa21
f355eb0f2f613886df3bf7268f80f7690f4f7a3eaec043ac8732748b496168fd
10431ebb8514257c75e00e1d428e018a39e67c0c34dfbc0b320bd2bacef33f3a
bd8152527444a50f31db7697100fb97a5d44e40288275f293947b13259ca7b81
977e4c0822bcae6d4ca37c8ea1f2dd5347d02f6a09309a26316417a92a1db894
209899f6aee8d225c836bfec12336cdc14a31d5ae833b042203ac1cb1d863937
e7892204068276a9339655dd252f3f1cb5819fe939bec6124193017b1d36ce9d
75f3b48f942eca9006473b9581943181ab8b320c5991160b4c6882112f30b1bf
11bc50af49acfd081f56f7b0702e1793cad368b49574aa93d3ad39668109a9a9
d7e679017bae3d7ab05e80e406bb6ff06a3e46ba3078d007ae70065ec43d74f5

SHA1

f68be50404b9270572000283b67916f9962ec75a
8f4dfe4c8d8ce900f98b8d3a37b254f4b1bbee50
95483d2bdec996ed52acaa9a5601395a1560fc91
b7bce03067b19050cdd3da7ffea275e1e5e9a0fa
eed7d47da955c4150089180355bf6723bc527e8a
c15c2a74356c81d55668dea26d9c070de419861c
dff865334cc4bd67600a6c3695abba3b3f35bd32
b41d5889e2336e2a4e590af7872df8791def898c
d9363b8bcde593629220f190d02f3d21119ae4ea
02364c370301d4fbff148750edcd3d18130501dc
2e3d9e7d8d7cc30e7e1ede1af6b0587ea71ee186
65d02f58a19d9e2a5fd7f3e8906ae0c1cb0e1dfe
a052b5f2981c77072a88ed352b1704ebbbf06a75
7ce5da57e629be279e2de1cdc8ac17b5ce485ea0
8fedcc5d9b5cb2d0909de8acb969adc76a5dc09c
6d2e7e93a18022ccb7c010378e341ab02ce900b3
037d13947324d61f9240b2dd2d8e5811f698847c
389e143e636e8be31091cab2cd59576a573990aa
ee130bcaae46b2e98dd3f8d38cbdf2ee05f87e77
42b1ab8833eff1b35ac68ddcb010b62b3d4648de
097990eab583a7060776a068996a0cf02939feba
88e5c08dc83d921e47d38000ebe169b292a049b9
e782e228c134fc5a46567e5d72c420d79a6f3b1a
5169321af7e65e5a9616ac03602b9cf5e69edd10
b4d0929c8d0d60a3b72b5df46e37aab8a6809224
d26be17a80daf6c9a6a34193e6b5a90d1ca58769
65e946b9b8ebd68bb063b12d6bebb56231ed38a1
f68be50404b9270572000283b67916f9962ec75a
1be42ba4034e134232c4f9376e173e5c99ed303f
55c973427ae0497cc378f6df524da61d4e54ca26
3c9f52673d497a5c4583566101b095d4d87eb4a4
7dea8619450880b36ff32b5aed6964e75ea2587f
5a7f5b12d8e2f84c8273630adfb928e08b7e48a2
6d8c808502e6605a9e0fb9f00bbbab9550a927ef
db403627b597d2f10128272806646d7da3429c36
70ff0bdccbb2110a2bcb4ce3bde356d4d1672bf9
72cecf37c93855120a5954d79a917081bc9d3d17
3649be8168c2add9317e0625d29dd91eab0e46d6
0be334680c99052eec19a30445e58cb8e33633ce
d861eea4b0e8596a1c4d94414debd5b871721853
1596d02160234701c0c61f0893eb1b4a3bc5f3b8
00006b9f30d997c88a8fc051787b4b1580776b7f
09ce36cce76ef3dc51953b04f784637681cc7616
278cb85ffaf2f0f0aa5550137608e905a7623984

URL

http[:]//foundation[.]shanto-mariamfoundation[.]org/24[.]gif
http[:]//pramars[.]xyz/psswhqxs/222222[.]png
http[:]//mahathi2[.]ondemandcreative[.]com/24[.]gif
http[:]//matterandhome[.]com/twtao/222222[.]png
http[:]//staging[.]stikbot[.]toys/24[.]gif
http[:]//ideskonline[.]com/vzpcwa/222222[.]png
https[:]//exploshot[.]com/24[.]gif
http[:]//condochicks[.]com/ynwnx/222222[.]png

Remediation

Block the threat indicators at their respective controls.
Do not download files attached in untrusted emails.
Do not enable macros for untrusted files.