Rewterz Threat Alert – Qakbot (Qbot) Maldoc Campaign – IoCs

Severity

Medium

Analysis Summary

A massive maldoc campaign delivering the QakBot/QBot banking trojan was detected, starting earlier this month. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word documents attached to the spam email. This particular campaign features a ZIP file; within the ZIP attachment is a Word document that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. This campaign includes two new techniques: a bypass of the content disarm and reconstruction (CDR) technology through zipping the Word document, and a bypass of child-pattern pattern detection because Visual Basic is executed using Explorer. The attackers use a common tactic to lure the victim to enable macros: when the target downloads the file, it asks for the target to enable editing and then enable content in order to view the document.

Impact

• Security Bypass
• Code Execution
• Financial Theft

Indicators of Compromise

Domain Name

• craniotylla[.]ch
• studiomascellaro[.]it
• optovik[.]store
• atsepetine[.]com
• maplewoodstore[.]com
• akersblog[.]top
• ankaramekanlari[.]net
• all-instal[.]eu
• marineworks[.]eu
• quoraforum[.]com
• nashsbornik[.]com
• nanfeiqiaowang[.]com
• quickinsolutions[.]com
• akindustrieschair[.]com
• bronco[.]is
• Hostname
• forum[.]insteon[.]com
• store[.]anniebags[.]com

SHA1

• 147101a88cc1fe91bac9161425986a1c1e15bc16
• 2bd118bb81b709b1013d7ffd8789f05d4e1f734f
• e36af99c29a474f82cd57f2736b9d1b5ecadfdfd
• 8253ed3b08ab8996d471af5d25a7223d8c259f45
• 791179b20d936cf76d885d1949d4a50a295b4918
• 78f498003afb55d18207ab7bb22170c6c8c7ef98
• be852364d22d508f8ef601bb3bc9eac6bd98713b
• 952917654b5c0328a31c3bbd8c7bf7a70a4a82e7
• 39d29aa254c55a5222ea0ec63dc22da67e3b483d
• 58b023e339a9557adbdbf0de63c0584500438b9b
• e7480e6adb6af1c992bc91605e4bba682d76c43d
• d772f78169d9ba175d22c8ecf1a0c3f0328ff6eb
• 295e604af22f8ced8fe5349765d345507fd3c079
• b841a34ec95bd1c3d1afe6d578aadef9439f3c38

URL

• http[:]//marineworks[.]eu/dwaunrsamlbq/111111[.]png
• http[:]//forum[.]insteon[.]com/suowb/111111[.]png
• http[:]//all-instal[.]eu/mgpui/555555[.]png
• http[:]//duvarsaatcisi[.]com/gbmac/555555[.]png
• http[:]//store[.]anniebags[.]com/qyvbyjaiu/555555[.]png
• http[:]//bronco[.]is/pdniovzkgwwt/111111[.]png
• http[:]//ankaramekanlari[.]net/vmnzwr/555555[.]png
• http[:]//optovik[.]store/bkatah/555555[.]png
• http[:]//quoraforum[.]com/btmlxjxmyxb/111111[.]png
• http[:]//akersblog[.]top/kipql/555555[.]png
• http[:]//maplewoodstore[.]com/rmwclxnbeput/555555[.]png
• http[:]//quickinsolutions[.]com/wfqggeott/111111[.]png
• http[:]//akindustrieschair[.]com/smuvtnrgvmd/55555[.]png
• http[:]//rijschoolfastandserious[.]nl/rprmloaw/111111[.]png
• http[:]//nashsbornik[.]com/rqzvoxtjyhw/555555[.]png
• http[:]//craniotylla[.]ch/vzufnt/111111[.]png
• http[:]//studiomascellaro[.]it/wnzzsbzbd/111111[.]png
• http[:]//atsepetine[.]com/evuyrurweyib/555555[.]png
• http[:]//nanfeiqiaowang[.]com/tsxwe/111111[.]png

Remediation

• Block the threat indicators at their respective controls. 
• Do not download email attachments from untrusted email addresses.
• Do not enable content or macros for untrusted files.