August 21, 2020
Severity
Medium
Analysis Summary
A massive maldoc campaign delivering the QakBot/QBot banking trojan was detected starting earlier this month. QakBot uses advanced techniques to evade detection and to hamper manual analysis of the threat. QakBot attacks typically arrive as a malicious attachment to a phishing email, often a bare Microsoft Word document attached to the spam message. This particular campaign instead delivers a ZIP file; inside the ZIP attachment is a Word document that contains macros. Those macros execute a PowerShell script that then downloads the QakBot payload from specific URLs.

The campaign introduces two new techniques: a bypass of content disarm and reconstruction (CDR) technology by zipping the Word document, and a bypass of parent-child pattern detection because the Visual Basic code is executed using Explorer. The attackers rely on a common lure to get the victim to enable macros: when the target downloads the file, it asks the target to enable editing and then enable content in order to view the document.
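Because the CDR bypass described above relies on wrapping the macro document in a ZIP, a mail-gateway or sandbox check has to look inside archive attachments rather than only at the outer file. The following Python is an added example, not Rewterz's code: it walks a ZIP attachment, flags nested OOXML documents that carry a vbaProject.bin part, and marks legacy OLE2 documents as needing deeper macro inspection. The sample archive is constructed inline and stands in for a campaign attachment.

```python
import io
import zipfile

# File signatures: OOXML (.docm/.docx) is a ZIP container; legacy .doc is OLE2.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# These parts exist only when an OOXML document embeds a VBA project.
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def classify_office_blob(data):
    """Return 'ooxml-macro', 'ole2' or None for one un-nested file."""
    if data.startswith(OLE_MAGIC):
        return "ole2"  # legacy binary format: may hold VBA, needs an OLE parser
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(p in z.namelist() for p in OOXML_MACRO_PARTS):
                    return "ooxml-macro"
        except zipfile.BadZipFile:
            pass
    return None

def find_macro_docs(data, path="attachment", depth=0, max_depth=3):
    """Walk an attachment, descending into ZIP wrappers; list macro-capable docs."""
    kind = classify_office_blob(data)
    if kind:
        return [(path, kind)]
    findings = []
    if depth < max_depth and data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.is_dir() or info.file_size > 50_000_000:
                        continue  # skip directories and zip-bomb sized entries
                    findings += find_macro_docs(z.read(info), path + "/" + info.filename,
                                                depth + 1, max_depth)
        except zipfile.BadZipFile:
            pass
    return findings

def build_sample():
    """Constructed sample: a ZIP wrapping a minimal .docm with a VBA project part."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docm", docm.getvalue())
    return outer.getvalue()
```

Running `find_macro_docs(build_sample())` reports the nested macro document as `attachment/invoice.docm`, which is the file a scanner that stops at the outer ZIP never sees.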
Impact
- Security Bypass
- Code Execution
- Financial Theft
Indicators of Compromise
Domain Name
SHA1
URL
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments from untrusted email addresses.
- Do not enable content or macros for untrusted files.