March 11, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Quasar RAT – Active IOCs
December 22, 2021Rewterz Threat Alert – APT-C-41 StrongPity – Active IOCs
December 22, 2021Rewterz Threat Alert – Quasar RAT – Active IOCs
December 22, 2021Rewterz Threat Alert – APT-C-41 StrongPity – Active IOCs
December 22, 2021
Severity
High
Analysis Summary
A massive maldoc campaign delivering the QakBot/QBot banking trojan is detected. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word or Excel documents attached to the spam email. This particular campaign features an xls file that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. The attackers use a common tactic to lure the victim to enable macros: when the target downloads the file, it asks the target to enable editing and then enable content in order to view the document.
Impact
- Unauthorized Access
- Financial Theft
- Information Theft
Indicators of Compromise
MD5
- 1b15377d27de0a1afa7125773dd3db78
SHA-256
- 11d23db59e3766d5bd65786f1a0eeb721316827a126df8944fd281e7abf47fee
- baeb9491d914aa725272921326479a63917cf9f469340790546dcb2c6a14bfb1
- d42725438ad7e63d2beb8916ee8bb77a70cc002432669c2c0449d9568a4be5ef
- eb0ac0333266510ae8394e0210c2daf6a3b9f61e559be0991478baea8063e926
SHA-1
- 544492b690d581b42a299fef1dd9c91c1c3a0e35
Remediation
- Block the threat indicators at their respective controls.
- Seach for IOCs in your environment.