Resurgence of the QakBot Stealer from Newly Registered Domains

The Zscaler ThreatLabZ team is constantly on the lookout for trending and evolving techniques used by malware authors to infiltrate victims' machines, steal information, and carry out other malicious activities. Recently, we observed newly registered domains (NRDs) specifically created to distribute QakBot, a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment. These malicious Office documents are used for the delivery of payloads and are often involved in targeted attacks. ThreatLabZ has analyzed thousands of malicious documents from different campaigns, and this blog will outline our analysis of the obfuscated macro used to deliver the QakBot stealer.

Malicious Office macro analysis:

We noted a campaign using malicious Office documents with the filename Operating Agreement_.doc, and we detonated the file in our sandbox to see what would happen if a user did the same. We observed that the user would receive the following notice before enabling the macro.
The filenames and hashes for these attachments are as follows:

| Md5 | File Type | File Name |
| --- | --- | --- |
| 35c410f461d0568449e8e1ce9071c9c8 | DOCM | Operating Agreement_11.doc |
| fc3ce33366a6a958190e1191381cd88a | DOCM | Operating Agreement_1.doc |
| 0662a56970ab101c3cc3ffd28f1e8611 | DOCM | Operating Agreement_12.doc |
| ef5f8a577667c01ca4e888fc92fbc2ba | DOCM | Operating Agreement_4.doc |
| ff3fb1ca6740a8bcfad9240931f58fd6 | DOCM | Operating Agreement_1.doc |
| 0045b7c3d514c62806f215ad6b2c009d | DOCM | Operating Agreement_22.doc |
| 78c96b3b71c6dc7c6a9462b85836cc12 | DOCM | Operating Agreement_11.doc |
| c8a121c6f5c23ee55d2d0d96d8dd6736 | DOCM | Operating Agreement_25.doc |
| ad00392f05ff38447fbd9cb6adc5e820 | DOCM | Operating Agreement_40.doc |
| 47a48a09467c0627e253da4e0caff9cc | DOCM | Operating Agreement_33.doc |
| 7f699f567aa1ee82d7d951acd1d1ed95 | DOCM | Operating Agreement_8.doc |
| 9c601faf5047ee6a783ee1d6d2b14327 | DOCM | Operating Agreement_20.doc |
| bcb055c370178754930305890f763988 | DOCM | Operating Agreement_34.doc |
| e8e06c8a52f2ac87874b93e777b5abba | DOCM | Info_102.doc |
| f3de4b872baf17a253da5cf05ea1bff9 | DOCM | Judgment_1434.doc |

The macro is password-protected, but we were able to extract it after tweaking the code. At first glance, the many userforms in the macro suggest that they merely hold code, but the macro actually uses them to perform actions, including: copying hardcoded, obfuscated data from the userform, decrypting it, and placing it back in the userform in different "properties" sections, such as captions and tags; from there, it executes PowerShell to download the payload from the command-and-control (C&C) server.

Once the macro is enabled, it generates a fake popup window to make the user believe the system is performing a function. This is similar to the activity we examined in the TA505 APT and Emotet campaigns. This window is displayed while the macro performs its malicious activities.
File system persistence:

It drops a .bat file to the following path: C:\Users\Public\tmp.bat

Tmp.bat in turn creates the directory C:\Users\Public\tmpdir\ and writes tmps1.bat into it.

Functionality of tmps1.bat:

C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2 & C:\Users\Public\tmpdir\[payload].exe

The choice command waits for the prompt to time out, after which the payload is run. The choice command was disabled in earlier versions of Windows but is available in Windows Vista and later versions. It allows batch files and scripts to pause while the user makes a selection from a set of choices.

/C : Specifies the list of choices to be created. The default list is "YN".
Y : The choice "Y" (yes), which is displayed on the prompt.
/N : Hides the list of choices in the prompt. The message before the prompt is displayed and the choices are still enabled.
/D : Specifies the default choice after timeout seconds.
/T : The number of seconds to pause before the default choice is made.

Obfuscation and decryption routine:

This macro is highly obfuscated and difficult to analyze because of its added junk code. The snapshot below shows obfuscated data being copied to the userform.

The string shown above appeared as ubc/qnu]djmcv]tsftV];D. We reversed the string before moving on to the decryption algorithm. After reversing, it appeared as D;]Vtfst]vcmjd]unq/cbu, which was used later for decryption.

Decryption routine:

We fetched the obfuscated data from a stored variable and then, in a loop over the length of the string (D;]Vtfst]vcmjd]unq/cbu), took each character with Mid. Each returned character is converted to its ASCII code, 1 is subtracted, and the result is converted back to a character with Chr.

Using the same decryption routine, the macro decodes the four URLs contained in the file and, at the end, a Base64-encoded block that is passed to the PowerShell script.
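The decryption routine described above (reverse the string, then subtract 1 from every character code) is simple enough to re-implement as an analyst's helper. The following is an added example, not code from the original post or from the macro: it implements the decode step, extracts quoted literals from a VBA snippet and keeps the ones that decode to something that looks like a path or URL. The VBA snippet, the `example.invalid` URL and the placeholder literals are constructed for this example; the filter heuristics are an assumption, not part of the post's analysis.

```python
import re
import string


def decode_string(obfuscated: str) -> str:
    """Undo the macro's scheme described in the post: reverse, then Chr(Asc(c) - 1)."""
    return "".join(chr(ord(c) - 1) for c in reversed(obfuscated))


def encode_string(plain: str) -> str:
    """Inverse of decode_string; used here only to build labelled sample input."""
    return "".join(chr(ord(c) + 1) for c in plain)[::-1]


# Matches the contents of a double-quoted VBA string literal on one line.
_VBA_LITERAL = re.compile(r'"([^"\r\n]*)"')


def looks_like_plaintext(text: str) -> bool:
    """Heuristic (assumption): printable ASCII that resembles a path, URL or executable name."""
    if not text or any(c not in string.printable for c in text):
        return False
    markers = ("http://", "https://", ":\\", "%appdata%", "powershell", ".exe", ".bat")
    lowered = text.lower()
    return any(m in lowered for m in markers)


def recover_strings(vba_source: str) -> dict:
    """Decode every quoted literal in the source and keep those that decode to something meaningful."""
    found = {}
    for literal in _VBA_LITERAL.findall(vba_source):
        decoded = decode_string(literal)
        if looks_like_plaintext(decoded):
            found[literal] = decoded
    return found


# Constructed VBA snippet (not the real macro). The first literal is the path
# named in the post encoded with the scheme above; the URL literal is built with
# encode_string() so the round trip is visible; the junk line should be ignored.
SAMPLE_VBA = "\n".join([
    'UserForm1.Label1.Caption = "ubc/qnu]djmcvQ]tsftV];D"',
    'Dim junk As String: junk = "lorem ipsum"',
    'UserForm1.Label2.Tag = "%s"' % encode_string("http://example.invalid/docs_xx/55555.png"),
])


if __name__ == "__main__":
    for encoded, decoded in recover_strings(SAMPLE_VBA).items():
        print(f"{encoded!r} -> {decoded!r}")
```

Because the scheme is a fixed shift, any literal that decodes to non-printable characters is almost certainly junk, which is why the filter rejects it before it ever reaches an analyst's notes.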
QakBot analysis:

QakBot is a sophisticated stealer that is distributed by documents downloaded from spam email. It uses different techniques to evade detection and complicate analysis. We checked the timestamp of the unpacked sample and discovered it was from 2010.

Before executing the main code, the malware checks for the presence of antivirus software. It also checks for virtual environments and other monitoring tools by inspecting the running processes on the victim's computer. It takes a snapshot of the processes using CreateToolhelp32Snapshot and enumerates all of them using the Process32First and Process32Next APIs. Below is the list of processes:

ccSvcHst.exe
avgcsrvx.exe
avgsvcx.exe
avgcsrva.exe
MsMpEng.exe
mcshield.exe
avp.exe
egui.exe
ekrn.exe
bdagent.exe
vsserv.exe
AvastSvc.exe
coreServiceShell.exe
PccNTMon.exe
NTRTScan.exe
SAVAdminService.exe
SavService.exe
fshoster32.exe
WRSA.exe
vkise.exe
isesrv.exe
cmdagent.exe
MBAMService.exe
ByteFence.exe
mbamgui.exe
fmon.exe
Vmnat.exe

Further, the malware copies itself into the %AppData%\Roaming\Microsoft\{Random}\ directory and executes the copy. It executes the command below to ping itself and replace the original binary with a copy of the legitimate Windows Calculator application, calc.exe:

"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\

Persistence mechanism:

QakBot establishes persistence by creating a RUN key at the auto-startup location, so the malware is executed at every login. It also creates a scheduled task to execute the payload once at 5:33 a.m. and delete the scheduled task after execution.
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\{Random}

C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn {Random} /tr "\"%AppData%\Roaming\Microsoft\{Random}\{Random.exe}\" /I {Random}" /SC ONCE /Z /ST 05:33 /ET 05:45

Additionally, it creates the explorer.exe process in suspended mode and injects the DLL into it. After executing, it drops a .wpl file containing JavaScript and creates a scheduled task to execute that JavaScript at 12:00 p.m. on Tuesday and Wednesday of every week, as shown in the screenshot below.

Functionality:

The JavaScript downloads the updated QakBot from ebook[.]w3wvg.com/datacollectionservice.php3 and executes it. The downloaded payload is encrypted, and the script decrypts it before dropping it onto the system. QakBot then steals the following information from the victim's machine:

IP address
Hostname
Username
OS Version
Banking credentials

It uses WebInject to alter communication between the victim's machine and banking websites and steals the credentials. Apart from this, we analyzed the POST network activity of QakBot: it uses HTTPS (SSL/TLS) traffic to 96.227.122.123, an IP address with no associated domain.

Conclusion

QakBot malware is not new; we know it has been active for at least 13 years. But it is ever-evolving and uses different mechanisms and methods to infect machines and to evade detection. The Zscaler ThreatLabZ team is continuously monitoring these types of cyberattacks to keep our customers safe.
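The command lines quoted in the file-system persistence, self-replacement and scheduled-task sections above share traits that are easy to match in process-creation telemetry: choice or ping to 127.0.0.1 used as a timer, type redirected over another file, a one-shot schtasks job running as SYSTEM that deletes itself (/Z), and executables under %AppData%\Roaming\Microsoft\<random>\. The following is an added detection example, not code from the original post or from Zscaler: it runs a small set of regular-expression rules over constructed command lines modelled on the ones quoted above. The sample events, the RANDOM placeholder (standing in for the post's {Random}), the `victim` user name, the benign lines and the rule names are all constructed for this example.

```python
import re

# Constructed process-creation command lines (not from the post's telemetry).
# The first three are modelled on the commands quoted in the post with the
# random names replaced by RANDOM; the last three are benign look-alikes.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2 & C:\Users\Public\tmpdir\RANDOM.exe',
    r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\victim\AppData\Roaming\Microsoft\RANDOM\RANDOM.exe"',
    r'C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn RANDOM /tr "\"%AppData%\Roaming\Microsoft\RANDOM\RANDOM.exe\" /I RANDOM" /SC ONCE /Z /ST 05:33 /ET 05:45',
    r'schtasks.exe /Create /TN NightlyBackup /TR C:\Tools\backup.exe /SC DAILY /ST 02:00',
    r'ping.exe -n 4 192.0.2.10',
    r'cmd.exe /c choice /C YN /M "Continue?"',
]

# Each rule is (name, compiled pattern). All patterns are case-insensitive;
# the schtasks rule uses lookaheads because switch order is easy to change.
RULES = [
    # tmps1.bat: choice with a timeout as a delay, then an executable run from C:\Users\Public
    ("choice_delay_then_public_exe",
     re.compile(r"\bchoice\b.*?/T\s+\d+.*?&.*?\\users\\public\\.*?\.exe", re.I)),
    # ping to localhost as a sleep, then `type <file>` redirected over another file
    ("ping_delay_then_overwrite",
     re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&\s*type\s+.*?>", re.I)),
    # one-shot scheduled task running as SYSTEM that deletes itself after running (/Z)
    ("schtasks_once_selfdelete_system",
     re.compile(r'\bschtasks(?:\.exe)?\b(?=.*?/create\b)(?=.*?/sc\s+once\b)(?=.*?/z\b)'
                r'(?=.*?/ru\s+"?nt authority\\system)', re.I)),
    # executable inside a single-level subdirectory of %AppData%\Roaming\Microsoft\
    ("exe_under_appdata_microsoft_subdir",
     re.compile(r'appdata%?\\roaming\\microsoft\\[^\\\s"]+\\[^\\\s"]+\.exe', re.I)),
]


def analyze(command_line: str) -> list:
    """Return the names of every rule that fires on one command line, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan(events) -> list:
    """Run analyze() over a batch of command lines, preserving their order."""
    return [analyze(event) for event in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(", ".join(hits) or "-", "|", event[:80])
```

Two of the sample lines fire more than one rule, which is the intended design: the AppData-path rule on its own is only a weak signal, but it corroborates the ping-and-overwrite and self-deleting-task rules, and an alert that stacks several of these on one host within a few minutes is far more specific than any one of them alone.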
Sandbox detection:

In addition to sandbox detections, the Zscaler Cloud Security Platform detects indicators at various levels:

VBA.Downloader.Qakbot: https://threatlibrary.zscaler.com/threats/7c716d69-474b-4d81-b67f-54d8db2b1412/
Win32.Banker.Qakbot: https://threatlibrary.zscaler.com/threats/dc8c9559-b57c-4358-8707-4100137ed1db

Indicators of Compromise:

Archive source URLs:

| URL | Md5 |
| --- | --- |
| 8bmskg.sn.files.1drv.com | 5516505b431014e7e1239559a3d69d08 |
| g1wf8w.dm.files.1drv.com | ffd16da51c2faf80d4787e9f707585e9 |
| public.sn.files.1drv.com | d2ce5e5f9b0e62f825fbe52f3671b6f9 |
| g1xquw.dm.files.1drv.com | b0abe47be307b67cdc0b53715a9d54b8 |
| g1wf8w.dm.files.1drv.com | bf4699a1c0653150ebfa36532b2ce67e |
| di2szw.ch.files.1drv.com | f2ad83b93ca5099a71e334e06ccee60b |
| 8bmskg.sn.files.1drv.com | 71fac0d7b0af2be4cd9d1a79faab96d0 |
| di1jlq.ch.files.1drv.com | 2b43ab02f13b6ccea9c0d5fe37739113 |
| rh6zdw.by.files.1drv.com | e6bea2f73828b56e14b2107f5f22defa |
| pr6zdw.by.files.1drv.com | 9caaa51ec65ab3018b4c512fae441347 |
| gofjig.dm.files.1drv.com | af9a57237aa3b24ec88fe2658538ac1f |
| ztmjyq.sn.files.1drv.com | 71e6e0049337764cb2bfd7f1d3a01f34 |
| qb6zdw.by.files.1drv.com | 65ffdf05ecaf70b412c7953e487afb70 |
| grieche.apptec24.com | 93274854c7ed4ee6f5c9fe7384cd2106 |
| 9.kamstore.com.ua | 44a7f5101b54df759a895cc3996703fe |

Newly registered domains serving the QakBot payload:

econspiracy[.]se/evolving/888888.png
blog.buatvideomu[.]com/wp-content/uploads/2020/04/last/444444.png
intermed19[.]com/wp-content/themes/calliope/previous/444444.png
greenmagicbd[.]com/wp-content/themes/calliope/previous/444444.png
y-sani[.]com/docs_bcx/55555.png
tianmaouae[.]com/docs_9qu/55555.png
dctechdelhi[.]com/wp-content/plugins/advanced-ads-genesis/previous/444444
themmacoach[.]com/wp-content/uploads/2020/04/docs_cv0/55555.png

QakBot Md5:

ee360e519957018391a31808e4f4448e

QakBot C&C:

ebook[.]w3wvg.com/datacollectionservice.php3
masson[.]prodigyprinting.com/datacollectionservice.php3