{"id":21797,"date":"2023-04-24T08:59:26","date_gmt":"2023-04-24T16:59:26","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/04\/24\/news-15528\/"},"modified":"2023-04-24T08:59:26","modified_gmt":"2023-04-24T16:59:26","slug":"news-15528","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/24\/news-15528\/","title":{"rendered":"QBot changes tactic, remains a menace to business networks"},"content":{"rendered":"<p>QBot, an infostealer-turned-dropper that aids criminal gangs in their malicious campaigns, is now being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF), according to recent discoveries by malware hunter Proxylife (<a rel=\"noreferrer noopener\" href=\"https:\/\/twitter.com\/pr0xylife\" target=\"_blank\">@pr0xylife<\/a>) and the Cryptolaemus group (<a rel=\"noreferrer noopener\" href=\"https:\/\/twitter.com\/Cryptolaemus1\" target=\"_blank\">@Cryptolaemus1<\/a>).<\/p>\n<p>The last time QBot (aka QakBot) had its modus operandi changed was in November. 
Campaign operators&nbsp;<a target=\"_blank\" href=\"https:\/\/href.li\/?https:\/\/www.malwarebytes.com\/blog\/news\/2022\/11\/qbot-uses-zero-day-motw-bypass-in-phishing-campaign\" rel=\"noreferrer noopener\">adopted<\/a>&nbsp;tactics from Magniber&rsquo;s playbook to successfully exploit a Mark of the Web (MotW) zero-day flaw to run a JavaScript (JS) file that executed QBot.<\/p>\n<p>The latest QBot phishing campaign is illustrated simply in the diagram below:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/easset_upload_file40586_264355_e.png\" alt=\"\" width=\"737\" height=\"147\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/>The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)<\/p>\n<p>The attack starts with a reply-chain phishing email, in which threat actors reply to an existing email thread with a malicious link or attachment. BleepingComputer&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/href.li\/?https:\/\/www.bleepingcomputer.com\/news\/security\/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware\/\" target=\"_blank\">has noted<\/a>&nbsp;that these phishing emails use a variety of languages. This means the language barrier is absent in such an attack, so any business from any part of the world could be affected.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/easset_upload_file38381_264355_e.png\" alt=\"\" width=\"865\" height=\"587\" \/><br \/>A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)<\/p>\n
<p>Once someone in the email chain opens the attached PDF, they see a message saying, &#8220;This document contains protected files, to display them, click on the &#8216;open&#8217; button.&#8221; Clicking the button downloads a ZIP file containing the WSF script.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/easset_upload_file982_264355_e.png\" alt=\"\" width=\"749\" height=\"370\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>The heavily obfuscated script contains a mix of JS and VBScript code that, when run, launches PowerShell, which then downloads the QBot DLL from a list of hardcoded URLs. The script tries each URL in turn until a file is successfully downloaded to the Windows Temp folder (%TEMP%), then executes it.<\/p>\n<p>Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into&nbsp;<em>wermgr.exe<\/em>, a legitimate Windows Error Manager program, to run quietly in the background.<\/p>\n<p>Because QBot is said to be used by operators of ransomware-as-a-service (RaaS) offerings, its presence in company systems could be disastrous. Therefore, any organization that finds QBot-infected systems must take them offline as soon as possible, thoroughly scan them, and review network logs for unusual behavior.<\/p>\n<p>The DFIR Report in February 2022&nbsp;<a target=\"_blank\" href=\"https:\/\/href.li\/?https:\/\/thedfirreport.com\/2022\/02\/07\/qbot-likes-to-move-it-move-it\/\" rel=\"noreferrer noopener\">showed<\/a>&nbsp;QBot collecting data from a compromised system 30 minutes after infecting it. Within an hour, QBot can spread to adjacent systems.<\/p>\n<p>Malwarebytes detects the malicious DLL&nbsp;(QBot).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/easset_upload_file81240_264355_e.png\" alt=\"\" width=\"761\" height=\"512\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/qbot-changes-tactic-remains-a-menace-to-business-networks\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: QBot<\/p>\n<p>Tags: Trojan dropper<\/p>\n<p>QBot has resurfaced with a new tactic involving a reply-chain phishing email, a fake PDF, and the likely promise of a ransomware infection.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/qbot-changes-tactic-remains-a-menace-to-business-networks\" title=\"QBot changes tactic, remains a menace to business networks\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/qbot-changes-tactic-remains-a-menace-to-business-networks\">QBot changes tactic, remains a menace to business networks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[32,10740,28678],"class_list":["post-21797","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-news","tag-qbot","tag-trojan-dropper"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21797"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21797\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21797"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}