{"id":22094,"date":"2023-05-24T16:10:55","date_gmt":"2023-05-25T00:10:55","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/05\/24\/news-15824\/"},"modified":"2023-05-24T16:10:55","modified_gmt":"2023-05-25T00:10:55","slug":"news-15824","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/05\/24\/news-15824\/","title":{"rendered":"Tracking down a trojan: An inside look at threat hunting in a corporate network"},"content":{"rendered":"

At Malwarebytes, we talk a lot about the importance of threat hunting for SMBs—and not for no good reason, either. Just consider the fact that, when a threat actor breaches a network, they don’t attack right away. The median amount of time<\/a> between system compromise and detection is 21 days.<\/p>\n

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.<\/p>\n

Threat hunting<\/a> helps find and remediate highly-obfuscated threats like these that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”<\/p>\n

The bad news for small-to-medium sized businesses (SMBs): Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC).<\/p>\n

That’s where Malwarebytes Managed Detection and Response (MDR) comes in.<\/a><\/p>\n

Malwarebytes MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack.<\/p>\n

But talk is cheap: let’s look at a real time where Malwarebytes MDR successfully helped a company detect and respond to a potent banking Trojan known as QBot.<\/p>\n

The Incident<\/h2>\n

On a date left undisclosed for security reasons, a reputable oil and gas company we’ll refer to as Company 1 experienced an intrusion in their network. The culprit was Qakbot<\/strong> (also known as QBot).<\/p>\n

QBot is notorious for its abilities to steal sensitive information<\/a>, like login credentials, financial data, and personal information, and even create backdoors for additional malware to infiltrate the compromised system. What’s more, it also facilitates remote access to the compromised machines.<\/p>\n

QBot has recently been observed being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF).<\/p>\n

\"\"<\/p>\n

The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)<\/p>\n

QBot attacks start with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment.<\/p>\n

\"\"<\/p>\n

A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)<\/p>\n

Once someone in the email chain opens the attached PDF, they see a message saying, “This document contains protected files, to display them, click on the ‘open’ button.” Clicking the button downloads a ZIP file containing the WSF script.<\/p>\n

\"\"<\/p>\n

The heavily obfuscated script contains a mix of JS and VBScript code that, when run, triggers a PowerShell that then downloads the QBot DLL from a list of hardcoded URLs. This script tries each URL until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.<\/p>\n

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into wermgr.exe, a legitimate Windows Error Manager program, to run quietly in the background.<\/p>\n

The Infection<\/h2>\n

The initial infection at Company 1 was traced to a laptop in their network.The Qakbot malware used Windows Script File (WSF), executed by WSCRIPT.EXE, to launch a PowerShell script encoded in Base64.<\/strong><\/p>\n

\"\"<\/p>\n

The Process Graph tile<\/a> under the Suspicious Activity page in Nebula shows a visual representation of the files or processes touched by the suspicious activity.<\/p>\n

\"\"<\/p>\n

Clicking on the node to view more details, we see WSCRIPT.EXE was used to execute a Windows Script File, which spawned an instance of PS executing a Base64 encoded command.<\/p>\n

\"\"<\/p>\n

Node detail showing malicious encoded PowerShell script.<\/p>\n

This script was designed to be patient and stealthy.<\/p>\n

It first initiated a waiting period of 4 seconds before creating an array of URLs, presumably leading to malicious websites. The malware then attempted to download a file from each URL, with each file being checked for a minimum size of 100,000 bytes, implying a meaningful content requirement. If a download failed, the script would wait for 4 seconds before moving to the next URL.<\/p>\n

The downloaded files were executed using the RUNDLL32.EXE Windows utility, which was invoked from the PowerShell instance<\/strong>. This allowed the downloaded file, dubbed “FreeformOzarkite.marseillais<\/strong>,” to load and execute its malicious payload.<\/p>\n

\"\"<\/p>\n

RUNDLL32.EXE was invoked from the previous instance of PowerShell to execute a malicious payload or module that is stored in the file “FreeformOzarkite.marseillais” in the temporary folder of the infected user. <\/p>\n

The Malicious DLL<\/h2>\n

A specific DLL file, identified as zibkwyxdtpcrqshpuqkoomcoba.dll<\/strong>, was found to be one of the malicious codes executed by the Qakbot infection.<\/p>\n

\"\"<\/p>\n

Node detail showing the malicious DLL is executed (zibkwyxdtpcrqshpuqkoomcoba.dll).<\/p>\n

Decomposition of this DLL revealed several nefarious functions, including:<\/p>\n