A recent analysis of the information-stealing malware Qbot (also known as Qakbot) shows how fast it works: in the intrusion analysed, it took only about 30 minutes from initial execution to exfiltrate the user's browser data and Outlook emails, and only about 50 minutes to start spreading to other hosts on the network.
Qbot has been seen in the wild in the hands of many adversaries, including the operators of REvil, Egregor, ProLock, and MegaCortex. It is used mostly in the early stage of a ransomware intrusion to gain a foothold on hosts and then compromise the rest of the targeted organization.
The sequence of events following the infection chain
Initial access for Qbot starts with a traditional phishing email carrying a malicious document, typically an Excel workbook (XLS). The user has to enable macros; once enabled, the macro drops the Qbot DLL loader on the target machine.
The visible content of the document is usually a lure that tricks the user into following the on-screen instruction to enable macros in order to "see" the document.
In the timeline diagram below, Qbot moves through the shown stages quickly: it performs privilege escalation immediately after infection, and a full reconnaissance scan of the host and network takes place within ten minutes.
When launched, the Qbot DLL payload is injected into legitimate Windows processes to evade detection, such as msra.exe (Microsoft Remote Assistance) and mobsync.exe (Microsoft Sync Center).
In this example, Qbot injected itself into msra.exe and then created a scheduled task for privilege escalation. The malware also adds the path of the Qbot DLL to Microsoft Defender's exclusion list, so the DLL is not scanned when it is injected into msra.exe. Both actions leave artifacts a defender can hunt for: the new scheduled task, and the new value written under the Defender Exclusions key in the registry (HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions).
Following the sequence of events, msra.exe then spawns multiple discovery commands for enumeration and to prepare lateral movement.
msra.exe spawning discovery processes
Qbot also steals Windows credentials by dumping the memory of the LSASS (Local Security Authority Subsystem Service) process and by harvesting saved credentials from web browsers. These credentials are then used to move laterally to other devices on the network. The lateral movement takes place rapidly, so if there is no network segmentation protecting the workstations, the situation becomes very challenging for defense teams. The impact of these fast attacks is not limited to data loss: Qbot has also been observed in the past dropping ransomware payloads onto compromised corporate networks.
Qbot is well known for stealing emails, both to collect information and to perform email thread hijacking, where stolen conversations are later replied to with malicious attachments so that the phishing appears to come from a trusted contact.
The collected email data is staged locally in one of two locations before exfiltration.
Here msra.exe spawns ping.exe and carries out the exfiltration of the staged data.
Once the data has been exfiltrated, the staging folder is deleted, as seen below.
Collection of browser data from Internet Explorer and Microsoft Edge was also observed, with Qbot using the built-in Windows utility esentutl.exe, a tool for working with ESE databases, to copy the browser's WebCache database.
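The behaviours described above (an injected msra.exe or mobsync.exe spawning enumeration tools, esentutl.exe touching the browser WebCache, and a new Microsoft Defender exclusion) are all visible in process-creation and registry telemetry. The script below is an added example written for this page, not code from The DFIR Report or CyberConvoy, that runs those checks over a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) embedded inline; the command lines, PIDs, paths and timestamps are made up for illustration, and the field names mirror Sysmon's but the input format (a list of dicts) is an assumption for a stand-alone demo. The enumeration-burst rule goes beyond the per-event matches in the text: it flags any single parent process that launches several distinct discovery tools within a ten-minute window, which is the "full reconnaissance within ten minutes" pattern described earlier.

```python
"""Detection rules for Qbot post-infection behaviour over constructed Sysmon-style events.
Added example for this page; not code from The DFIR Report or CyberConvoy."""
from __future__ import annotations
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Legitimate processes the article says Qbot injects into.
INJECTION_HOSTS = {"msra.exe", "mobsync.exe"}

# Built-in tools commonly used for host/network enumeration. Remote Assistance
# and Sync Center have no legitimate reason to spawn any of them.
DISCOVERY_TOOLS = {
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe", "arp.exe",
    "nslookup.exe", "netstat.exe", "route.exe", "qwinsta.exe", "ping.exe",
}

# Any value written below this key is a new Defender exclusion (path, process or extension).
DEFENDER_EXCLUSIONS = "\\microsoft\\windows defender\\exclusions\\"
BURST_WINDOW = timedelta(minutes=10)
BURST_MIN_TOOLS = 3


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def classify(event: dict) -> list[str]:
    """Per-event rules. Returns the names of the rules this event matches."""
    hits = []
    if event["EventID"] == 1:
        parent, child = _name(event["ParentImage"]), _name(event["Image"])
        cmd = event.get("CommandLine", "").lower()
        if parent in INJECTION_HOSTS and child in DISCOVERY_TOOLS:
            hits.append(f"discovery_from_injected_host:{parent}->{child}")
        if child == "esentutl.exe" and "webcache" in cmd:
            hits.append("browser_webcache_copy_via_esentutl")
    elif event["EventID"] == 13 and DEFENDER_EXCLUSIONS in event["TargetObject"].lower():
        hits.append("defender_exclusion_added")
    return hits


def find_enumeration_bursts(events: list[dict]) -> list[tuple[str, int, int]]:
    """Correlation rule: one parent (image, pid) launching >= BURST_MIN_TOOLS distinct
    discovery tools within BURST_WINDOW. Returns (parent name, parent pid, tool count)."""
    by_parent: dict[tuple[str, int], list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 1 or _name(ev["Image"]) not in DISCOVERY_TOOLS:
            continue
        key = (_name(ev["ParentImage"]), ev["ParentProcessId"])
        by_parent[key].append((_ts(ev["UtcTime"]), _name(ev["Image"])))
    bursts = []
    for (parent, pid), launches in by_parent.items():
        launches.sort()
        for i, (t0, _) in enumerate(launches):  # slide the window over each start time
            tools = {tool for t, tool in launches[i:] if t - t0 <= BURST_WINDOW}
            if len(tools) >= BURST_MIN_TOOLS:
                bursts.append((parent, pid, len(tools)))
                break
    return bursts


def scan(events: list[dict]) -> dict[str, int]:
    """Run every rule and return {finding: count}."""
    counts: dict[str, int] = defaultdict(int)
    for ev in events:
        for hit in classify(ev):
            counts[hit] += 1
    for parent, pid, n in find_enumeration_bursts(events):
        counts[f"enumeration_burst:{parent}[{pid}]x{n}"] += 1
    return dict(counts)


def _proc(t: str, ppid: int, parent: str, image: str, cmdline: str) -> dict:
    return {"EventID": 1, "UtcTime": t, "ParentProcessId": ppid,
            "ParentImage": parent, "Image": image, "CommandLine": cmdline}


SYS = r"C:\Windows\System32"
# Constructed sample telemetry (not from the report): four discovery commands and an
# esentutl copy under an injected msra.exe, a Defender exclusion, plus two benign events.
SAMPLE_EVENTS = [
    _proc("2022-02-16 14:31:05", 4120, SYS + r"\msra.exe", SYS + r"\whoami.exe", "whoami /all"),
    _proc("2022-02-16 14:31:06", 4120, SYS + r"\msra.exe", SYS + r"\net.exe", "net view /all"),
    _proc("2022-02-16 14:31:09", 4120, SYS + r"\msra.exe", SYS + r"\nltest.exe", "nltest /domain_trusts /all_trusts"),
    _proc("2022-02-16 14:31:12", 4120, SYS + r"\msra.exe", SYS + r"\ipconfig.exe", "ipconfig /all"),
    _proc("2022-02-16 14:40:30", 4120, SYS + r"\msra.exe", SYS + r"\esentutl.exe",
          r'esentutl.exe /r V01 /l "C:\Users\user\AppData\Local\Microsoft\Windows\WebCache"'),
    _proc("2022-02-16 14:02:00", 1788, SYS + r"\cmd.exe", SYS + r"\ping.exe", "ping -n 1 fileserver"),
    _proc("2022-02-16 14:00:00", 900, r"C:\Windows\explorer.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "outlook.exe"),
    {"EventID": 13, "UtcTime": "2022-02-16 14:30:40",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Roaming\loader.dll",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for finding, count in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{count:>2}  {finding}")
```

The parent-child rule is deliberately narrow (only the two injection hosts named on the page) to keep false positives low; in a real environment the burst rule catches the same tradecraft when Qbot picks a different host process, at the cost of needing a tuned allow-list for administrators' scripts that legitimately run several of these tools in sequence. The benign ping.exe under cmd.exe in the sample is there to show that a single discovery tool from an ordinary parent does not fire either rule.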
Detection and prevention
The most effective prevention is stopping this attack at the very beginning, when the user downloads and opens the malicious document. It is very important to have users properly trained and proper security policies in place. Microsoft recently announced that Office will block VBA macros by default in documents downloaded from the internet (files carrying the Mark of the Web): instead of the 'Enable Content' / 'Enable Editing' prompt, the user sees a security-risk notice with no one-click override.
However, adversaries will inevitably find a way around this and develop new vectors for compromise, so detecting the post-infection behaviour described above (process injection, discovery commands, Defender exclusions, credential dumping) remains essential.
We at CyberConvoy are making sure that this or any other kind of attack does not go unnoticed: we continuously map existing and emerging threats and create detection rules for them.
Source: The DFIR Report