Qbot Malware Analysis

Revanth Reddy
4 min read · Dec 6, 2022

Introduction:

Qbot (also known as Qakbot) is a banking trojan that has existed for over a decade. The malware is dynamic and changes its TTPs from day to day. Qakbot is one of the leading banking trojans, and its main purpose is to steal banking credentials.

Qbot malware is commonly delivered through phishing emails. The technique is effective because the email appears to come from a trusted source, which convinces the user that it is legitimate and that it is safe to click a link that downloads a malicious zip file, or to open an HTML attachment with a zip file embedded inside it. We will look in detail at such an HTML attachment and the zip file embedded within it.

Recently the threat actor has been using a tactic in which the user opens a password-protected zip file, and the files inside then lead to the malware itself. The embedded file has been an ISO file, which Windows opens as a folder.

Let's get started.

File SHA-256: f5c16248418a4f1fd8dff438b26b8da7f587b77db9e180a82493bae140893687

In the latest campaign the malware is carried through an HTML attachment (TXRTN_2636021.html); I renamed the file stage1.html. This HTML file has a password-protected zip file inside it.

Source: Trellix. The HTML file renders in the user's browser, showing the password to open the dropped zip file.

HTML smuggling: the payload is hidden inside the HTML file. On opening the file in VS Code, I observed base64-encoded content in the JavaScript section of the HTML file. This base64 content is the zip file, which the script reconstructs and drops onto the device. Searching for "password" in the code reveals the password needed to extract the zip archive.

Base64-encoded zip archive and the archive password

This base64-encoded content can easily be decoded and saved as a zip archive with CyberChef.

Base64 content from the HTML file saved as a zip archive
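The CyberChef step above can be reproduced as a script, which is useful when triaging many HTML attachments. The following Python is an added example and is not code from the article: it builds a small constructed HTML page laid out like the one described (a base64 blob inside a script tag, plus the archive password in the page text), then scans any HTML for base64 runs that decode to the ZIP magic bytes, lists the archive members without extracting them, and pulls out password hints. The sample page is constructed for the example and is not the real TXRTN_2636021.html; the two regular expressions are assumptions about common layouts, not a complete grammar of what a smuggling page can contain.

```python
import base64
import binascii
import io
import re
import zipfile


# Constructed sample page (assumption): a minimal HTML-smuggling document whose
# <script> carries a base64-encoded ZIP archive and states the archive password,
# laid out like the article describes. It is not the real TXRTN_2636021.html.
def build_sample_html() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("2518/payload.iso", b"placeholder ISO bytes (constructed)")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body>\n"
        "<p>Archive password: abc123</p>\n"
        "<script>\n"
        'var password = "abc123";\n'
        f'var data = "{b64}";\n'
        "var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n"
        'var blob = new Blob([bytes], {type: "application/zip"});\n'
        "</script></body></html>\n"
    )


ZIP_MAGIC = b"PK\x03\x04"
# Long runs of the base64 alphabet; short tokens (identifiers, words) are skipped.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# "password: xyz", "password = 'xyz'" and similar. Assumption: this covers the
# common layouts, not every variant a page might use.
PASSWORD_RE = re.compile(r"password\s*[:=]\s*[\"']?([A-Za-z0-9!@#$%^&*_-]{4,})", re.I)


def extract_smuggled_zips(html: str) -> list:
    """Return every base64 blob in the page that decodes to bytes starting with the ZIP magic."""
    found = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long identifier); skip it
        if raw.startswith(ZIP_MAGIC):
            found.append(raw)
    return found


def find_password_hints(html: str) -> list:
    """Collect candidate archive passwords, deduplicated and in order of appearance."""
    seen = []
    for m in PASSWORD_RE.finditer(html):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def list_archive_members(raw: bytes) -> list:
    """List member names without extracting; an ISO or LNK here matches the chain in the article."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    page = build_sample_html()
    for i, blob in enumerate(extract_smuggled_zips(page)):
        with open(f"stage2_{i}.zip", "wb") as fh:  # same role as the article's stage2.zip
            fh.write(blob)
        print(f"stage2_{i}.zip members: {list_archive_members(blob)}")
    print("password hints:", find_password_hints(page))
```

To run it against a real attachment, replace the constructed page with `open("stage1.html").read()`. The magic-byte check matters more than the regex: it rejects the many long base64 strings (fonts, images) that a benign page can carry, so only blobs that are actually archives are written out.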

I saved this zip file as stage2.zip. I unzipped it and found a folder 2518 with an ISO file inside.

ISO file inside the folder 2518

On mounting the ISO, the user sees only the LNK (shortcut) file; the rest of the files are hidden. With "show hidden files" enabled, there are four files inside: the .LNK, two DLL files and calc.exe. 102755 is the Qbot payload.

ISO file contains the DLLs, the LNK file and calc.exe

When the user clicks the shortcut file, it triggers the Qbot infection by executing calc.exe through the command prompt, as shown below.

LNK file triggers calc.exe through the command prompt

Why is the threat actor using the Windows 7 calculator?

DLL sideloading:

DLL sideloading is a technique that abuses the DLL search order: a trusted executable is launched first, and it then loads the malicious payload in place of a DLL it expects to find.

In this analysis the threat actor uses the LNK file as a legitimate-looking file, since the LNK's parameters call the trusted executable (calc.exe). When calc.exe runs, it automatically searches for and attempts to load the legitimate WindowsCodecs DLL. It does not restrict the lookup to fixed hard-coded paths, and will load any DLL file with the same name if it is placed in the same folder as the calc.exe executable.

I clicked calc.exe and saw that nothing happened. Out of curiosity I opened Procmon to see its process activity. I found the clue below, which says it all about DLL sideloading.

calc.exe loads WindowsCodecs.dll
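The Procmon observation above is exactly the signal a detection can key on: a system DLL name being loaded from a path that is not a Windows system directory, and a signed loader such as regsvr32 pulling a DLL from the same kind of location. The following Python is an added example, not code from the article, and it covers both the sideloading explanation and the Procmon clue. It parses a Procmon-style CSV export and applies those two rules. The CSV rows are constructed for the example (the column layout is assumed to mirror Procmon's default CSV export; the drive letter, PIDs and loader.dll name are invented), and the allowlist of system DLL names is a short illustrative one, not an exhaustive list.

```python
import csv
import io
from pathlib import PureWindowsPath


# Constructed Procmon-style CSV export (assumption: mirrors Procmon's default
# CSV columns; the rows are invented for this example, not the article's capture).
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,calc.exe,4120,Load Image,C:\\Windows\\System32\\ntdll.dll,SUCCESS,Image Base: 0x7ff8
10:01:02.101,calc.exe,4120,Load Image,C:\\Windows\\System32\\kernel32.dll,SUCCESS,Image Base: 0x7ff7
10:01:02.105,calc.exe,4120,CreateFile,D:\\WindowsCodecs.dll,SUCCESS,Desired Access: Read
10:01:02.106,calc.exe,4120,Load Image,D:\\WindowsCodecs.dll,SUCCESS,Image Base: 0x7ff6
10:01:02.150,calc.exe,4120,Process Create,C:\\Windows\\System32\\regsvr32.exe,SUCCESS,PID: 4188
10:01:02.200,regsvr32.exe,4188,Load Image,D:\\loader.dll,SUCCESS,Image Base: 0x7ff5
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# DLL names that legitimately live under the system directories (assumption: a
# short illustrative allowlist, not an exhaustive one).
KNOWN_SYSTEM_DLLS = {"windowscodecs.dll", "version.dll", "dwmapi.dll", "uxtheme.dll"}
# Signed Microsoft binaries commonly used to load attacker-supplied DLLs.
LOADER_LOLBINS = {"regsvr32.exe", "rundll32.exe"}


def in_system_dir(path: str) -> bool:
    """True when the path sits under one of the Windows system directories."""
    return path.lower().startswith(SYSTEM_DIRS)


def find_sideload_candidates(csv_text: str) -> list:
    """Flag Load Image events matching either rule; returns (rule, process, pid, path) tuples."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Load Image":
            continue  # only image loads matter here, not the file opens before them
        proc = row["Process Name"].lower()
        path = row["Path"]
        name = PureWindowsPath(path).name.lower()
        if in_system_dir(path):
            continue  # loads from System32/SysWOW64/WinSxS are the expected case
        # Rule 1: a system DLL name loaded from outside the system directories
        # (calc.exe pulling WindowsCodecs.dll from the mounted ISO in the article).
        if name in KNOWN_SYSTEM_DLLS:
            hits.append(("system_dll_outside_system_dir", proc, row["PID"], path))
        # Rule 2: regsvr32/rundll32 loading a DLL that is not in a system directory
        # (the article's WindowsCodecs.dll handing off to regsvr32 for the loader DLL).
        elif proc in LOADER_LOLBINS and name.endswith(".dll"):
            hits.append(("lolbin_loads_nonsystem_dll", proc, row["PID"], path))
    return hits


if __name__ == "__main__":
    for rule, proc, pid, path in find_sideload_candidates(SAMPLE_CSV):
        print(f"{rule}: {proc} (PID {pid}) loaded {path}")
```

Interactively, the same view comes from a Procmon filter of Operation is "Load Image" with Path excludes C:\Windows; the script just makes the rule repeatable over an exported CSV. Rule 1 will also fire on legitimate applications that ship their own copies of common DLLs next to the executable, so in practice it is paired with the process's image path or a signer check rather than used alone.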

What does WindowsCodecs.dll do?

The malware payload checks for Windows Defender emulation by calling the WinAPI GetFileAttributes on "C:\INTERNAL\__empty".

Also, the payload uses the flag SELF_TEST_1, which serves self-debugging purposes to check whether the machine is infected or not.

Entry functions of WindowsCodecs.dll

The local variables are assigned values that look like hex, so I changed their data type to char. As a result, these variables turn out to contain DLL names.

WindowsCodecs.dll checks for a 64/32-bit process using GetEnvironmentVariableW() and GetCurrentProcess()
As observed further, WindowsCodecs.dll leverages regsvr32 via CreateProcessW to load the Qbot loader DLL.

Later, when the Qbot payload executes, it attempts persistence via a scheduled task.

Windows Defender successfully caught the Qbot behaviour during the above execution and blocked further execution.

Thanks for reading my article! Happy hunting.
