QBOT – A HTML Smuggling technique to target victims

QBot (Qakbot/QuackBot/Pinkslipbot) is leveraging a new HTML Smuggling technique to deliver and execute payloads through HTML5/JavaScript-encoded content embedded in HTML attachments, enabling attackers to bypass some network controls. This article details the mechanism, attack flow, persistence, and IOCs observed in QBot’s HTML smuggling chain. #QBot #HTMLSmuggling

Keypoints

  • QBot is using HTML Smuggling to hide and deliver payloads inside HTML files, leveraging encoded content to bypass network filters.
  • HTML Smuggling techniques include using an anchor tag, JavaScript Blob objects, and the embed element to construct and deliver payloads.
  • Opening the HTML attachment decodes embedded data, leading to extraction of a ZIP inside the HTML and subsequent stages of the attack.
  • The attack flow involves a ZIP in HTML, extracting REJ_2975 disk image, executing a “REJ” shortcut to run a reprocesses script, and loading a QBot loader DLL named counteractively.dat.
  • Payloads are injected into wermgr.exe via process hollowing, demonstrating process injection as part of the final stage.
  • QBot uses defense evasion and persistence techniques, including registry-based configuration storage, random folder creation, and loading of dropped DLLs via regsvr32.
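The key points above name the building blocks of the smuggling stage (JavaScript Blob objects, anchor-tag downloads, the embed element, encoded content that decodes to a ZIP). The following scanner is an added example, not code from the Quick Heal write-up: it applies those observations as static heuristics to an HTML attachment and checks whether any long base64 literal decodes to a ZIP archive. The indicator names, weights, score threshold and both sample documents are our own constructions; the "smuggling" fixture carries the indicators but is not a working dropper.

```python
"""Heuristic triage of an HTML attachment for HTML-smuggling indicators.

Added example, not from the article. Indicator names, weights, the
threshold and the sample HTML below are constructed for the demo.
"""
import base64
import io
import re
import zipfile

# Static indicators: (name, weight, regex). Names and weights are assumptions.
INDICATORS = [
    ("blob_object",     2, re.compile(r"new\s+Blob\s*\(", re.I)),
    ("anchor_download", 2, re.compile(r"<a\b[^>]*\sdownload(?=[\s=>])", re.I)),
    ("embed_element",   1, re.compile(r"<embed\b", re.I)),
    ("base64_decode",   1, re.compile(r"\batob\s*\(", re.I)),
    ("object_url",      1, re.compile(r"URL\.createObjectURL\s*\(", re.I)),
    ("ms_save_blob",    2, re.compile(r"\bmsSaveOrOpenBlob\b", re.I)),
]
# A quoted run of 200+ base64 characters; ordinary pages rarely inline one.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a ZIP archive
SUSPICIOUS_SCORE = 4               # threshold is an assumption for the demo


def decode_literals(html: str) -> list:
    """Return the bytes of every long base64 literal that decodes cleanly."""
    decoded = []
    for literal in BASE64_LITERAL.findall(html):
        try:
            decoded.append(base64.b64decode(literal, validate=True))
        except ValueError:     # binascii.Error is a ValueError subclass
            continue
    return decoded


def scan_html(html: str) -> dict:
    """Score one HTML document and return the evidence behind the verdict."""
    hits = [(name, w) for name, w, rx in INDICATORS if rx.search(html)]
    score = sum(w for _, w in hits)
    decoded = decode_literals(html)
    embedded_zip = any(d.startswith(ZIP_MAGIC) for d in decoded)
    if embedded_zip:
        score += 3   # a ZIP hidden inside a text literal is the strongest signal
    return {
        "indicators": sorted(name for name, _ in hits),
        "base64_literals": len(decoded),
        "embedded_zip": embedded_zip,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "clean",
    }


def _constructed_zip_b64() -> str:
    """Build a harmless ZIP holding a text file, standing in for the smuggled archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample, not malware\n" * 4)
    return base64.b64encode(buf.getvalue()).decode()


# Constructed fixture: carries the indicators without wiring up a download.
SMUGGLING_SAMPLE = (
    "<html><body>\n"
    '<a id="dl" download="invoice.zip" href="#">Open document</a>\n'
    "<script>\n"
    "  var payload = '" + _constructed_zip_b64() + "';\n"
    "  var bytes = atob(payload);\n"
    "  var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "</script>\n</body></html>\n"
)

# Constructed benign page: a single download link and no encoded content.
BENIGN_SAMPLE = '<html><body><a href="report.pdf" download>Report</a></body></html>'

if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(doc))
```

A single `download` attribute scores below the threshold on purpose: legitimate pages use it, so the verdict depends on the combination of a Blob, a decoder call and a literal that actually decodes to an archive.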

MITRE Techniques

  • [T1566] Phishing – The attack uses HTML attachments to lure victims; “When the victim opens the HTML attachment, it decodes embedded files and saves them locally.”
  • [T1027.006] HTML Smuggling – The attacker smuggles an encoded malicious script or payload inside the HTML attachment and relies on HTML5 and JavaScript to reassemble it on the victim’s machine; “HTML Smuggling is an attack vector in which the attacker smuggles encoded malicious script or payload embedded uniquely. It uses HTML 5 and JavaScript to accomplish its task.”
  • [T1553.005] Mark of the Web bypass – Encoded patterns are used to bypass network filters; “Due to encoded patterns, no malicious content passes through the network, bypassing network filters and firewalls.”
  • [T1574.002] DLL Sideloading – The malware relies on a loader DLL; “Qbot loader DLL” and the final loader file named “counteractively.dat.”
  • [T1055] Process Injection – The payload is injected into a running process; “payload is injected in wermgr.exe via process hollowing.”
  • [T1112] Modify Registry – Persistence/config data is written to the Registry; “encrypted registry keys to the ‘HKCU\Software\Microsoft\[RandomString]’ Hive.”
  • [T1027] Obfuscated Files or Information – Use of encoded/encrypted data to evade detection; “encoded patterns” and obfuscated elements noted in the analysis.
  • [T1218.010] System Binary Proxy Execution: Regsvr32 – Dropped DLLs are loaded via Regsvr32; “Folder Creation and Dropped DLLs are loaded via regsvr32.exe.”
  • [T1010] Application Window Discovery – The malware performs checks on system windows/defenses; “QBot checking Windows Defender.”
  • [T1082] System Information Discovery – The analysis references loader information, indicating collection of system info to tailor execution; “QBot loader information.”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication uses web protocols; “C2 Communication IPs” indicating web-based C2 traffic.
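The T1218.010, T1055 and T1574.002 entries above describe the post-extraction stage: a loader with a .dat extension is registered through regsvr32.exe, and the payload is hollowed into wermgr.exe. The following rules are an added example, not code from the Quick Heal write-up; they turn those three statements into checks over Sysmon-style process-creation events. The expected-parent list, the "normal" module extensions, the user-writable path fragments, and every event record (paths, folder name, user name) are constructed for the demonstration.

```python
"""Detection rules for the regsvr32 / wermgr.exe stage over process-creation events.

Added example, not from the article. Extension list, path fragments, expected
parents and all event records are constructed assumptions for the demo.
"""
import re

# Extensions regsvr32 is normally asked to register (assumption for the rule).
MODULE_EXTENSIONS = {".dll", ".ocx", ".ax", ".cpl"}
# Path fragments treated as user-writable; tune to the estate.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Parents from which wermgr.exe is normally started (assumption).
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "werfault.exe"}


def _tokens(command_line: str) -> list:
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty list = nothing seen)."""
    alerts = []
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])

    if image == "regsvr32.exe":
        # Every non-switch argument after the binary is a candidate module path.
        args = [t for t in _tokens(event["CommandLine"])[1:] if not t.startswith("/")]
        for module in args:
            name = _basename(module)
            ext = name[name.rfind("."):] if "." in name else ""
            if ext not in MODULE_EXTENSIONS:          # e.g. a .dat "DLL"
                alerts.append("regsvr32_nondll_module")
            if any(frag in module.lower() for frag in USER_WRITABLE):
                alerts.append("regsvr32_user_writable_path")

    # Process hollowing starts its own wermgr.exe, so the parent is the tell.
    if image == "wermgr.exe" and parent not in EXPECTED_WERMGR_PARENTS:
        alerts.append("wermgr_unexpected_parent")

    return alerts


def triage(events: list) -> list:
    """Return (index, alerts) for each event that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        alerts = evaluate(event)
        if alerts:
            results.append((i, alerts))
    return results


# Constructed Sysmon Event ID 1-style records; none are real telemetry.
EVENTS = [
    {   # benign: vendor installer registering a COM DLL under Program Files
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {   # benign: Windows Error Reporting starting wermgr.exe from its service host
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\wermgr.exe",
        "CommandLine": r"C:\Windows\System32\wermgr.exe -upload"},
    {   # suspicious: loader with a .dat extension registered from a random profile folder
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\qz81tm\counteractively.dat"},
    {   # suspicious: wermgr.exe spawned by regsvr32.exe, consistent with hollowing
        "ParentImage": r"C:\Windows\System32\regsvr32.exe",
        "Image": r"C:\Windows\System32\wermgr.exe",
        "CommandLine": r"C:\Windows\System32\wermgr.exe"},
]

if __name__ == "__main__":
    for index, alerts in triage(EVENTS):
        print(index, EVENTS[index]["CommandLine"], "->", ", ".join(alerts))
```

The two regsvr32 rules fire independently, so a .dll dropped into a user profile or a .dat registered from Program Files still produces one alert each; the parent check on wermgr.exe does not depend on the regsvr32 rules and catches the hollowing step even when the loader stage was missed.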

Indicators of Compromise

  • [MD5] HTML attachment – 6783003a0737331c66a0b8fc0a35754d, and 2 more hashes (detected as HTML.QBot.47153)
  • [MD5] QBot loader DLL – 52EC63A6F7F089862E648112FE8E9F1D
  • [File name] – REJ_2975 disk image file and counteractively.dat loader
  • [Process] – wermgr.exe (payload injection target)
  • [Registry] – HKCU\Software\Microsoft\[RandomString] (encrypted registry keys)
  • [URL] – C2 / download hosts – http://156.221.50.70:995, http://190.26.159.108:995, and 20 more URLs

Read more: https://blogs.quickheal.com/qbot-a-html-smuggling-technique-to-target-victims/