Qbot (QakBot) infections surged in 2022, and Trellix SecOps documents the delivery vectors the malware keeps changing to outpace defenses, along with the detection strategies that counter them. The post details Qbot’s infection chain, MITRE technique mappings, IOCs, and Trellix detection/hunting guidance to help defenders protect networks against this threat. #Qbot #QakBot #HTMLSmuggling #DLLSideLoading #LNK #Regsvr32 #Explorer #Wermgr

Key points

  • Qbot has been active since 2008 and continues to evolve its techniques to evade detection.
  • Malspam email campaigns with HTML attachments delivering a password-protected ISO are now a major infection vector.
  • HTML smuggling hides a payload inside HTML and uses a long base64-encoded variable to assemble and drop a ZIP/ISO payload.
  • Multi-stage delivery uses DLL side-loading (WindowsCodecs.dll) and regsvr32 to load the Qbot loader, followed by process injection into explorer.exe/wermgr.exe.
  • Persistence relies on registry modifications and scheduled tasks to launch the loader DLL (102755.dll).
  • C2 communications originate from the injected process and go to hardcoded IPs; after a successful infection the bot POSTs victim fingerprint data back to the C2.
  • Trellix provides detections, Sigma rules, and hunting queries to surface Qbot indicators across products.
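
As an added illustration of the chain summarized above (an example written for this summary, not Trellix's detections or Sigma rules), the Python below runs three checks over constructed Sysmon-style events: WindowsCodecs.dll loaded from outside System32, regsvr32 registering a DLL from an untrusted path, and a burst of discovery tools spawned by explorer.exe. The event shape, field names and thresholds are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not real telemetry): "image_load" = DLL loaded, "proc_create" = process start.
EVENTS = [
    {"kind": "image_load", "ts": 1, "image": r"C:\Windows\System32\calc.exe",
     "loaded": r"D:\WindowsCodecs.dll"},                       # crafted DLL from the mounted ISO
    {"kind": "proc_create", "ts": 2, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\calc.exe", "cmdline": r"regsvr32 D:\102755.dll"},
    {"kind": "proc_create", "ts": 3, "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "whoami /all"},
    {"kind": "proc_create", "ts": 4, "image": r"C:\Windows\System32\ARP.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "arp -a"},
    {"kind": "proc_create", "ts": 5, "image": r"C:\Windows\System32\nltest.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "nltest /domain_trusts"},
    # benign noise: the genuine codec DLL loaded from System32 must not fire the side-load rule
    {"kind": "image_load", "ts": 6, "image": r"C:\Windows\System32\mspaint.exe",
     "loaded": r"C:\Windows\System32\WindowsCodecs.dll"},
]
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_DLL_DIRS = SYSTEM_DIRS + (r"c:\program files",)
DISCOVERY = {"whoami.exe", "arp.exe", "ipconfig.exe", "net.exe", "net1.exe", "nslookup.exe",
             "nltest.exe", "route.exe", "netstat.exe", "qwinsta.exe"}

def base(path):
    return ntpath.basename(path).lower()

def detect(events, window=60, min_tools=3):
    hits, by_parent = [], defaultdict(list)
    for e in events:
        if e["kind"] == "image_load":
            # Side-load: a DLL named like the codec library loaded from outside System32/SysWOW64
            if base(e["loaded"]) == "windowscodecs.dll" and \
                    ntpath.dirname(e["loaded"]).lower() not in SYSTEM_DIRS:
                hits.append(("dll_sideload_windowscodecs", e["ts"]))
            continue
        cmd = e["cmdline"].lower()
        # Loader: regsvr32 registering a DLL that lives outside the trusted directories
        if base(e["image"]) == "regsvr32.exe" and ".dll" in cmd and \
                not any(d in cmd for d in TRUSTED_DLL_DIRS):
            hits.append(("regsvr32_loader_from_nonstandard_path", e["ts"]))
        if base(e["image"]) in DISCOVERY and base(e["parent"]) == "explorer.exe":
            by_parent[e["parent"]].append((e["ts"], base(e["image"])))
    # Discovery burst: at least min_tools distinct recon tools under explorer.exe within `window` seconds
    for runs in by_parent.values():
        runs.sort()
        for t0, _ in runs:
            if len({b for t, b in runs if t0 <= t <= t0 + window}) >= min_tools:
                hits.append(("explorer_discovery_burst", t0))
                break
    return hits
```

In real Sysmon telemetry the two shapes correspond to Event ID 7 (image load) and Event ID 1 (process creation); the 60-second window and three-tool threshold are starting points to tune against a local baseline.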

MITRE Techniques

  • [T1566] Initial Access – Phishing – “Malicious email with an html attachment.”
  • [T1027.006] HTML Smuggling – “The .html file opens in a browser and uses HTML Smuggling to drop an embedded .ZIP file to the hard drive.”
  • [T1553.005] Mark-of-the-Web Bypass – “Password-protected zipped file which contains an .ISO image.”
  • [T1204.002] User Execution – “User executed malicious Windows Shortcut, which executes calc.exe from mounted ISO image.”
  • [T1574.002] DLL Side-Loading – “calc.exe loads adversary crafted WindowsCodecs DLL.”
  • [T1218] Signed Binary Proxy Execution – “RegSvr32.exe (Qbot loader DLL) spawns and injects Explorer.”
  • [T1055] Process Injection – “Regsvr32.exe spawns and injects Explorer. (Recent versions have been seen injecting into explorer.exe, wermgr.exe, msra.exe, etc.)”
  • [T1053] Scheduled Task – “Explorer creates scheduled task.”
  • [T1112] Modify Registry – “Registry entries are encrypted using a system-dependent password hash, config IDs, etc., which upon decrypting reveals the BotID/Campaign ID, time of the infection, DLL loader path, etc.”
  • [T1082] System Information Discovery – “Explorer.exe spawns whoami, arp, ipconfig, net view, cmd, nslookup, nltest, net share, route, netstat, net localgroup, qwinsta and other discovery activities via WMI queries.”
  • [T1071.001] Web Protocols – “Calling home: C2 communications… pings every IP in the C2 list and posts victim fingerprinting data.”

Indicators of Compromise

  • [File] context – TXRTN_2636021.html, TXRTN_2636021.iso, WindowsCodecs.dll, 102755.dll, zhujpga.dll/mfvffncbov.dll (cloned dlls) – File names and associated hashes are listed in the Appendix IOCs.
  • [Network] C2/Delivery IPs – 94.59.15.56:2222, 190.252.242.69:443 (and other listed IPs/hosts) – Hardcoded C2 list used by the malware.

Read more: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html