QBot banker delivered through business correspondence

MITRE Techniques

• [T1566.001] Spearphishing Attachment – The QBot delivery scheme begins with an e-mail letter with a PDF file in the attachment being sent. “The QBot malware delivery scheme begins with an e-mail letter with a PDF file in the attachment being sent.”
• [T1204] User Execution – Such letters urge the addressee under a plausible pretext to open an enclosed PDF file. “Such simulated business correspondence can obstruct spam tracking while increasing the probability of the victim falling for the trick.”
• [T1027] Obfuscated/Compressed Files and Information – In the downloaded archive there is a .wsf file containing an obfuscated script written in JScript. “In the downloaded archive there is a .wsf (Windows Script File) file containing an obfuscated script written in JScript.”
• [T1059.001] PowerShell – The WSF file reveals a PowerShell script encoded into a Base64 line, which is later decoded and executed. “After the WSF file is deobfuscated its true payload gets revealed: a PowerShell script encoded into a Base64 line.”
• [T1105] Ingress Tool Transfer – The PowerShell script will try to download the DLL from remote servers. “The PowerShell script will try in succession to download the file from each one of the URLs listed in the code.”
• [T1218.011] Signed Binary Proxy Execution: Rundll32 – The downloaded library is run with the help of rundll32. “The downloaded library is the Trojan known as QBot … run with the help of rundll32.”
• [T1021] Remote Services / Lateral Movement – The bot can download additional malware like Cobalt Strike to spread through the corporate network. “depending on the value of the victim, additional malware can be downloaded locally, such as CobaltStrike (to spread the infection through the corporate network) or various ransomware.”