Qbot (QakBot) campaigns spread rapidly by delivering a malicious Excel macro that loads a QBot DLL, then injects into msra.exe to harvest browser data and Outlook emails. The operation escalates privileges, moves laterally across all workstations, and uses multi-port SSL-based C2 with defensive evasion such as Defender exclusions.
#Qbot #QakBot #MSRA #LSASS #Outlook #ExcelMacro
Keypoints
- Malspam delivered an Excel (xls) document that dropped the initial Qbot loader, likely via hidden macros.
- Qbot executed the loader and injected into msra.exe, enabling further actions on the beachhead system.
- A scheduled task was created to escalate privileges to SYSTEM, run only once, and facilitate persistence.
- Qbot moved laterally to adjacent workstations by copying a DLL and remotely creating services; servers were not targeted.
- Credential access was attempted by reading LSASS memory, with API calls from injected processes to LSASS.
- Data collection included browser data and Outlook emails, followed by exfiltration and deletion of local email storage.
- Defense evasion included Windows Defender exclusions and deletion of dropped DLLs after injection.
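The keypoints above describe a chain of host-side behaviours that each leave a distinct telemetry footprint: an Office process launching a DLL loader, msra.exe (a Remote Assistance binary that normally spawns nothing) creating a scheduled task and running esentutl.exe, a Defender exclusion written to the registry, a handle to LSASS opened from the injected process, and a service installed to run a copied DLL. The following is an added example, not code from The DFIR Report or from Qbot; it runs simple rules for each of those behaviours over constructed Sysmon-style events. The field names mimic Sysmon's, but every record, path, user name and command line is made up; only the DLL file names come from the page's IoC list, and the regsvr32/rundll32 loader pattern is an assumption about how the dropped DLL is executed.

```python
"""Host-side detection of the Qbot tradecraft summarised in the keypoints.

Added example, not code from The DFIR Report or from Qbot. It runs a handful
of rules over constructed Sysmon-style events (plain dicts; the field names
mimic Sysmon's but every record below is made up) and returns which rules
fired on which event. Process images, command lines and registry paths are
assumptions chosen to resemble the behaviours the page describes.
"""
import ntpath

INJECTED_HOST = "msra.exe"                       # page: Qbot injected into msra.exe
OFFICE_APPS = {"excel.exe", "winword.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}   # assumption: how the dropped DLL is run
# Defender exclusion writes land under this key (path fragment, lower-cased)
DEFENDER_EXCLUSIONS = "\\microsoft\\windows defender\\exclusions\\"

# Constructed sample telemetry. Only qbbwlwjmlmnaggd.dll and ocrafh.html.dll
# come from the page's IoC list; every path, user and parent below is invented.
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"regsvr32.exe -s C:\Users\alice\AppData\Roaming\ocrafh.html.dll"},
    {"kind": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\msra.exe",
     "cmdline": r'schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /TN Upd /SC ONCE /ST 12:34 '
                r'/TR "regsvr32.exe -s C:\Users\alice\AppData\Roaming\ocrafh.html.dll"'},
    {"kind": "registry_set", "image": r"C:\Windows\System32\msra.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
               r"\C:\Users\alice\AppData\Roaming\Microsoft\Tbxqxu"},
    {"kind": "process_create", "image": r"C:\Windows\System32\esentutl.exe",
     "parent": r"C:\Windows\System32\msra.exe",
     "cmdline": r"esentutl.exe /r V01 /l C:\Users\alice\AppData\Local\Microsoft\Windows\WebCache"},
    {"kind": "process_access", "source": r"C:\Windows\System32\msra.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"kind": "service_install",
     "image_path": r"rundll32.exe C:\Windows\qbbwlwjmlmnaggd.dll,DllRegisterServer"},
    # benign control record: should not fire anything
    {"kind": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def _base(path):
    """File name of a Windows path, lower-cased, for case-insensitive matching."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_name, event_index) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["kind"]
        if kind == "process_create":
            img, parent = _base(ev["image"]), _base(ev["parent"])
            cmd = ev["cmdline"].lower()
            # T1566.001 -> loader: Office app launching a DLL through regsvr32/rundll32
            if parent in OFFICE_APPS and img in DLL_LOADERS and ".dll" in cmd:
                hits.append(("office_spawns_dll_loader", i))
            # T1053.005: the Remote Assistance binary has no business creating tasks
            if parent == INJECTED_HOST and img == "schtasks.exe" and "/create" in cmd:
                hits.append(("msra_creates_scheduled_task", i))
            # T1555.003: esentutl copying ESE databases (browser WebCache) from msra.exe
            if parent == INJECTED_HOST and img == "esentutl.exe":
                hits.append(("msra_spawns_esentutl", i))
        elif kind == "registry_set" and DEFENDER_EXCLUSIONS in ev["target"].lower():
            hits.append(("defender_exclusion_added", i))        # T1562.001
        elif kind == "process_access":
            if _base(ev["target"]) == "lsass.exe" and _base(ev["source"]) == INJECTED_HOST:
                hits.append(("lsass_access_from_msra", i))      # T1003.001
        elif kind == "service_install":
            image_path = ev["image_path"].lower()
            if "rundll32" in image_path and ".dll" in image_path:
                hits.append(("service_runs_dll", i))            # remote service creation
    return hits


def rules_fired(events):
    """Sorted, de-duplicated rule names, handy for a quick triage summary."""
    return sorted({rule for rule, _ in detect(events)})


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:<28} event #{idx}: {SAMPLE_EVENTS[idx]['kind']}")
```

In production these rules would be keyed on Sysmon event IDs (1, 13, 10) and the System log's service-install event rather than a `kind` string, and the msra.exe parent check should be generalised to any process the loader is known to inject into; the point is that each stage in the keypoints is observable on its own, so an alert on any one of them gives an analyst a pivot into the rest of the chain.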
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The initial access was delivered via an Excel (xls) document in a malspam campaign. Quote: “We assess with medium to high confidence that a malicious email campaign was used to deliver an Excel (xls) document.”
- [T1053.005] Scheduled Task – A scheduled task was created to escalate to SYSTEM privileges, run by msra.exe, and set to run once. Quote: “A scheduled task was created by Qbot to escalate to SYSTEM privileges. This scheduled task was created by the msra.exe process, to be run only once, a few minutes after its creation.”
- [T1055] Process Injection – The QBot DLL loader was executed and shortly after injected into msra.exe. Quote: “The QBot dll was executed on the system and shortly after, injected into the msra.exe process.”
- [T1562.001] Impair Defenses – Windows Defender exclusions were added to prevent detection of the dropped DLL. Quote: “Multiple folders were added to the Windows Defender Exclusions list in order to prevent the Qbot dll placed inside of it from being detected.”
- [T1003.001] LSASS Memory – LSASS was accessed to obtain credentials from memory. Quote: “LSASS was accessed by Qbot, with the intention of accessing credentials.”
- [T1114] Email Collection – Qbot collects emails (Outlook) as part of data collection. Quote: “Collection of browser data from Internet Explorer and Microsoft Edge was also observed with Qbot using the built-in utility esentutl.exe.” (also noted: “Qbot is widely known to steal emails…”)
- [T1555.003] Credentials from Web Browsers – Browser data collection observed. Quote: “Collection of browser data from Internet Explorer and Microsoft Edge was also observed with Qbot…”
- [T1049] System Network Connections Discovery – Lateral movement and network connections observed across hosts. Quote: “The lateral movement activity from the beachhead host was rapid and connections were seen across all workstations in the network.”
- [T1016] System Network Configuration Discovery – Discovery commands observed on beachhead and compromised hosts (e.g., ipconfig, arp). Quote: “The following discovery commands were observed coming from the Qbot processes.”
- [T1135] Network Share Discovery – Lateral movement involved copying DLLs to other machines and remotely creating services (implies discovery of network resources). Quote: “by copying a dll to the machine and then remotely creating a service…”
- [T1043] Commonly Used Port – C2 connections were seen on many ports, most often 443, 995 and 2222, with a long tail of others. Quote (the report's Count/Port table, flattened in extraction; each pair is count then port): 88 on 443; 25 on 995; 17 on 2222; 3 on 2078; 2 on 465; 2 on 20; 1 each on 993, 61201, 50010, 32100, 21 and 1194.
- [T1071.001] Web Protocols – C2 over SSL across multiple ports, not solely port 443. Quote: “Qbot uses SSL in its C2 communication but does not rely solely on port 443 for communication…”
- [T1041] Exfiltration Over C2 Channel – Data exfiltrated could be used for further attacks or sold. Quote: “The data exfiltrated from the network could be used to conduct further attacks or sold to 3rd parties.”
Indicators of Compromise
- [Network] Observed C2 endpoints and ports – 120.150.218.241:995, 71.74.12.34:443, and 24.229.150.54:995
- [Network] Additional C2 endpoints/ports – 185.250.148.74:443, 136.232.34.70:443, and 82.77.137.101:995
- [File] Dropped payloads and DLLs – ocrafh.html.dll, qbbwlwjmlmnaggd.dll, and 2 more hashes
- [File] Email storage artifacts – EmailStorage__, EmailStorage__ (two variants shown)
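The T1043/T1071.001 entries above and this IoC list describe the network side of the same intrusion: a per-port count of C2 sessions and a short list of C2 endpoints. The following is an added example, not code from The DFIR Report; it rebuilds the count-per-port view from connection records, matches destinations against the page's C2 addresses, and flags TLS sessions on ports other than 443, which is the property the report calls out. The C2 IP:port pairs are taken verbatim from the IoC list; the connection records are constructed (Zeek-like fields: source host, destination IP, destination port, protocol label), and the 203.0.113.0/24 destinations are documentation addresses standing in for ordinary traffic.

```python
"""Network-side triage for the Qbot C2 profile on this page.

Added example, not code from The DFIR Report. The C2 IP:port pairs come from
the page's IoC list; the connection records are constructed and the
203.0.113.0/24 destinations are documentation addresses, not real hosts.
"""
from collections import Counter

# IoCs exactly as listed on the page
C2_IOCS = ["120.150.218.241:995", "71.74.12.34:443", "24.229.150.54:995",
           "185.250.148.74:443", "136.232.34.70:443", "82.77.137.101:995"]
C2_IPS = {entry.split(":")[0] for entry in C2_IOCS}

# Constructed sample connections (not from the report)
SAMPLE_CONNS = [
    {"src": "10.1.1.20", "dst": "71.74.12.34",     "dport": 443,  "proto": "tls"},
    {"src": "10.1.1.20", "dst": "120.150.218.241", "dport": 995,  "proto": "tls"},
    {"src": "10.1.1.21", "dst": "24.229.150.54",   "dport": 995,  "proto": "tls"},
    {"src": "10.1.1.21", "dst": "185.250.148.74",  "dport": 443,  "proto": "tls"},
    {"src": "10.1.1.22", "dst": "203.0.113.10",    "dport": 2222, "proto": "tls"},
    {"src": "10.1.1.22", "dst": "203.0.113.10",    "dport": 443,  "proto": "tls"},
    {"src": "10.1.1.20", "dst": "82.77.137.101",   "dport": 995,  "proto": "tls"},
    {"src": "10.1.1.23", "dst": "203.0.113.20",    "dport": 80,   "proto": "http"},
]


def port_profile(conns):
    """(port, count) pairs, most frequent first: the shape of the report's Count/Port table."""
    counts = Counter(c["dport"] for c in conns)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def ioc_matches(conns):
    """Indexes of connections whose destination is a listed C2 address."""
    return [i for i, c in enumerate(conns) if c["dst"] in C2_IPS]


def tls_off_443(conns):
    """Indexes of TLS sessions on ports other than 443 (page: Qbot does not rely solely on 443)."""
    return [i for i, c in enumerate(conns) if c["proto"] == "tls" and c["dport"] != 443]


def hosts_to_investigate(conns):
    """Internal hosts that either talked to a known C2 or used TLS off port 443."""
    flagged = set(ioc_matches(conns)) | set(tls_off_443(conns))
    return sorted({conns[i]["src"] for i in flagged})


if __name__ == "__main__":
    print("Count  Port")
    for port, count in port_profile(SAMPLE_CONNS):
        print(f"{count:<6} {port}")
    print("IoC hits:", ioc_matches(SAMPLE_CONNS))
    print("TLS off 443:", tls_off_443(SAMPLE_CONNS))
    print("Investigate:", hosts_to_investigate(SAMPLE_CONNS))
```

The IoC match is the high-confidence signal but ages quickly as C2 infrastructure rotates; the TLS-off-443 check is the behavioural one that survives infrastructure changes, at the cost of needing an allow-list for legitimate services on 993/995 and similar ports. The `proto` label assumes an upstream sensor (Zeek's ssl.log, for instance) has already identified the session as TLS rather than trusting the port number.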
Read more: https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/