QBot returns with new TTPS – Detection & Response – Security Investigation

QBot (QakBot) is a long-standing banking trojan that steals credentials and is spread via spam emails with macro-enabled Office documents. The article highlights two recent distribution methods (XLSB with hidden payload sheets and XLTM macro templates), details payload concealment techniques, and outlines detection/response approaches. #QBot #regsvr32

Keypoints

  • QBot is a banking trojan that aims to steal banking credentials and other sensitive data.
  • Infection primarily starts with spam emails containing Excel documents or password-protected archives with macros.
  • Two new distribution techniques are discussed: XLSB with hidden sheets carrying payloads and XLTM macro-enabled templates.
  • Payloads use unusual extensions (e.g., .ooooccccxxxx) and have historically used .ocx or .dll extensions.
  • Post-infection actions include information collection, scheduled tasks, credential harvesting/dumping, password theft, web injects, password brute-forcing, registry persistence, replication, and process injection.
  • The article maps QBot’s behavior to MITRE ATT&CK tactics/techniques (Initial Access, Execution, Persistence, etc.).
  • Detection and response coverage includes multiple security platforms with indicators such as Excel + regsvr32.exe usage and specific payload/cmdline patterns.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Used to deliver QBot via Office documents in spam emails. Quote: “Generally, QBot infects its victims by initial infection vectors of spam emails. This kind of email contains Microsoft Office documents (Excel) or sometimes with password-protected archives format attachments.”
  • [T1566.002] Spearphishing Link – Part of spearphishing approach described as initial infection vectors via spam emails. Quote: “Generally, Qbot infects its victims by initial infection vectors of spam emails. This kind of email contains Microsoft Office documents (Excel) or sometimes with password-protected archives format attachments.”
  • [T1027] Obfuscated Files or Information – Payloads are stored within hidden sheets and require unhiding to view contents. Quote: “Here, the Sheets are in hidden mode, and we need to unhide them to see the contents embedded in the Sheets.”
  • [T1059.005] Visual Basic – Macros in documents are used to execute the payload. Quote: “Usually, the document contains macros, and the victims are tricked to enable the content to perform the action.”
  • [T1204.002] Malicious File – Payload executes after the user enables content. Quote: “Once the user enabled the content, then the payload files will execute.”
  • [T1053.005] Scheduled Task – Creation of scheduled tasks for persistence/privilege escalation. Quote: “Creating scheduled tasks (privilege escalation and persistence).”
  • [T1547.001] Registry Run Keys / Startup Folder – Registry-based persistence mechanism. Quote: “Registry Run Keys / Startup Folder.”
  • [TA0005] Defense Evasion (general cluster) / [T1027.002] Software Packing – Techniques used to evade detection. Quote: “Defense Evasion … T1027.002 – Software Packing.”
  • [T1055] Process Injection – Concealing malicious actions via process injection. Quote: “Process injection to conceal the malicious action.”
  • [T1055.012] Process Hollowing – Advanced process injection technique used by the malware. Quote: “Process Hollowing.”
  • [T1497.001] System Checks – The malware performs system checks as part of its defense/evasion. Quote: “System Checks.”
  • [T1003] OS Credential Dumping – Credentials may be dumped from the system. Quote: “Credential dumping (.exe access).”
  • [T1110.001] Password Guessing – Brute-forcing passwords as part of credential access. Quote: “Password brute-forcing.”
  • [T1555.003] Credentials from Web Browsers – Harvesting credentials from browsers. Quote: “Credentials from Web Browsers.”
  • [TA0007] Discovery / [T1016] System Network Configuration Discovery – Discovery of the host/network configuration. Quote: “Discovery: T1016 – System Network Configuration Discovery.”
  • [T1071.001] Web Protocols – Command-and-control via web protocols. Quote: “C&C Server” (Web Protocols).
  • [T1090] Proxy / [T1090.002] External Proxy – Use of proxies for C2 or obfuscation. Quote: “Proxy” / “External Proxy.”

Indicators of Compromise

  • [File Extension] – Extensions used for QBot payload files and seen in the regsvr32 command lines: .ooooccccxxxx, .ocx, .dll
  • [Process] – Excel-related processes invoking regsvr32.exe: excel.exe, regsvr32.exe
  • [Command Line] – Obfuscated payload indicators in command lines: .OOOCCCXXX, .OOOOOCCCCCXXXXX, .dddlllxxx
  • [Registry Keys] – Registry Run Keys / Startup Folder as persistence mechanism
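The process and command-line indicators above translate directly into a detection rule: Excel spawning regsvr32.exe, and regsvr32.exe loading a file whose extension is a stretched spelling of .ocx or .dll. The following is an added example (not code from the article or from SOC Investigation) that runs such a rule over a handful of constructed Sysmon-style process-creation events; the field names ParentImage, Image and CommandLine, the sample paths, and the generalised extension regex (runs of o/c/x or d/l/x letters, covering the literal strings quoted on the page) are all assumptions of the example.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style (invented test data,
# not telemetry from the article). The payload names mirror the extensions the page lists.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\Public\Documents\part1.ooooccccxxxx"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 "C:\ProgramData\update.OOOOOCCCCCXXXXX"'},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: normal DLL registration
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\Public\control.dll"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\temp\loader.dddlllxxx"},
]

# Stretched spellings of ".ocx" / ".dll" such as .ooooccccxxxx, .OOOCCCXXX, .dddlllxxx.
# Assumption: generalising the page's literal strings to runs of the same letters.
STRETCHED_EXT = re.compile(r"\.(?:o{2,}c{2,}x{2,}|d{2,}l{2,}x{2,})$", re.IGNORECASE)


def target_file(cmdline):
    """Return the file argument handed to regsvr32: the first token after the binary
    that is not a switch. Quoted tokens (paths with spaces) are handled."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def classify(event):
    """Return (severity, reason) for a suspicious regsvr32 launch, or None if not interesting."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image != "regsvr32.exe":
        return None
    path = target_file(event["CommandLine"]) or ""
    filename = path.rsplit("\\", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    stretched = bool(STRETCHED_EXT.search(ext))
    if parent == "excel.exe" and stretched:
        return ("high", f"Excel spawned regsvr32 loading payload with stretched extension {ext}")
    if parent == "excel.exe":
        # Excel has no legitimate reason to register COM servers; flag even a plain .dll/.ocx.
        return ("medium", f"Excel spawned regsvr32 loading {path or '<no file argument>'}")
    if stretched:
        return ("medium", f"regsvr32 loading file with stretched extension {ext} (parent {parent})")
    return None


def scan(events):
    """Run classify() over a list of events; return [(index, severity, reason), ...]."""
    hits = []
    for i, event in enumerate(events):
        verdict = classify(event)
        if verdict:
            hits.append((i, *verdict))
    return hits


if __name__ == "__main__":
    for idx, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] event {idx}: {reason}")
```

Running the block prints high-severity hits for the two Excel-to-regsvr32 events with stretched extensions, a medium hit for Excel loading a plain .dll, a medium hit for the stretched extension with a cmd.exe parent, and nothing for the explorer.exe registration of msxml3.dll. In a real pipeline the same two checks map onto a Sysmon or EDR query (parent process name plus a regex on the command line), and the "Excel spawned regsvr32 at all" rule is the one worth alerting on even when the payload carries an ordinary extension.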

Read more: https://www.socinvestigation.com/qbot-returns-returns-with-new-ttps-detection-response/