The Re-Emergence of Qbot
After more than a decade in operation, the Qbot Trojan is back in the news. A modified version of the malware which now extracts email threads from Outlook to use in phishing attacks was used in a prominent campaign that ran from March to the end of June. Then this same modified version was used, in some cases, as the payload for the Emotet Trojan campaign in July that may have affected up to 5% of organizations worldwide. Now, Qbot is taking on a life of its own with its malspam campaign launched in August.
First discovered in 2008, Qbot has evolved from a banking Trojan which steals online banking credentials to becoming a “Swiss Army knife” of malware, capable of not only stealing credentials but also distributing ransomware and performing other malicious activity.
This Malware Analysis Spotlight focuses on one of the methods used to deliver Qbot and highlights some interesting features of the delivery process leading to the execution of Qbot. In contrast to commonly used delivery techniques through documents with embedded VBA macros, the payload used in this sample is disguised as properties of different objects. This can bypass static analysis because the referenced properties have to be taken into account to see the full behavior of the macro.
View the VMRay Analyzer Report for Qbot
Analysis of a Qbot Delivery Method
The initial delivery method is using a Word document with an embedded VBA macro. The macro is referencing data hidden inside a forms object also embedded inside the document. From the label embedded in the form, it extracts a Visual Basic script, drops it into a file and executes it by starting explorer.exe with the script as an argument (Figure 1). The tool oledump by Didier Stevens is also capable of extracting information from user forms as has been demonstrated in Maldoc: Payloads in User Forms.
The VBS contains a lot of noise including a variable declaration for errors and messages, and a header claiming the original name of the file is winrm.vbs.
The actual purpose it serves is to write a set of commands into a .cmd file which it then executes. This functionality is located near the middle of the file, surrounded by the previously mentioned noise.
The written cmd script invokes Powershell with commands as arguments, which then downloads the payload from one of the hard-coded domains to “C:\BlotRoots\Loterious.exe and executes it with the standard alias saps (Figure 2).
The VBS contains a lot of noise including a variable declaration for errors and messages, and a header claiming the original name of the file is winrm.vbs.
The actual purpose it serves is to write a set of commands into a .cmd file which it then executes. This functionality is located near the middle of the file, surrounded by the previously mentioned noise.
The written cmd script invokes Powershell with commands as arguments, which then downloads the payload from one of the hard-coded domains to “C:\BlotRoots\Loterious.exe and executes it with the standard alias saps (Figure 2).
The final payload is Qbot. It contains multiple evasion techniques and at this stage, it enumerates over existing processes and compares them against a hard-coded list (Figure 3). Next, it sets a mutex, drops a copy of itself with a random name together with a configuration file into the %AppData% directory and starts 3 new processes. The first one is using current process’s base image but this time uses the parameter “/C”, the second one has the image located in %AppData% as base and takes no parameters, the third one is executing a command which overwrites the Loterios.exe image with calc.exe (Figure 4).
The new process that was started with the “/C” parameter is responsible for the anti-analysis techniques. Just as before it enumerates running processes and compares them to an internal list, it also uses the SetupAPI to enumerate devices and compare them against a hard-coded list. The next check it performs is to verify that none of the currently loaded DLLs is one on his list (Figure 5).
Finally, it verifies that the name of the sample doesn’t contain one of the following strings (Figure 6):
- sample
- mlwr_smpl
- artifact.exe
After the attempts to identify an artificial environment, the final stage is injected into explorer.exe at address 0x28e0000 (Figure 7).
This payload then decrypts one of its resources with the name “307” and loads it at address 0x02AC0000 (Figure 8). This resource is one of the core modules of Qbot. A more detailed analysis of Qbot can be found in Deep Analysis of Qbot Banking Trojan.
Conclusion
In this analysis, we can see that the delivery can be split up into multiple stages, whereby each stage has its own purpose.
However, we can easily follow the path of delivery and observe Qbot’s detection mechanism and its further behavior. The memory dumping ability of VMRay’s Analyzer eases the access to Qbots core modules loaded in memory.
One day after we collected the sample, the payload was either deleted or replaced by putty. This means that opening the document now can result in downloading and executing putty instead of Qbot.
IOCs
Sample
b2946daf21b5a0d9c70f32230f6e511ff4aeb939fc8f9a5d372a67f932483c4d
Payload
37790b6946072ccacb7cf9be694b962deee2c53818449eba20f450389d0cfa4a
Network
hxxp://rijschoolfastandserious[.]nl
hxxp://nanfeiqiaowang[.]com
hxxp://forum[.]insteon[.]com
hxxp://webtest[.]pp[.]ua
hxxp://quoraforum[.]com/
hxxp://quickinsolutions[.]com
hxxp://bronco[.]is
hxxp://studiomascellaro[.]it
hxxp://craniotylla[.]ch
IP Addresses
173.172.205.216
66.25.168.167
201.216.216.245
75.182.220.196
188.25.26.41
213.67.45.195
68.134.181.98
68.190.152.98
75.183.171.155
67.165.206.193
75.170.94.218
73.137.184.213
190.24.177.147
188.173.70.18
216.146.110.68
98.190.24.81
209.137.209.163
189.210.114.157
93.151.180.170
188.26.11.29
186.82.157.66
108.46.145.30
71.197.126.250
175.111.128.234
24.71.28.247
66.26.160.37
71.163.224.206
207.255.161.8
47.153.115.154
72.209.191.27
76.170.77.99
47.153.115.154
100.4.173.223
200.75.136.78
100.37.36.240
93.113.177.152
77.27.173.8
67.170.137.8
108.185.113.12
72.28.255.159
24.37.178.158
207.255.161.8
2.90.92.255
166.62.180.194
103.238.231.40
71.182.142.63
71.56.53.127
35.134.202.234
172.87.134.226
73.227.232.166
190.77.170.197
79.115.145.90
72.240.200.181
72.142.106.198
98.11.125.62
69.123.179.70
187.214.9.138
69.11.247.242
72.214.55.195
189.140.61.205
68.174.15.223
172.78.30.215
68.225.56.31
24.234.86.201
71.80.66.107
96.20.108.17
95.76.185.240
173.173.72.199
188.51.3.210
115.21.224.117
209.182.122.217
70.164.39.91
70.95.118.217
24.116.227.63
98.4.227.199
144.202.48.107
2.7.65.32
178.222.12.162
75.137.239.211
94.59.241.189
73.60.148.209
73.30.244.90
206.51.202.106
70.123.92.175
189.163.82.104
182.185.40.22
36.230.79.179
95.77.144.238
187.163.101.137
95.77.223.148
73.214.248.17
189.130.26.216
66.57.216.53
70.164.37.205
24.44.142.213
159.0.126.131
72.82.15.220
24.122.157.93
207.255.161.8
186.6.197.11
99.231.221.117
188.241.159.208
2.89.74.34
24.46.40.189
68.4.137.211
189.183.72.138
74.73.120.226
86.153.98.126
24.229.150.54
134.228.24.29
151.205.102.42
96.234.20.230
96.232.163.27
208.93.202.49
47.44.217.98
45.32.154.10
98.240.24.57
5.15.65.198
5.193.155.181
80.240.26.178
45.77.215.141
207.246.71.122
67.8.103.21
199.247.16.80
207.246.75.201
49.191.3.234
73.228.1.246
24.139.132.70
76.187.12.181
92.59.35.196
50.244.112.10
108.27.217.44
199.116.241.147
24.201.79.208
217.162.149.212
59.98.248.254
96.41.93.96
50.244.112.106
78.100.229.44
86.182.234.245
71.126.139.251
165.120.230.108
80.195.103.146
89.247.217.163
216.201.162.158
197.210.96.222
117.218.208.239
174.80.7.235
98.26.50.62
199.247.22.145
