Qbot Likes to Move It, Move It
Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following links: Microsoft & Red Canary
In this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an environment, while stealing browser information and emails. While the case is nearly 5 months old, Qbot infections in the past week have followed the same pattern.
Case Summary
We did not observe the initial access for this case but assess with medium to high confidence that a malicious email campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the initial Qbot DLL loader was downloaded and saved to disk. Interestingly, the name of the DLL contained a .html extension to disguise the portable executable nature of the payload. Once executed, the Qbot process creates a scheduled task to elevate itself to system.
Qbot injected into many processes but one favorite in this intrusion, was Microsoft Remote Assistance (msra.exe). Within minutes of landing on the beachhead, a series of discovery commands were executed using Microsoft utilities. Around the same time, LSASS was access by Qbot to collect credentials from memory.
Thirty minutes after initial access, Qbot was observed collecting data from the beachhead host including browser data and emails from Outlook. At around 50 minutes into the infection, the beachhead host copied a Qbot dll to an adjacent workstation, which was then executed by remotely creating a service. Minutes later, the beachhead host did the same thing to another adjacent workstation and then another, and before we knew it, all workstations in the environment were compromised.
Qbot followed it’s normal process on each machine. Servers were not accessed in this intrusion. After this activity, normal beaconing occurred but no further actions on objectives were seen.
Services
We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Qbot, Cobalt Strike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.
We also have artifacts and IOCs available from this case such as memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.
Timeline
Analysis and reporting completed by @iiamaleks
Reviewed by and @MetallicHack & @tas_kmanager
MITRE ATT&CK
Initial Access
We assess with medium to high confidence that the QBot infection was delivered to the system via a malspam campaign through a hidden 4.0 Macro’s in Excel.
We believe this is the xls file that lead to the Qbot infection, due to the overlap in time period, download url, and file name.
Execution
The QBot dll was executed on the system and shortly after, injected into the msra.exe process.
Privilege Escalation
A scheduled task was created by Qbot to escalate to SYSTEM privileges. This scheduled task was created by the msra.exe process, to be run only once, a few minutes after its creation.
"schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn juqpxmakfk /tr "regsvr32.exe -s \"C:\Users\REDACTED\ocrafh.html\"" /SC ONCE /Z /ST 14:20 /ET 14:32
Defense Evasion
QBot was observed injecting into msra.exe process on multiple systems.
Multiple folders were added to the Windows Defender Exclusions list in order to prevent the Qbot dll placed inside of it from being detected. The newly dropped dll was then executed and process injected into msra.exe.
Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.
C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths\" /f /t REG_DWORD /v \"C:\ProgramData\Microsoft\Oweboiqnb\" /d \"0\"
C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /f /t REG_DWORD /v \"C:\ProgramData\Microsoft\Oweboiqnb\" /d \"0\"
dll files dropped by Qbot, were deleted after injection into msra.exe.
Credential Access
LSASS was accessed by Qbot, with the intention of accessing credentials. This can be observed through the Sysmon process access event, indicating the GrantedAccess
value of 0x1410
.
Additional evidence of LSASS access was visible in API calls from Qbot injected processes to LSASS.
Discovery
The following discovery commands where observed coming from the Qbot processes. These commands where executed on the beachhead system along with other workstations compromised through lateral movement.
whoami /all
arp -a
cmd /c set
arp -a
net view /all
ipconfig /all
net view /all
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.REDACTED
route print
net share
net1 localgroup
net localgroup
netstat -nao
Lateral Movement
Qbot moved laterally to all workstations in the environment by copying a dll to the machine and then remotely creating a service to execute the Qbot dll. The services created had the DeleteFlag set causing the service to be removed upon reboot.
The following occurred on each workstation:
The lateral movement activity from the beachhead host was rapid and connections were seen across all workstations in the network. A view from the memory of the beachhead host shows the injected msra process connecting to hosts across the network.
The service creations were also observed via event id 7045 across all hosts.
Collection
Qbot is widely known to steal emails with the intention of collecting information and performing email thread hijacking.
Email data will be collected and stored in 1 of 2 locations.
C:\Users\Username\EmailStorage_ComputerHostname-Username_TimeStamp
C:\Windows\system32\config\systemprofile\EmailStorage_ComputerHostname-Username_TimeStamp
Once exfiltrated from the system this folder is then deleted as seen below
cmd.exe /c rmdir /S /Q "C:\Users\REDACTED\EmailStorage_REDACTED-REDACTED_REDACTED" cmd.exe /c rmdir /S /Q "C:\Windows\system32\config\systemprofile\EmailStorage_REDACTED-REDACTED_REDACTED"
Collection of browser data from Internet Explorer and Microsoft Edge was also observed with Qbot using the built-in utility esentutl.exe.
esentutl.exe /r V01 /l"C:\Users\REDACTED\AppData\Local\Microsoft\Windows\WebCache" /s"C:\Users\REDACTED\AppData\Local\Microsoft\Windows\WebCache" /d"C:\Users\REDACTED\AppData\Local\Microsoft\Windows\WebCache"
Command and Control
Qbot uses a tiered infrastructure, often using other compromised systems as first tier proxy points for establishing a constantly changing list of C2 endpoints. You can review a in-depth analysis of the modules of this malware in this Checkpoint report.
With this type of setup the list of C2 from October 2021, has in large rotated out of use. To keep up to date on current Qbot C2 endpoints you can check out our Threat Feed & All Intel service as we track these changing lists daily.
Qbot does use SSL in it’s C2 communication but does not rely soley on port 443 for communication, in the case investigated here the following ports were found in the extracted C2 configuration.
Count Port
88 443
25 995
17 2222
3 2078
2 465
2 20
1 993
1 61201
1 50010
1 32100
1 21
1 1194
Qbot uses SSL and while the domains do not resolve, they follow a pattern and are detectable with several Suricata ETPRO signatures.
Qbot JA3/S:
JA3: 72a589da586844d7f0818ce684948eea, c35a61411ee5bdf666b4d64b05c29e64
JA3s: 7c02dbae662670040c7af9bd15fb7e2f
Impact
The final actions of the threat actor were not observed, however, the data exfiltrated from the network could be used to conduct further attacks or sold to 3rd parties.
IOCs
Network
120.150.218.241:995
71.74.12.34:443
24.229.150.54:995
185.250.148.74:443
136.232.34.70:443
82.77.137.101:995
75.188.35.168:443
72.252.201.69:443
109.12.111.14:443
68.204.7.158:443
196.218.227.241:995
27.223.92.142:995
76.25.142.196:443
73.151.236.31:443
185.250.148.74:2222
173.21.10.71:2222
189.210.115.207:443
105.198.236.99:443
47.22.148.6:443
24.55.112.61:443
24.139.72.117:443
45.46.53.140:2222
92.59.35.196:2222
95.77.223.148:443
68.186.192.69:443
89.101.97.139:443
173.25.166.81:443
140.82.49.12:443
File
ocrafh.html.dll
2897721785645ad5b2a8fb524ed650c0
d836fa75f0682b4c393418231aefca97169d551e
956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85
qbbwlwjmlmnaggd.dll
e0fafe1b4eb787444ed457dbf05895a4
16b5b1494e211b74e97d9f35ff5a994f70411f2e
9f6e3b0b18f994950b40076d1386b4da4ce0f1f973b129b32b363aac4a678631
hyietnrfrx.uit
b6ed9b2819915c2b57d4c58e37c08ba4
e9ff9b7e144bdad9d8955f4a328f7b6daa2b455e
70a49561f39bb362a2ef79db15e326812912c17d6e6eb38ef40343a95409a19a
znmxbx.evj
2a8cf6154e6a129ffd07a501bbc0b098
304d8e812a8d988e21af8a865d8dd577dc6f3134
e510566244a899d6a427c1648e680a2310c170a5f25aff53b15d8de52ca11767
zsokarzi.xpq
43660d21bfa1431e0ee3426cd12ddf38
5d3b7e0c05e65aa0dfc8b5e48142d782352e36be
cbfc135bff84d63c4a0ccb5102cfa17d8c9bf297079f3b2f1371dafcbefea77c
tuawktso.vbe
ad413cd422c1a0355163618683e936a0
5fca07dfc68a13b3707636440d5c416e56149357
1411250eb56c55e274fbcf0741bbd3b5c917167d153779c7d8041ab2627ef95f
jtrbde.dll
5dd964c8d9025224eb658f96034babea
6c526a28ed49b2ef83548e20a71610877e69d450
3d913a4ba5c4f7810ec6b418d7a07b6207b60e740dde8aed3e2df9ddf1caab27
rzmulxiilw.dll
000df43b256cdc27bb22870919bb1dfa
f94d5bf14dee6a6e8db957d49c259082dd82350b
ca564c6702d5e653ed8421349f4d37795d944793a3dbd1bb3c5dbc5732f1b798
ljncxcwmsg.gjf
88834d17d2cdce884a73e38638a4e0dd
b5b264d00a7d6d6b3dd4965dbe2bd00e0823ba6c
c789bb45cacf0de1720e707f9edd73b4ed0edc958b3ce2d8f0ad5d4a7596923a
Detections
Network
ETPRO TROJAN Observed Qbot Style SSL Certificate
ETPRO TROJAN Possible Qbot SSL Cert
ET POLICY PE EXE or DLL Windows file download HTTP
Sigma
title: QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line id: 33d9c3f4-57a6-4ddb-a2a0-b2ccf8482607 status: test description: Detects the process creation from Scheduled Task with REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line author: tas_kmanager, TheDFIRReport references:https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ date: 2022/02/06 modified: 2022/02/06 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - 'schtasks.exe' - 'regsvr32.exe -s' - 'SYSTEM' condition: selection falsepositives: - unknown level: high tags: - attack.persistence - attack.privilege_escalation - attack.t1053.005 - qbot
title: QBot scheduled task REGSVR32 and C$ image path id: 014da553-5727-4e47-9544-56da83b3eb6f description: Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field status: test author: tas_kmanager, TheDFIRReport references:https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ date: 2022/02/06 modified: 2022/02/06 logsource: product: windows service: system detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 ImagePath|contains|all: - 'regsvr32.exe' - 'C$' condition: selection level: high falsepositives: - low tags: - attack.persistence - attack.privilege_escalation - attack.t1053.005 - qbot
title: EmailStorage file deletion - QBot id: 695e7200-c733-44b3-9231-6d3459c668ba status: test description: Detect EmailStorage file deletion after QBot infection author: tas_kmanager, TheDFIRReport references:https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ date: 2022/02/06 modified: 2022/02/06 logsource: category: process_creation product: windows detection: selection: ParentCommandLine|contains: - '\EmailStorage_' - 'rmdir' Image|endswith: '\cmd.exe' condition: selection falsepositives: - low level: high tags: - attack.defense_evasion - attack.t1070.004 - qbot
Whoami Execution Anomaly
Suspicious Reconnaissance Activity
Mimikatz Detection LSASS Access
Yara
/*
YARA Rule Set
Author: The DFIR Report
Date: 2022-02-07
Identifier: Case 7685
Reference: https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule tuawktso_7685 {
meta:
description = "Files - file tuawktso.vbe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-02-01"
hash1 = "1411250eb56c55e274fbcf0741bbd3b5c917167d153779c7d8041ab2627ef95f"
strings:
$s1 = "* mP_5z" fullword ascii
$s2 = "44:HD:\\C" fullword ascii
$s3 = "zoT.tid" fullword ascii
$s4 = "dwmcoM<" fullword ascii
$s5 = "1iHBuSER:" fullword ascii
$s6 = "78NLog.j" fullword ascii
$s7 = "-FtP4p" fullword ascii
$s8 = "x<d%[ * " fullword ascii
$s9 = "O2f+ " fullword ascii
$s10 = "- wir2" fullword ascii
$s11 = "+ \"z?}xn$" fullword ascii
$s12 = "+ $Vigb" fullword ascii
$s13 = "# W}7k" fullword ascii
$s14 = "# N)M)9" fullword ascii
$s15 = "?uE- dO" fullword ascii
$s16 = "W_* 32" fullword ascii
$s17 = ">v9+ H" fullword ascii
$s18 = "tUg$* h" fullword ascii
$s19 = "`\"*- M" fullword ascii
$s20 = "b^D$ -L" fullword ascii
condition:
uint16(0) == 0xe0ee and filesize < 12000KB and
8 of them
}
rule wmyvpa_7685 {
meta:
description = "Files - file wmyvpa.sae"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-02-01"
hash1 = "3d913a4ba5c4f7810ec6b418d7a07b6207b60e740dde8aed3e2df9ddf1caab27"
strings:
$s1 = "spfX.hRN<" fullword ascii
$s2 = "wJriR>EOODA[.tIM" fullword ascii
$s3 = "5v:\\VAL" fullword ascii
$s4 = "K6U:\"&" fullword ascii
$s5 = "%v,.IlZ\\" fullword ascii
$s6 = "\\/kX>%n -" fullword ascii
$s7 = "!Dllqj" fullword ascii
$s8 = "&ZvM* " fullword ascii
$s9 = "AU8]+ " fullword ascii
$s10 = "- vt>h" fullword ascii
$s11 = "+ u4hRI" fullword ascii
$s12 = "ToX- P" fullword ascii
$s13 = "S!G+ u" fullword ascii
$s14 = "y 9-* " fullword ascii
$s15 = "nl}* J" fullword ascii
$s16 = "t /Y Fo" fullword ascii
$s17 = "O^w- F" fullword ascii
$s18 = "N -Vw'" fullword ascii
$s19 = "hVHjzI4" fullword ascii
$s20 = "ujrejn8" fullword ascii
condition:
uint16(0) == 0xd3c2 and filesize < 12000KB and
8 of them
}
rule ocrafh_html_7685 {
meta:
description = "Files - file ocrafh.html.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-02-01"
hash1 = "956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85"
strings:
$s1 = "Over.dll" fullword wide
$s2 = "c:\\339\\Soon_Back\\Hope\\Wing\\Subject-sentence\\Over.pdb" fullword ascii
$s3 = "7766333344" ascii /* hex encoded string 'wf33D' */
$s4 = "6655557744" ascii /* hex encoded string 'fUUwD' */
$s5 = "7733225566" ascii /* hex encoded string 'w3"Uf' */
$s6 = "5577445500" ascii /* hex encoded string 'UwDU' */
$s7 = "113333" ascii /* reversed goodware string '333311' */
$s8 = "'56666" fullword ascii /* reversed goodware string '66665'' */
$s9 = "224444" ascii /* reversed goodware string '444422' */
$s10 = "0044--" fullword ascii /* reversed goodware string '--4400' */
$s11 = "444455" ascii /* reversed goodware string '554444' */
$s12 = "5555//" fullword ascii /* reversed goodware string '//5555' */
$s13 = "44...." fullword ascii /* reversed goodware string '....44' */
$s14 = ",,,2255//5566" fullword ascii /* hex encoded string '"UUf' */
$s15 = "44//446644//" fullword ascii /* hex encoded string 'DDfD' */
$s16 = "7755//44----." fullword ascii /* hex encoded string 'wUD' */
$s17 = "?^.4444--,,55" fullword ascii /* hex encoded string 'DDU' */
$s18 = "66,,5566////55" fullword ascii /* hex encoded string 'fUfU' */
$s19 = "operator co_await" fullword ascii
$s20 = "?\"55//////77" fullword ascii /* hex encoded string 'Uw' */
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and
( pe.imphash() == "fadf54554241c990b4607d042e11e465" and ( pe.exports("Dropleave") and pe.exports("GlassExercise") and pe.exports("Mehope") and pe.exports("Top") ) or 8 of them )
}
rule ljncxcwmsg_7685 {
meta:
description = "Files - file ljncxcwmsg.gjf"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-02-01"
hash1 = "c789bb45cacf0de1720e707f9edd73b4ed0edc958b3ce2d8f0ad5d4a7596923a"
strings:
$s1 = "x=M:\"*" fullword ascii
$s2 = "=DdlLxu" fullword ascii
$s3 = "#+- 7 " fullword ascii
$s4 = "1CTxH* " fullword ascii
$s5 = "OF0+ K" fullword ascii
$s6 = "\\oNvd4Ww" fullword ascii
$s7 = "jvKSZ21" fullword ascii
$s8 = "o%U%uhuc]" fullword ascii
$s9 = "~rCcqlf1 0" fullword ascii
$s10 = "kjoYf^=8" fullword ascii
$s11 = "jpOMR4}" fullword ascii
$s12 = "ZIIUn'u" fullword ascii
$s13 = "7uCyy7=H" fullword ascii
$s14 = "#c.sel}W" fullword ascii
$s15 = ")t)uSKv%&}" fullword ascii
$s16 = "VGiAP/o(" fullword ascii
$s17 = "SwcF~i`" fullword ascii
$s18 = "*ITDe5\\n" fullword ascii
$s19 = "MjKB!X" fullword ascii
$s20 = "tjfVUus" fullword ascii
condition:
uint16(0) == 0xa5a4 and filesize < 2000KB and
8 of them
}
rule hyietnrfrx_7685 {
meta:
description = "Files - file hyietnrfrx.uit"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-02-01"
hash1 = "70a49561f39bb362a2ef79db15e326812912c17d6e6eb38ef40343a95409a19a"
strings:
$s1 = "Z)* -^'" fullword ascii
$s2 = "%EGMf%mzT" fullword ascii
$s3 = "CYR:\"n" fullword ascii
$s4 = "CbIN$P;" fullword ascii
$s5 = "We:\\>K" fullword ascii
$s6 = "h^nd* " fullword ascii
$s7 = "+ GR;q" fullword ascii
$s8 = "u%P%r2A" fullword ascii
$s9 = "ti+ gj?" fullword ascii
$s10 = "glMNdH8" fullword ascii
$s11 = "SuiMFrn7" fullword ascii
$s12 = "K* B5T" fullword ascii
$s13 = "eLpsNt " fullword ascii
$s14 = "aQeG% SMF " fullword ascii
$s15 = "JdYQ67 " fullword ascii
$s16 = "f>xYrBDvNF+Q" fullword ascii
$s17 = "OESW[>O" fullword ascii
$s18 = "9rlPY5__" fullword ascii
$s19 = "DMvH{}L" fullword ascii
$s20 = ".dgQ>H" fullword ascii
condition:
uint16(0) == 0x4eee and filesize < 2000KB and
8 of them
}
rule zsokarzi_7685 {
meta:
description = "Files - file zsokarzi.xpq"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-02-01"
hash1 = "cbfc135bff84d63c4a0ccb5102cfa17d8c9bf297079f3b2f1371dafcbefea77c"
strings:
$s1 = "}poSpY" fullword ascii
$s2 = "[cmD>S" fullword ascii
$s3 = "# {y|4" fullword ascii
$s4 = "IX%k%5u" fullword ascii
$s5 = "YKeial7" fullword ascii
$s6 = "#%y% !" fullword ascii
$s7 = "wOUV591" fullword ascii
$s8 = "| VJHt}&Y" fullword ascii
$s9 = "BEgs% 5" fullword ascii
$s10 = "UKCy\\n" fullword ascii
$s11 = "w;gOxQ?" fullword ascii
$s12 = "'OHSf\"/x" fullword ascii
$s13 = "=#qVNkOnj" fullword ascii
$s14 = "{_OqzbVbN" fullword ascii
$s15 = "QEQro\\4" fullword ascii
$s16 = "ohFq\\P" fullword ascii
$s17 = "34eYZVnp2" fullword ascii
$s18 = "rxuqLDG" fullword ascii
$s19 = "kUZI6J#" fullword ascii
$s20 = "IEJl1}+" fullword ascii
condition:
uint16(0) == 0xc1d7 and filesize < 2000KB and
8 of them
}
rule znmxbx_7685 {
meta:
description = "Files - file znmxbx.evj"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-02-01"
hash1 = "e510566244a899d6a427c1648e680a2310c170a5f25aff53b15d8de52ca11767"
strings:
$s1 = "# /rL,;" fullword ascii
$s2 = "* m?#;rE" fullword ascii
$s3 = ">\\'{6|B{" fullword ascii /* hex encoded string 'k' */
$s4 = "36\\$'48`" fullword ascii /* hex encoded string '6H' */
$s5 = "&#$2\\&6&[" fullword ascii /* hex encoded string '&' */
$s6 = "zduwzpa" fullword ascii
$s7 = "CFwH}&.MWi " fullword ascii
$s8 = "e72.bCZ<" fullword ascii
$s9 = "*c:\"HK!\\" fullword ascii
$s10 = "mBf:\"t~" fullword ascii
$s11 = "7{R:\"O`" fullword ascii
$s12 = "7SS.koK#" fullword ascii
$s13 = "7lS od:\\" fullword ascii
$s14 = "kMRWSyi$%D^b" fullword ascii
$s15 = "Wkz=c:\\" fullword ascii
$s16 = "1*l:\"L" fullword ascii
$s17 = "GF8$d:\\T" fullword ascii
$s18 = "i$\".N8spy" fullword ascii
$s19 = "f4LOg@" fullword ascii
$s20 = "XiRcwU" fullword ascii
condition:
uint16(0) == 0x3888 and filesize < 12000KB and
8 of them
}
MITRE
- Rundll32 – T1218.011
- Scheduled Task – T1053.005
- Disable or Modify Tools – T1562.001
- Process Injection – T1055
- LSASS Memory – T1003.001
- Network Share Discovery – T1135
- Local Groups – T1069.001
- Local Account – T1087.001
- System Network Connections Discovery – T1049
- System Network Configuration Discovery – T1016
- Internet Connection Discovery – T1016.001
- Email Collection – T1114
- Credentials from Web Browsers – T1555.003
- Commonly Used Port – T1043
- Application Layer Protocol – T1071
- Web Protocols – T1071.001
- Exfiltration Over C2 Channel – T1041
Internal case #7685