QBot malware is now being distributed in phishing campaigns that deliver PDF files and Windows Script Files (WSF) by email. Once it has gained initial access, it drops additional payloads such as Cobalt Strike, Brute Ratel and other malware that let other threat actors access the compromised device.
Using that access, the attackers spread laterally through the network, stealing data and information before eventually deploying ransomware for extortion.
This month, a new QBot email distribution method has been reported: PDF attachments that download Windows Script Files to install QBot on victims’ devices.
It all starts with an E-mail
QBot is currently being distributed through reply-chain phishing emails: threat actors take stolen email threads and reply to them with links to malware or with malicious attachments.
Replying within an existing chain is meant to make the phishing email less suspicious, since it appears to be part of an ongoing conversation. These phishing emails are written in a wide variety of languages, which marks this as a worldwide distribution campaign.

Attached to these emails is a PDF file named “CancelationLetter-[number].pdf” which, when opened, displays the message “This document contains protected files, to display them, click on the ‘open’ button”.
Clicking the button instead delivers a ZIP file containing a Windows Script File (WSF). A WSF file carries the .wsf extension and holds a combination of JScript and VBScript code that is executed when the file is double-clicked. The WSF file used in this QBot campaign is heavily obfuscated; its purpose is to run a PowerShell script on the computer.
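The reason a single .wsf file can carry both JScript and VBScript is that the format is a thin XML-style wrapper: a `<job>` element holding one or more `<script language="...">` blocks. The following triage script is an added example, not code from the article or from any vendor mentioned in it. It extracts those blocks and scores each with a few simple obfuscation heuristics (string-splitting, long literals, entropy, known script-host keywords); the sample WSF embedded in it is constructed for this example and is benign (it only echoes "Hello"), and the scoring thresholds are assumptions to be tuned against your own samples.

```python
"""Static triage of a Windows Script File (.wsf).

Added example, not code from the original article. A .wsf is a thin XML-style
wrapper: a <job> element holding one or more <script language="..."> blocks,
which is how one file can carry both JScript and VBScript. This script pulls
the blocks out and scores each with a few obfuscation heuristics so an
analyst can decide whether a file deserves a closer look. The sample below is
constructed for this example and is benign (it only echoes "Hello").
"""
import math
import re
from collections import Counter

# Constructed sample: a JScript block using split-string and char-code
# tricks, plus a plain VBScript block, inside one job.
SAMPLE_WSF = """<job id="main">
<script language="JScript">
<![CDATA[
var host = "WSc" + "ript" + "." + "She" + "ll";
var sh = new ActiveXObject(host);
var text = String.fromCharCode(72, 101, 108, 108, 111);
WScript.Echo(text);
]]>
</script>
<script language="VBScript">
Dim greeting
greeting = "Hel" & "lo"
WScript.Echo greeting
</script>
</job>
"""

SCRIPT_BLOCK = re.compile(
    r'<script\s+language\s*=\s*"([^"]+)"[^>]*>(.*?)</script>', re.I | re.S)
STRING_JOIN = re.compile(r'"\s*[+&]\s*"')      # "abc" + "def"  /  "abc" & "def"
STRING_LITERAL = re.compile(r'"([^"\n]*)"')
# Assumed keyword list; extend from your own sample corpus.
KEYWORDS = ("wscript.shell", "activexobject", "fromcharcode", "powershell", "eval(", "chr(")


def shannon_entropy(text):
    """Bits per character; high values hint at packed or encoded payloads."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_script_blocks(wsf_text):
    """Return (language, code) pairs; tolerant of malformed XML, as WSH itself is."""
    if "<job" not in wsf_text.lower():
        raise ValueError("no <job> element: not a Windows Script File")
    blocks = []
    for lang, code in SCRIPT_BLOCK.findall(wsf_text):
        code = code.strip()
        if code.startswith("<![CDATA[") and code.endswith("]]>"):
            code = code[len("<![CDATA["):-len("]]>")].strip()
        blocks.append((lang, code))
    return blocks


def triage_block(language, code):
    """Score one script block with simple, explainable heuristics."""
    lowered = code.lower()
    literals = STRING_LITERAL.findall(code)
    result = {
        "language": language,
        "size": len(code),
        "entropy": round(shannon_entropy(code), 2),
        "string_joins": len(STRING_JOIN.findall(code)),
        "longest_literal": max((len(s) for s in literals), default=0),
        "keywords": [k for k in KEYWORDS if k in lowered],
    }
    # Split strings defeat naive keyword matching ("WSc" + "ript.Shell" never
    # contains "wscript.shell"), so the join count is scored on its own.
    result["suspicious"] = (
        result["string_joins"] >= 3
        or result["longest_literal"] >= 200
        or result["entropy"] > 5.0
        or bool(result["keywords"])
    )
    return result


def triage_wsf(wsf_text):
    """Triage every script block in a WSF document."""
    return [triage_block(lang, code) for lang, code in extract_script_blocks(wsf_text)]


if __name__ == "__main__":
    for block in triage_wsf(SAMPLE_WSF):
        print(block)
```

Run it against a real attachment by reading the file into `triage_wsf`; the JScript block in the sample is flagged both because of its keywords and because four string joins build one identifier, while the VBScript block scores clean. The point of keeping the heuristics separate is that an analyst can see which one fired rather than a single opaque score.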

The PowerShell script launched from the WSF downloads a DLL from a list of URLs, trying each in turn until the file has been saved to the %TEMP% folder, and then executes it. Once running, the QBot DLL issues a PING command to check for an internet connection and then injects itself into the legitimate Windows program wermgr.exe (Windows Error Manager), where it remains running in the background.
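Each step of that chain leaves a process-creation event, which makes it a natural target for a correlated detection. The script below is an added example, not code from the article or from any product it mentions. It runs four rules over constructed process-creation events: a script host spawning PowerShell, a command line referencing a .dll under the user's Temp folder, ping.exe started by such a process, and wermgr.exe with an unexpected parent. The JSON field names (pid, ppid, image, cmdline) are an assumption to be mapped from your EDR or Sysmon Event ID 1 data; the article does not say how the DLL is launched, so the sample assumes rundll32.exe as the host, and the "normal parent is svchost.exe" baseline for wermgr.exe is likewise an assumption to confirm against your own fleet.

```python
"""Process-chain detection for the chain the article describes:
WSF -> PowerShell -> DLL in %TEMP% -> PING -> wermgr.exe.

Added example, not code from the original article. The JSON lines below are
constructed process-creation events, not real telemetry. Field names are an
assumption; map them from whatever your EDR or Sysmon Event ID 1 pipeline
emits. The article does not state how the DLL is launched, so the sample
assumes rundll32.exe as the host process.
"""
import json
import ntpath

# Constructed sample events. Raw string so the JSON backslash escapes survive.
SAMPLE_EVENTS = r"""
{"pid": 900,  "ppid": 4,    "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe"}
{"pid": 4100, "ppid": 800,  "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 4200, "ppid": 4100, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe \"C:\\Users\\alice\\Downloads\\document.wsf\""}
{"pid": 4300, "ppid": 4200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -Command ..."}
{"pid": 4400, "ppid": 4300, "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\sample.dll,Start"}
{"pid": 4500, "ppid": 4400, "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping.exe placeholder.example"}
{"pid": 4600, "ppid": 4400, "image": "C:\\Windows\\System32\\wermgr.exe", "cmdline": "wermgr.exe"}
{"pid": 4700, "ppid": 900,  "image": "C:\\Windows\\System32\\wermgr.exe", "cmdline": "wermgr.exe"}
{"pid": 4800, "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Date"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: on a baseline Windows host wermgr.exe is started by the Windows
# Error Reporting service inside svchost.exe. Confirm against your own fleet.
EXPECTED_WERMGR_PARENTS = {"svchost.exe"}


def parse_events(text):
    """Parse JSON lines into a dict keyed by pid (simplified: ignores pid reuse)."""
    events = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def base(ev):
    """Lower-cased image file name, or '' when the event is missing."""
    return ntpath.basename(ev["image"]).lower() if ev else ""


def references_temp_dll(ev):
    """Command line names a .dll under a Temp folder (the %TEMP% drop location)."""
    cmd = ev["cmdline"].lower()
    return ".dll" in cmd and ("\\temp\\" in cmd or "%temp%" in cmd)


def detect(events):
    """Return (rule_name, pid) for every event that matches one of the rules."""
    alerts = []
    for pid, ev in events.items():
        parent = events.get(ev["ppid"])
        name, pname = base(ev), base(parent)
        if name in POWERSHELL and pname in SCRIPT_HOSTS:
            alerts.append(("script_host_spawns_powershell", pid))
        if references_temp_dll(ev):
            alerts.append(("dll_run_from_temp", pid))
        if name == "ping.exe" and parent is not None and references_temp_dll(parent):
            alerts.append(("ping_after_temp_dll", pid))
        if name == "wermgr.exe" and pname not in EXPECTED_WERMGR_PARENTS:
            alerts.append(("wermgr_unexpected_parent", pid))
    return alerts


def run_sample():
    """Apply the rules to the constructed events."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, pid in run_sample():
        print(f"{rule}: pid {pid}")
```

The benign PowerShell launched from explorer.exe (pid 4800) and the wermgr.exe started by svchost.exe (pid 4700) produce nothing, while the four stages of the sample chain each raise exactly one alert. In production, the parent lookup should be keyed on a process GUID or on pid plus start time rather than pid alone, since pids are reused.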
It is worth mentioning that affiliates of multiple Ransomware-as-a-Service (RaaS) operations, including BlackBasta, REvil, ProLock and MegaCortex, have used QBot for initial access to corporate networks. QBot has been observed stealing sensitive information within about 30 minutes of the initial infection, so if a device is compromised by QBot it is critical to disconnect it immediately and then conduct a full assessment of the network for unusual behavior.