Malware Analysis Spotlight: Qbot’s Delivery Method

Sep 15th 2020

The Re-Emergence of Qbot

After more than a decade in operation, the Qbot Trojan is back in the news. A modified version of the malware which now extracts email threads from Outlook to use in phishing attacks was used in a prominent campaign that ran from March to the end of June. Then this same modified version was used, in some cases, as the payload for the Emotet Trojan campaign in July that may have affected up to 5% of organizations worldwideNow, Qbot is taking on a life of its own with its malspam campaign launched in August.

First discovered in 2008, Qbot has evolved from a banking Trojan which steals online banking credentials to becoming a “Swiss Army knife” of malware, capable of not only stealing credentials but also distributing ransomware and performing other malicious activity.

This Malware Analysis Spotlight focuses on one of the methods used to deliver Qbot and highlights some interesting features of the delivery process leading to the execution of Qbot. In contrast to commonly used delivery techniques through documents with embedded VBA macros, the payload used in this sample is disguised as properties of different objects. This can bypass static analysis because the referenced properties have to be taken into account to see the full behavior of the macro.

View the VMRay Analyzer Report for Qbot

 

Analysis of a Qbot Delivery Method

The initial delivery method is using a Word document with an embedded VBA macro. The macro is referencing data hidden inside a forms object also embedded inside the document. From the label embedded in the form, it extracts a Visual Basic script, drops it into a file and executes it by starting explorer.exe with the script as an argument (Figure 1). The tool oledump by Didier Stevens is also capable of extracting information from user forms as has been demonstrated in Maldoc: Payloads in User Forms.

 

Malicious Document

Figure 1: Malicious document with “hidden” data.

 

The VBS contains a lot of noise including a variable declaration for errors and messages, and a header claiming the original name of the file is winrm.vbs.

The actual purpose it serves is to write a set of commands into a .cmd file which it then executes. This functionality is located near the middle of the file, surrounded by the previously mentioned noise.

The written cmd script invokes Powershell with commands as arguments, which then downloads the payload from one of the hard-coded domains to “C:\BlotRoots\Loterious.exe and executes it with the standard alias saps (Figure 2).

 

VMRay Analyzer

Figure 2: VMRay Analyzer Behavior – Powershell downloads next stage.

 

The final payload is Qbot. It contains multiple evasion techniques and at this stage, it enumerates over existing processes and compares them against a hard-coded list (Figure 3). Next, it sets a mutex, drops a copy of itself with a random name together with a configuration file into the %AppData% directory and starts 3 new processes. The first one is using current process’s base image but this time uses the parameter “/C”, the second one has the image located in %AppData% as base and takes no parameters, the third one is executing a command which overwrites the Loterios.exe image with calc.exe (Figure 4).

 

Function Log

Figure 3: VMRay function log – Enumerate processes and compare against an internal list

 

VMRay Analyzer Behavior

Figure 4: VMRay Analyzer Behavior – Creation of new processes.

 

The new process that was started with the “/C” parameter is responsible for the anti-analysis techniques. Just as before it enumerates running processes and compares them to an internal list, it also uses the SetupAPI to enumerate devices and compare them against a hard-coded list. The next check it performs is to verify that none of the currently loaded DLLs is one on his list (Figure 5).

 

Function Log

Figure 5: VMRay function log – Device enumeration (left) and DLL enumeration (right)

 

Finally, it verifies that the name of the sample doesn’t contain one of the following strings (Figure 6):

  • sample
  • mlwr_smpl
  • artifact.exe

 

Function Log

Figure 6: VMRay function log – Verify the sample’s name

 

After the attempts to identify an artificial environment, the final stage is injected into explorer.exe at address 0x28e0000 (Figure 7).

 

VMRay Analyzer Behavior

Figure 7: VMray Analyzer Behavior – Injection into process.exe at address 0x028e0000

 

This payload then decrypts one of its resources with the name “307” and loads it at address 0x02AC0000 (Figure 8). This resource is one of the core modules of Qbot. A more detailed analysis of Qbot can be found in Deep Analysis of Qbot Banking Trojan.

 

Figure 8: VMRay function log and Behavior – Find resource and allocate memory for it (left) and a dump of that memory region (right).

 

Conclusion

In this analysis, we can see that the delivery can be split up into multiple stages, whereby each stage has its own purpose.

However, we can easily follow the path of delivery and observe Qbot’s detection mechanism and its further behavior. The memory dumping ability of VMRay’s Analyzer eases the access to Qbots core modules loaded in memory.

One day after we collected the sample, the payload was either deleted or replaced by putty. This means that opening the document now can result in downloading and executing putty instead of Qbot.

 

IOCs

Sample

b2946daf21b5a0d9c70f32230f6e511ff4aeb939fc8f9a5d372a67f932483c4d

Payload

37790b6946072ccacb7cf9be694b962deee2c53818449eba20f450389d0cfa4a

Network

hxxp://rijschoolfastandserious[.]nl
hxxp://nanfeiqiaowang[.]com
hxxp://forum[.]insteon[.]com
hxxp://webtest[.]pp[.]ua
hxxp://quoraforum[.]com/
hxxp://quickinsolutions[.]com
hxxp://bronco[.]is
hxxp://studiomascellaro[.]it
hxxp://craniotylla[.]ch
hxxp://marineworks[.]eu

IP Addresses

173.172.205.216

66.25.168.167

201.216.216.245

75.182.220.196

188.25.26.41

213.67.45.195

68.134.181.98

68.190.152.98

75.183.171.155

67.165.206.193

75.170.94.218

73.137.184.213

190.24.177.147

188.173.70.18

216.146.110.68

98.190.24.81

209.137.209.163

189.210.114.157

93.151.180.170

188.26.11.29

186.82.157.66

108.46.145.30

71.197.126.250

175.111.128.234

24.71.28.247

66.26.160.37

71.163.224.206

207.255.161.8

47.153.115.154

72.209.191.27

76.170.77.99

47.153.115.154

100.4.173.223

200.75.136.78

100.37.36.240

93.113.177.152

77.27.173.8

67.170.137.8

108.185.113.12

72.28.255.159

24.37.178.158

207.255.161.8

2.90.92.255

166.62.180.194

103.238.231.40

71.182.142.63

71.56.53.127

35.134.202.234

172.87.134.226

73.227.232.166

190.77.170.197

79.115.145.90

72.240.200.181

72.142.106.198

98.11.125.62

69.123.179.70

187.214.9.138

69.11.247.242

72.214.55.195

189.140.61.205

68.174.15.223

172.78.30.215

68.225.56.31

24.234.86.201

71.80.66.107

96.20.108.17

95.76.185.240

173.173.72.199

188.51.3.210

115.21.224.117

209.182.122.217

70.164.39.91

70.95.118.217

24.116.227.63

98.4.227.199

144.202.48.107

2.7.65.32

178.222.12.162

75.137.239.211

94.59.241.189

73.60.148.209

73.30.244.90

206.51.202.106

70.123.92.175

189.163.82.104

182.185.40.22

36.230.79.179

95.77.144.238

187.163.101.137

95.77.223.148

73.214.248.17

189.130.26.216

66.57.216.53

70.164.37.205

24.44.142.213

159.0.126.131

72.82.15.220

24.122.157.93

207.255.161.8

186.6.197.11

99.231.221.117

188.241.159.208

2.89.74.34

24.46.40.189

68.4.137.211

189.183.72.138

74.73.120.226

86.153.98.126

24.229.150.54

134.228.24.29

151.205.102.42

96.234.20.230

96.232.163.27

208.93.202.49

47.44.217.98

45.32.154.10

98.240.24.57

5.15.65.198

5.193.155.181

80.240.26.178

45.77.215.141

207.246.71.122

67.8.103.21

199.247.16.80

207.246.75.201

49.191.3.234

73.228.1.246

24.139.132.70

76.187.12.181

92.59.35.196

50.244.112.10

108.27.217.44

199.116.241.147

24.201.79.208

217.162.149.212

59.98.248.254

96.41.93.96

50.244.112.106

78.100.229.44

86.182.234.245

71.126.139.251

165.120.230.108

80.195.103.146

89.247.217.163

216.201.162.158

197.210.96.222

117.218.208.239

174.80.7.235

98.26.50.62

199.247.22.145