ReliaQuest detects security incident caused by QBot banking trojan

March 30, 2023 - TuxCare PR Team

ReliaQuest has discovered a security incident caused by the QBot banking trojan in a client’s environment. A threat actor gained access to the network via a phishing email, installed the QBot malware, and escalated privileges and established a foothold in 77 minutes.

The attacker’s behavior indicated that they were a member of the Black Basta RaaS program, which has been linked to a large number of ransomware attacks. The phishing email was detected as malicious but managed to avoid detection by an overly permissive security solution, and the malware was executed via HTML smuggling, a common tactic used by threat actors.

ReliaQuest worked with the impacted customer to mitigate the impact of the intrusion and advised businesses to avoid accepted risks that could prevent or at least slow down attackers’ advances.

The QBot banking trojan was discovered in 2007 and has since been updated to include new techniques and capabilities such as lateral movement, detection evasion, debugging, and the installation of additional malware on compromised machines.

The deployment of the Cobalt Strike Beacon and remote management software in the victim’s environment facilitated QBot’s use for initial access. After gaining a foothold, the threat actor obtained valid service account credentials and moved laterally to deploy additional Cobalt Strike beacons.

Office 365 management correctly identified the phishing email that provided the initial access as malicious. The ZIP file was password-protected with abc333. The attackers took advantage of the initial QBot foothold to deliver a Cobalt Strike beacon, which communicated with its team server at 194.165.16[.]95. The attackers communicated and maintained their foothold using remote access software AnyDesk, Atera, and Splashtop, which use the HTTPS protocol.

The initial access was granted via a phishing email with the subject REF#6547 SEP 28.HTML on September 26, 2022. ReliaQuest identified several takeaways from the attack, including how the attackers’ actions were aided by a known risk that, if avoided, could have prevented their progress.

HTML smuggling enabled execution. When the HTML file was opened in an email client, and the user was asked to download it locally. They did this, and when they opened the HTML file in a browser, an encoded JavaScript binary large object (BLOB) appeared. The BLOB then created and downloaded a ZIP file to the user’s hard drive.

The threat actor gained credential access after interacting with a credential key for an account via the Data Protection Application Programming Interface (DPAPI); DPAPI is used to protect personal data on the local system, including user credentials. This is a common target for credential harvesting, and in this case, the account was compromised as a result. Some of the most common tools, such as Mimikatz, which was also used during the incident, provide ways to interact with DPAPI in order to access credentials. Mimikatz is an open-source malware program used by hackers and penetration testers to gather credentials on Windows computers.

The sources for this piece include an article in Reliaquest.

Summary