The Cisco Talos team, the cybersecurity research arm of Cisco, has disclosed a new variant of Qbot (also known as Qakbot), an extensible banking trojan that is infecting vulnerable Windows computers in the wild. Whether the user is tricked into executing the dropper through a malicious email, an infected website link or a drive-by download, the malware immediately registers itself with the Windows Task Scheduler. The scheduled task then runs the following command:
C:\Windows\system32\schtasks.exe /create /tn {guid} /tr cmd.exe /C "start /MIN C:\Windows\system32\cscript.exe /E:javascript "C:\Users\USERNAME\ymwoyf.wpl" /sc WEEKLY /D TUE,WED,THU /ST 12:00:00 /F
This ensures the malware is relaunched even after a Windows reboot. It also executes a Windows Script Host command that installs the malware further into the system:
cmd.exe /C start /MIN C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\puigje.wpl
C:\Windows\system32\cscript.exe /E:javascript C:\ProgramData\puigje.wpl
“Cisco Talos first observed a spike in requests to these hijacked domains on April 2, 2019. This coincides with DNS changes made to these domains on March 19, 2019. Additionally, the comment string ‘CHANGES 15.03.19’ is contained within the malicious JavaScript downloader, suggesting this actor updated the code on March 15. This indicates that these changes to the Qbot persistence mechanism seem to coincide with the launch of a new campaign,” explained Ashlee Benge, a research engineer at Cisco Talos.
The new Qbot variant uses three domains to host the stolen information: randalpha_1(.)zzz receives the first 1000 bytes of the transmission, and randalpha_2(.)zzz and randalpha_3 both receive the rest of its contents. In this way the stolen data is hidden from plain sight, even though the computer itself is uploading it to the command and control servers. The Qbot malware itself does not arrive as a single download from the dropper, but as two distinct files with the .zzz extension. The dropper then recombines the two files into one executable, the main module of Qbot.
This is the latest technique malware uses to bypass antivirus software: by splitting the main module into two files, signature-based anti-malware that looks for the whole binary will not recognise Qbot's signature. Stitching two files back together is also an ordinary operating-system function, just as a RAR archive can be split into parts to fit onto smaller media.
“There has been a change in the infection chain of Qakbot that makes it more difficult for traditional anti-virus software to detect. This may allow the download of the malware to go undetected, as the malware is obfuscated when it is downloaded and saved in two separate files. These files are then decrypted and reassembled using the type command. Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it,” concluded Benge.