This blog post was written by Jérôme Segura and Hossein Jazi.

In the midst of a global pandemic, the 2020 US elections have been the subject of intense scrutiny and emotion. As election night came to a close and uncertainty about the results began to spread, threat actors decided to join in as well.

Those tracking the threat landscape know very well that major world events do not go unnoticed by criminals. In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.

The Qbot banking Trojan operators are back with a new themed spam wave, using the same hijacked email threads to lure victims with malicious election-interference attachments.

Hijacked email threads pushing bogus DocuSign documents

The malicious emails come as replies within existing threads, similar to what Emotet does to add legitimacy and make detection harder. They contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.

While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference:

Figure 1: Malicious email with election-interference attachment

The extracted file is an Excel spreadsheet crafted to look like a secure DocuSign file. Users are tricked into enabling macros in order to “decrypt” the document.

Figure 2: Excel document containing malicious macro

This tried and tested trick will download a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a Cyrillic-named sheet “Лист3”.

Figure 3: Payload URL obfuscation
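The lure chain above (a zip named ElectionInterference_[8 to 9 digits].zip, a macro-enabled Excel workbook inside it, and a payload URL sitting in a cell of a Cyrillic-named sheet) can be turned into a simple mail-gateway triage check. The following is an added example, not Malwarebytes code: it assumes the workbook is in OOXML format (.xlsm) so that its parts can be read as a zip, and the sample attachment it builds, including the placeholder URL and the placeholder VBA blob, is constructed for the demonstration rather than taken from the real samples.

```python
"""Attachment triage for the election-themed QBot malspam described above.

Added example; not Malwarebytes code. It checks the three traits the post
describes: the ElectionInterference_<8-9 digits>.zip filename, a
macro-enabled Excel workbook inside the zip, and a Cyrillic-named sheet
(the post names "Лист3") holding a payload URL. The workbook is assumed
to be OOXML (.xlsm); build_sample() is constructed and its URL is a
placeholder, not the real IoC.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ATTACHMENT_RE = re.compile(r"^ElectionInterference_\d{8,9}\.zip$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": SS_NS}


def attachment_name_matches(name: str) -> bool:
    """True when the filename follows the naming pattern used by the campaign."""
    return bool(ATTACHMENT_RE.match(name))


def inspect_workbook(xlsm_bytes: bytes) -> dict:
    """Report macro presence, sheet names, Cyrillic sheet names and URL-like cell text."""
    info = {"has_macro": False, "sheets": [], "cyrillic_sheets": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        names = set(z.namelist())
        # An embedded VBA project is what makes the workbook macro-enabled.
        info["has_macro"] = "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            for sheet in ET.fromstring(z.read("xl/workbook.xml")).findall(".//m:sheet", NS):
                name = sheet.get("name", "")
                info["sheets"].append(name)
                if CYRILLIC_RE.search(name):
                    info["cyrillic_sheets"].append(name)
        # Cell text lives either in the shared-string table or inline in a sheet part.
        for member in sorted(names):
            if member == "xl/sharedStrings.xml" or (
                member.startswith("xl/worksheets/") and member.endswith(".xml")
            ):
                for t in ET.fromstring(z.read(member)).iter(f"{{{SS_NS}}}t"):
                    info["urls"].extend(URL_RE.findall(t.text or ""))
    return info


def triage(attachment_name: str, zip_bytes: bytes) -> dict:
    """Combine the filename check with the workbook findings into a verdict."""
    findings = {"name_match": attachment_name_matches(attachment_name), "workbooks": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for member in outer.namelist():
            if member.lower().endswith((".xlsm", ".xlsx", ".xls")):
                try:
                    findings["workbooks"][member] = inspect_workbook(outer.read(member))
                except zipfile.BadZipFile:
                    # Legacy binary .xls is not a zip; it needs a different parser.
                    findings["workbooks"][member] = None
    macro_with_lure = any(
        wb and wb["has_macro"] and (wb["cyrillic_sheets"] or wb["urls"])
        for wb in findings["workbooks"].values()
    )
    findings["verdict"] = "suspicious" if findings["name_match"] and macro_with_lure else "unknown"
    return findings


def build_sample() -> bytes:
    """Constructed sample attachment mirroring the described structure (not a real IoC)."""
    workbook_xml = (
        f'<workbook xmlns="{SS_NS}"><sheets>'
        '<sheet name="Sheet1" sheetId="1"/><sheet name="Лист3" sheetId="3"/>'
        "</sheets></workbook>"
    )
    shared_strings = (
        f'<sst xmlns="{SS_NS}"><si><t>Enable content to decrypt this document</t></si>'
        "<si><t>http://payload-host.invalid/placeholder.png</t></si></sst>"
    )
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/sharedStrings.xml", shared_strings)
        z.writestr("xl/vbaProject.bin", b"\x00placeholder-vba\x00")  # stand-in for a real VBA project
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("ElectionInterference_123456789.xlsm", xlsm.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(triage("ElectionInterference_123456789.zip", build_sample()))
```

The verdict deliberately requires both the campaign filename and a macro workbook carrying either a Cyrillic sheet name or a URL-looking string, so a benign Russian-language spreadsheet or an unrelated macro document alone will not trip it; in production the URL strings would be passed to a reputation lookup rather than treated as proof on their own.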

Once executed, the QBot Trojan will contact its command and control server and request instructions. In addition to stealing and exfiltrating data from its victims, QBot will also start grabbing emails that will later be used as part of the next malspam campaigns.

Figure 4: QBot process flow execution

World events are the best lures

At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.

Spam campaigns routinely abuse email delivery notifications (Fedex, DHL, etc.) or bank alerts to disguise malicious payloads. But world events such as the Covid pandemic or the US elections provide ideal material to craft effective schemes resulting in high infection ratios.

Malwarebytes users were already protected against this attack thanks to our anti-exploit technology. We also detect the payload as Backdoor.Qbot.

Figure 5: Malwarebytes blocking the macro from delivering its payload

Indicators of Compromise

Malicious Excel files

B500A3C769E22535DFC0C0C0C0F2383B7B4FB5EB52097F001814D8219ECBBBB3048A1
f2fb3e7d69bf1b8c0c20484e94b20be33723b4715e7cf94c5cbb120b800328da
0282A796DEC675F556A0BF88EDA0FE84F3558AFC96321709A298D7A0A4F8E5
E800B0D95E02E6E46A05433A9531D7FB900A45AF799A262C3C3C147AC23CD4C10
7DEC31D782AB776BCBB51BD64CBBD40039805AD9473D644A23D5CF16F85552C
0BEC208127E4A021DCCB499131EA91062386126B75D098947134A37E41C4B035
30de8dcd4e894549d6d16edb181dd1a7abec8f001c478cf73baf6075756dc8c2
A8329913C8BBCCB86B207E5A851F7696B1E8A120929CA5C0A5709BD779BABEDF
EF8A17C3BB01D58BFEA74A19F6CB8573CFB2D94D9E6159709AC15A7E0860DBCE
7DDC225AD0ED91CE90B3BDE296C5CE0B4649447FB3F02188E5303E222222222222222DCB5F0

QBot

china[.]asiaspain[.]com/tertgev/1247015.png

1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c
06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b

QBot C2s

142.129.227[.]86
95.77.144[.]238

MITRE ATT&CK techniques

Tactic | ID | Name | Details
--- | --- | --- | ---
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution
Execution | T1106 | Execution through API | Application was launched
Execution | T1053 | Scheduled Task | Loads the Task Scheduler COM API
Persistence | T1050 | New Service | Executes as a Windows service
Persistence | T1060 | Registry Run Keys / Startup Folder | Changes the autorun value in the registry
Persistence | T1053 | Scheduled Task | Loads the Task Scheduler COM API
Privilege Escalation | T1050 | New Service | Executes as a Windows service
Privilege Escalation | T1055 | Process Injection | Application was injected by another process
Privilege Escalation | T1053 | Scheduled Task | Loads the Task Scheduler COM API
Defense Evasion | T1553 | Install Root Certificate | Changes settings of system certificates
Defense Evasion | T1055 | Process Injection | Application was injected by another process
Discovery | T1087 | Account Discovery | Starts NET.EXE to view/change user groups
Discovery | T1135 | Network Share Discovery | Starts NET.EXE for network exploration
Discovery | T1069 | Permission Groups Discovery | Starts NET.EXE to view/change user groups
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1018 | Remote System Discovery | Starts NET.EXE for network exploration
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
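The table above lists behaviours that endpoint telemetry can see: an Office application spawning CMD.EXE, NET.EXE and IPCONFIG.EXE being launched for discovery, a Run-key write, and the machine GUID being read. The following added example (not Malwarebytes tooling) correlates those observations over a constructed, simplified Sysmon-like event format and maps them back to the technique IDs in the table. The event lines, the executable paths and the "placeholder.exe" process name are constructed; techniques that need other telemetry (API execution, service creation, process injection, certificate changes) are out of scope here.

```python
"""Correlate constructed Sysmon-style events with the ATT&CK techniques
listed for this QBot sample. Added example, not Malwarebytes tooling;
the log format ("Type|Key=Value|Key=Value", no '|' inside values), the
event lines and the rule predicates are constructed assumptions."""
import re
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed events mimicking the process flow in the table; paths are illustrative.
SAMPLE_EVENTS = [
    "ProcessCreate|ParentImage=C:\\Program Files\\Microsoft Office\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c placeholder.bat",
    "ProcessCreate|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe|CommandLine=placeholder.exe",
    "ProcessCreate|ParentImage=C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe"
    "|Image=C:\\Windows\\System32\\net.exe|CommandLine=net view",
    "ProcessCreate|ParentImage=C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe"
    "|Image=C:\\Windows\\System32\\net.exe|CommandLine=net localgroup administrators",
    "ProcessCreate|ParentImage=C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe"
    "|Image=C:\\Windows\\System32\\ipconfig.exe|CommandLine=ipconfig /all",
    "ProcessCreate|ParentImage=C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe"
    "|Image=C:\\Windows\\System32\\schtasks.exe|CommandLine=schtasks /create /tn placeholder",
    "RegistrySet|Image=C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe"
    "|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\placeholder",
    "RegistryRead|Image=C:\\Users\\victim\\AppData\\Roaming\\placeholder.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
]


def parse_event(line: str) -> dict:
    """Split 'Type|Key=Value|...' into a dict; the type goes under 'type'."""
    kind, _, rest = line.partition("|")
    event = {"type": kind}
    for field in rest.split("|"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _exe(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _net_cmd(event: dict, pattern: str) -> bool:
    """True for a NET.EXE launch whose command line matches the pattern."""
    return (event["type"] == "ProcessCreate" and _exe(event.get("Image", "")) == "net.exe"
            and re.search(pattern, event.get("CommandLine", "").lower()) is not None)


def _image_is(event: dict, name: str) -> bool:
    return event["type"] == "ProcessCreate" and _exe(event.get("Image", "")) == name


def _reads_machine_guid(event: dict) -> bool:
    return event["type"] == "RegistryRead" and event.get("TargetObject", "").lower().endswith("\\machineguid")


# Technique ID -> predicate over one parsed event (IDs as in the table above).
RULES = [
    ("T1059", lambda e: _image_is(e, "cmd.exe")),
    ("T1053", lambda e: _image_is(e, "schtasks.exe")),
    ("T1060", lambda e: e["type"] == "RegistrySet"
                        and "\\currentversion\\run\\" in e.get("TargetObject", "").lower()),
    ("T1087", lambda e: _net_cmd(e, r"\b(user|localgroup)\b")),
    ("T1069", lambda e: _net_cmd(e, r"\b(localgroup|group)\b")),
    ("T1135", lambda e: _net_cmd(e, r"\b(view|share|use)\b")),
    ("T1018", lambda e: _net_cmd(e, r"\bview\b")),
    ("T1016", lambda e: _image_is(e, "ipconfig.exe")),
    ("T1012", _reads_machine_guid),
    ("T1082", _reads_machine_guid),
]


def analyze(lines) -> dict:
    """Return the technique IDs seen, whether an Office app spawned a shell, and a score."""
    hits = defaultdict(set)  # technique id -> images that triggered it
    office_spawned_shell = False
    for line in lines:
        event = parse_event(line)
        if (event["type"] == "ProcessCreate"
                and _exe(event.get("ParentImage", "")) in OFFICE_APPS
                and _exe(event.get("Image", "")) in SHELLS):
            office_spawned_shell = True  # the macro-to-shell step that starts the chain
        for technique, predicate in RULES:
            if predicate(event):
                hits[technique].add(event.get("Image", ""))
    # One technique alone is common admin noise; the Office-spawned shell weighs most.
    score = len(hits) + (3 if office_spawned_shell else 0)
    return {"techniques": sorted(hits), "office_spawned_shell": office_spawned_shell, "score": score}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Discovery commands such as `net view` or `ipconfig /all` are routine on their own, which is why the score weights the Office-to-shell parent relationship and counts distinct techniques rather than alerting on any single NET.EXE launch.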