During a routine threat hunting exercise last week, researchers came across a Twitter post in which a researcher shared new indicators of compromise (IOCs) related to the Qakbot malware, aka QBot.
The tweet from threat researchers ProxyLife said that Qakbot had been abusing the Windows 7 Calculator app for DLL sideloading attacks since at least July 11.
In a Cyble Research Labs blog post, researchers explained that Qakbot uses a mass spamming campaign to steal victims’ system credentials and uses them to make money. Apart from the financial impact, these attacks can also lead to fraud and identity theft for any victim of the Qakbot malware.
Qakbot operates as a strain of Windows malware that started out as a banking Trojan but evolved into a malware dropper. Researchers say it is often used by ransomware gangs in the early stages of an attack to drop Cobalt Strike beacons.
Using DLL sideloading to bypass endpoint protection has been a well-known technique for several years, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said what’s remarkable about this latest QBot malware campaign is that the first stage runs as a phishing attack, and the second relies on the Windows 7 Calculator app. On the first point, Parkin said he was re-emphasizing the need to educate users.
“While good anti-phishing-spam-malware tools for email can reduce risk, it’s ultimately up to users to know when not to open an attachment,” Parkin said. “This attack relies not only on opening the attachment, but also on using a provided password to decrypt it, which users really should know better than to do. They don’t, unfortunately; that’s the problem. Part 2 relies on the Windows 7 version of calc because the Windows 10 version is not vulnerable. Since Windows 7 was end of life almost two and a half years ago, this highlights the need to retire outdated operating systems and applications.”
Saryu Nayyar, Founder and CEO of Gurucul, added that malicious actors continue to leverage email attacks to trigger the initial compromise from which they can execute the core of their attack campaign. Nayyar said that once the user accidentally clicks on a link, the full malware is executed, and this opens systems to well-known tools like Cobalt Strike.
“The reality is that QBot Malware is undetected by many current SIEMs and even XDR tools based on masking it as a legitimate .DLL,” Nayyar said. “However, neither QBot nor Cobalt Strike are new tools. This shows that organizations need to invest in better security analytics, including a mature set of behavioral analytics, capable of detecting unusual activity and not just known attacks that have been modified as a new variant.”
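Parkin’s point about a copied-out Windows 7 calc.exe and Nayyar’s point about the DLL passing as legitimate both come down to the same behavioral signal: a built-in binary running from a user-writable path and resolving an unsigned DLL from its own directory instead of System32. The following is an added detection example written for this article, not code from the researchers quoted here or from Cyble; it runs over constructed records shaped like Sysmon Event ID 7 (Image loaded) fields, and the user path and DLL name in the sample are made up.

```python
"""Flag calc.exe DLL sideloading indicators in Sysmon-style image-load events."""
from pathlib import PureWindowsPath

# Constructed sample events in the shape of Sysmon Event ID 7 (Image loaded).
# Field names follow Sysmon; the user path and DLL name are made up for the demo.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\calc.exe",                    # benign: real calc
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\calc.exe",      # copied-out calc
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sideload.dll",  # constructed
     "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

# Directories where Microsoft binaries and their DLLs are expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Built-in binaries worth watching when they run from a user-writable path.
WATCHED_BINARIES = {"calc.exe"}


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def sideload_findings(events):
    """Return (image, module, reasons) for each event that looks like sideloading."""
    findings = []
    for ev in events:
        image, module = ev["Image"], ev["ImageLoaded"]
        reasons = []
        if PureWindowsPath(image).name.lower() in WATCHED_BINARIES and not _trusted(image):
            reasons.append("system binary executing outside a trusted directory")
        # Classic sideload: the loader resolves a DLL from its own directory rather
        # than System32, and that DLL carries no valid signature.
        same_dir = PureWindowsPath(image).parent == PureWindowsPath(module).parent
        if same_dir and not _trusted(module) and ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned DLL loaded from the process's own directory")
        if reasons:
            findings.append((image, module, reasons))
    return findings


if __name__ == "__main__":
    for image, module, reasons in sideload_findings(SAMPLE_EVENTS):
        print(f"{image} -> {module}: {'; '.join(reasons)}")
```

The benign first record produces nothing, while the copied-out calc.exe is flagged for both its location and the unsigned DLL it pulls from the same folder, which is the kind of behavioral rule Nayyar describes rather than a hash or filename match.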