QBOT Spam Campaign

Written by Roland Middelweerd and Frank de Korte from the Northwave CERT

In recent months Northwave has seen an increase in spam campaigns[1] containing the QBot backdoor malware. The threat actors behind the malware use stolen e-mails for these spam campaigns. The e-mails have a zip file attached which contains a Microsoft Office document. This document has an embedded malicious macro which installs Qbot upon execution. Images of commonly used software, such as Office 365 and DocuSign, are used to persuade users to execute the malicious macro. The section “Qbot Campaign” provides a detailed description of how Qbot works, using one of their phishing campaigns as an example.

In the past few months, the Northwave CERT investigated several ransomware infections where Qbot was used as the initial access vector. The exact same modus operandi was found during each investigation. Within 2 days (at most) after the execution of the Qbot malware, ransomware was used to encrypt multiple systems. The ransomware strains Egregor and DoppelPaymer were found during the investigations. Reports[2] mention that the ProLock ransomware strain has used Qbot as an initial access vector in the past.

In August 2020, a large phishing campaign was launched with Qbot as the attachment[3]. Qbot teaming up with the new ransomware strain Egregor resulted in the infection of a large number of victims by the Egregor ransomware[2]. According to MalwareBytes[4], even the elections in the United States of America were used for a Qbot phishing campaign. Attachments referring to the uncertainty regarding the election results were used to persuade its victims. Northwave expects a new Qbot phishing campaign starting from 21 January 2021, based on spikes in submissions to public anti-virus tools and other malware trackers, as well as an increase in calls to the Northwave CERT.

Qbot Campaign

As mentioned before, Qbot uses stolen e-mails for its phishing campaigns. By using a legitimate e-mail history, the victim is more easily convinced that the e-mail is legitimate, even though it is actually sent from a different e-mail address. A zip file is attached to the e-mail. This zip file contains a Microsoft Office document (often Word or Excel). The contents of the e-mail generally ask the recipient to open the attachment. An example of such an e-mail can be found in Figure 1. These example figures were obtained from and shared by the SANS Institute[5].

After unpacking the zip file, the user is presented, in this case, with a legacy (.xls) Excel file. Opening the Excel file reveals a fake DocuSign description, see Figure 2. According to the description, the file is encrypted; to access it, the user first needs to enable editing and then enable content. Doing this allows the malicious Visual Basic for Applications (VBA) macro to execute. Qbot uses images of DocuSign and Office 365 to gain the trust of its victims by showing a familiar environment.

Northwave opened a similar document in a sandboxed environment. After content is enabled, the Excel process uses an HTTP request to retrieve an image file from one of the Qbot staging websites. This image file can have different extensions, including “.png”, “.jpg” and “.gif”. Although the downloaded file has an image-related extension, it is actually a Windows executable. Figure 3 shows an example of an HTTP request and its response. The response starts with the characteristic “MZ” header, which leads to the conclusion that it contains an MS-DOS compatible executable.
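The MZ-versus-extension check described above, as an added defensive example (Python written for this article, not Northwave's tooling): it applies the DOS/PE header test to constructed download records such as a proxy or EDR would log, flags an image URL whose body is actually an executable, and flags it hardest when the requester is an Office process. The staging URLs, process names and byte blobs are constructed samples, not IoCs from the investigation.

```python
import struct
from typing import List, Optional, Tuple

# Magic bytes of the image formats the Qbot download pretends to be.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}

def is_pe(data: bytes) -> bool:
    """True when data has the 'MZ' DOS header and a PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def declared_image_ext(url: str) -> Optional[str]:
    """Extension the URL claims, if it is one of the image types Qbot uses."""
    ext = url.split("?", 1)[0].rsplit(".", 1)[-1].lower()
    return ext if ext in {"png", "jpg", "jpeg", "gif"} else None

def classify_download(process: str, url: str, body: bytes) -> str:
    """Label one download record: 'qbot-like', 'suspicious' or 'ok'."""
    ext = declared_image_ext(url)
    if ext is None:
        return "ok"
    if is_pe(body):
        # An image URL delivering a PE is the staging pattern; an Office
        # process as the requester matches the macro behaviour exactly.
        return "qbot-like" if process.lower() in OFFICE_PROCESSES else "suspicious"
    if not any(body.startswith(m) for m in IMAGE_MAGIC):
        return "suspicious"  # claims to be an image but is not one either
    return "ok"

def scan(records: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str]]:
    """Return (url, label) for every record that is not 'ok'."""
    alerts = []
    for process, url, body in records:
        label = classify_download(process, url, body)
        if label != "ok":
            alerts.append((url, label))
    return alerts

# Constructed sample data: a minimal PE-shaped blob (e_lfanew = 0x40), the first
# bytes of a real PNG, and a bare "MZ" with no PE signature behind it.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
SAMPLE_RECORDS = [
    ("EXCEL.EXE", "http://staging.example/img/444444.png", FAKE_PE),
    ("chrome.exe", "http://cdn.example/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 64),
    ("EXCEL.EXE", "http://staging.example/5555.jpg?x=1", b"MZ" + b"\0" * 70),
]
```

Calling `scan(SAMPLE_RECORDS)` returns the first record as qbot-like and the third as suspicious; the genuine PNG fetched by a browser produces no alert.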

According to research[6] by Check Point, the downloaded Windows executable implements several measures to make its analysis more difficult and to reduce its visibility. The executable is packed, uses string encryption and builds the import table dynamically based on the encrypted strings. Moreover, the executable uses anti-VM and anti-debug techniques. Persistence is achieved using the registry and the task scheduler.

Once the executable is running and has unpacked its necessary content, it contacts a Command & Control server for instructions. These instructions vary from downloading and installing new modules to using those modules for malicious actions. One of these modules collects e-mails by extracting all e-mails from the local Outlook client. These e-mails are then used by Qbot for new phishing campaigns. Other modules Qbot uses are[6]:

  • Password Grabber module: tries to steal credentials.
  • hVNC plugin: allows remote control using a VNC connection.
  • Cookie Grabber module: steals cookies from popular browsers.

It is clear that when a host is infected with Qbot, an attacker can remotely perform all sorts of malicious actions. The Northwave CERT has seen this and very similar campaigns in recent cases, almost always resulting in a ransomware attack. During a recent investigation, the Northwave CERT found that manual attacker activity was observed within 2 hours after the Qbot infection: network discovery was performed and attempts at lateral movement were made.

How to Protect Against Qbot?

Inform people about the dangers of this sort of phishing campaign. Make sure they have the knowledge and skills to recognise these types of e-mails. Always check the sender of an e-mail to verify that you are talking to the right person and not an impersonator. Moreover, blocking zip file attachments and disabling the execution of macros can reduce the effectiveness of a Qbot phishing campaign. People should know where and how they can report phishing e-mails, so that organisations can act on a phishing campaign in a timely manner. Depending on the technology used, Indicators of Compromise (IoCs) can be actively blocked and monitored to spot a successful phishing attempt at an early stage. The section below contains the IoCs that the Northwave CERT found during its recent investigations.

Indicators of Compromise