May QBot Persistence and Attack Details

Introduction

In May 2017, ActiveCanopy’s Cyber Operations Center was contacted to support and investigate an incident on an enterprise network of over 7,500 hosts at a non-profit organization. Subsequent analysis determined that the incident was an ongoing infection affecting over 2,000 hosts, and uncovered three polymorphic Qbot variants.

Discoveries and remediation included:

  • Identified/blocked hashes across ~2,000 infected hosts
  • Detected 3 variants of polymorphic Qbot/Qakbot worms not detected by over 60 anti-virus providers
  • Developed and executed custom tools to block and remove tasks set to control Command and Control communications and executables for the identified malware
  • Identified beaconing to 200+ Command and Control IP addresses related to Qbot and recommended firewall blocking
  • Isolated 3 systems involved with unauthorized banking transactions and analyzed sessions to determine attack vector coordinated with Qbot attack methodologies.

Qbot Purpose

Qbot, also known as Qakbot, is a network-aware worm with backdoor capabilities, primarily designed as a credential harvester for financial data. It does so by stealing data contained in stored cookies or credentials, and by injecting code into web browsers to manipulate live browsing sessions. Qbot lets malicious actors piggyback on the victim’s browsing sessions, enabling them to bypass security controls such as simple implementations of two-factor authentication. If the user does not log out completely from a session, that session can be hijacked via a JavaScript inject to control bank account transactions autonomously.

W32.Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence.

Process Analysis

The server-based polymorphism used by Qbot allows it to largely avoid AV detection. As a result, at the time of discovery the malicious software was not detected by any of the top 62 virus engines listed on VirusTotal. ActiveCanopy analysts created custom behavior rules and pushed them out to the endpoint tool, as specific alerts were building the fingerprint of a widespread Qbot infection, given the infected host count and alerting frequency.

Signatures for watchlists were then created based on the following information. Subsequently, ActiveCanopy built an automated removal tool to block all new variants before start-up, remove malicious scheduled tasks set to restart the bot, and remove the bot executables as Qbot propagated to more endpoints. This was compounded by the client’s efforts to re-image new computers and redeploy them to the network. Re-infection and spread were a constant challenge.

  1. Beaconing to known C&C IPs:
    • (hosts communicating with multiple Qbot IPs over TCP ports 990, 995, 22, 443, 2222, 22, 21, 80)
  2. Unsigned executables with Company Names of ‘Nokia Corporation and/or its subsidiary(-ies)’ and ‘Bang Microsoft’
  3. Multiple explorer.exe “cross process injects” seen
  4. Connection attempts to network speed tests
  5. Shares seen being used to propagate: Print$, C$, Admin$
  6. Qbot dropped itself into a newly created directory with a random filename:
    • (c:\users\*\appdata\roaming\microsoft\*\*)
  7. Windows Scheduled Tasks initiated propagation of Qbot. Patient Zero only had to run the initial polymorphic malware once to start a chain reaction that spread via the Print$, C$ and Admin$ shares.

Polymorphism

Polymorphic malware is “mal-code” engineered to “morph”, or change from its original form, every time it is compiled and executed, in order to evade detection. Its changing characteristics include file names, types, or encryption keys, making the malware unrecognizable to traditional security tools. Polymorphic malware can include viruses, worms, trojans, or spyware, which constantly change.

The first step of polymorphism changes the binary without affecting its purpose, and is accomplished by a script that runs within the C&C channels. Each time a new updated copy is retrieved, the C&C script patches two large sections within the binary frame with random data to produce a new copy with a different hash value. This makes hash values for this binary unusable as indicators of compromise.

In the second step of polymorphism, the entire copy is compiled and encrypted, so that its structure is completely different from the original version it was replicated from. Also within the C&C channels is a new configuration file that contains an updated list of C&C and FTP URLs for exfiltration. When a beacon is sent to the C&C, the request includes the bot’s current version. The ‘gateway’ PHP script compares this version and, if it is older than the latest version, delivers the ‘updbot’ (‘update bot’) task. When the bot receives the ‘updbot’ task/command, it downloads a new version of the bot from the C&C and installs it to update itself. When the malware is activated the code is scrambled, and right before execution it is unscrambled to its original code. Although the appearance of the code changes with each execution, the function remains uniform. For example, polymorphic spyware will continue to collect the user’s private information and send it to the attacker.

Because polymorphic malware can change its code patterns, behavior-based detection tools such as endpoint detection and response or advanced threat protection, which can pinpoint threats in real time, are capable of being more precise than conventional signature-based methods. The server-based polymorphism used by Qbot allows it to avoid many anti-virus detection solutions. Out of 61 AV vendors, only a couple of reputable AV vendors are reliably able to detect Qbot or, to be specific, generically detect its external encryptor. After a few days, the same sample is normally detected by more than half of the AV engines. However, as the bot normally updates itself with a new version within a day or two, it keeps ahead of this process and remains undetected for long periods.

Infection Vector

Qbot spreads by exploiting vulnerabilities when a user visits certain web pages. Exploit code hosted at these remote locations downloads the threat onto the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker. It also copies itself to removable drives. Once delivered through email or other means, the bot registers itself on the system, performs a speed test to determine the network connection bandwidth, then contacts the Command and Control (C&C) server via its internal Domain Generation Algorithm (DGA) and sends an initial beacon to the FTP server. The beacon contains a list of installed software, whether the local user has admin rights, and the external IP address of the infected network.

Once Qbot is executed in its install directory, it executes a new instance of the Windows executable “Explorer.exe”. The injected process loads the resource “IDB_BITMAP1” which contains a malicious DLL. The resource is decrypted using the first 20 bytes as an RC4 key. The decrypted data contains the DLL in a compressed form, preceded by the SHA1 hash of the compressed data.
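To check that a dumped IDB_BITMAP1 resource has the layout described above, an analyst can decrypt it and verify the embedded SHA1. The following is an added example, not code from the original report or from the malware. It assumes the 20-byte key is stored in front of the ciphertext; the function names and sample bytes are constructed, and because the compression format is not stated here the code returns the still-compressed payload.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def unwrap_resource(resource: bytes) -> bytes:
    """Decrypt a dumped resource and return the still-compressed payload.

    Assumed layout: [20-byte RC4 key][RC4(SHA1(compressed) + compressed)].
    Raises ValueError when the embedded SHA1 does not match.
    """
    if len(resource) <= 40:
        raise ValueError("too short for key + SHA1 + payload")
    key, ciphertext = resource[:20], resource[20:]
    plain = rc4(key, ciphertext)
    digest, compressed = plain[:20], plain[20:]
    if hashlib.sha1(compressed).digest() != digest:
        raise ValueError("SHA1 mismatch: wrong resource, wrong layout or truncated dump")
    return compressed

# Constructed stand-in for the compressed DLL; not real malware data.
CONSTRUCTED_PAYLOAD = b"constructed bytes standing in for the compressed DLL"

def make_constructed_resource() -> bytes:
    """Build a test resource in the assumed layout from the constructed payload."""
    key = bytes(range(1, 21))
    inner = hashlib.sha1(CONSTRUCTED_PAYLOAD).digest() + CONSTRUCTED_PAYLOAD
    return key + rc4(key, inner)

if __name__ == "__main__":
    payload = unwrap_resource(make_constructed_resource())
    print(len(payload), "bytes recovered, SHA1 verified")
```

A SHA1 mismatch on a real dump is itself useful: it tells the analyst the resource was truncated or that the variant uses a different layout.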

Speed Test

The bot tests the network speed by downloading a file from the following URL:

http://[CITY].speedtest.comcast.net/speedtest/random750x750.jpg?x=[RANDOM_NUMBER]&

Connection to 205.171.198.30 on tcp/8080 (minneapolis.speedtest.centurylink.net)

Process Injection

The malware injects itself into the running process explorer.exe. Whenever another process starts up, that process will also be infected. The injected component of the bot is a DLL. When executed, the DLL will extract its strings, configuration, APIs, and critical strings block into heap-allocated buffers.

To coordinate the functions of all the injected instances, Qbot uses IPC (inter-process communication) based on memory pipes.

Explorer is most likely injected to obtain system-level permissions, so that the bot runs at a higher privilege and can set a couple of scheduled tasks. The Print Audit 6 client is also injected.

“C:\Windows\system32\schtasks.exe” /create /tn {A04F4DC7-6FF9-4B35-A1CA-8535FFF3B15C} /tr “cmd.exe /C \”start /MIN C:\Windows\system32\cscript.exe //E:javascript \”C:\Users\Administrator\AppData\Local\Microsoft\tcvoo.wpl\”\”” /sc WEEKLY /D TUE /ST 12:00:00 /F

Scheduled task creating a service that runs on Tuesday at 12am.

“C:\Windows\system32\schtasks.exe” /create /tn {57E700A7-645B-4C0E-A82C-E5ADDBF59F8F} /tr “\”C:\Users\Administrator\AppData\Roaming\Microsoft\Tcvooc\tcvoo.exe\”” /sc HOURLY /mo 7 /F

Scheduled task creating a service that runs hourly every day.
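The two schtasks command lines above share traits that can be matched in process-creation logs: a bare GUID as the task name, an action that runs from a user's AppData directory, and cscript forced to the JavaScript engine on a file that is not a .js file. The following is an added example, not ActiveCanopy's tooling; the finding labels and the benign third sample are constructed for illustration.

```python
import re

# Constructed sample: the two schtasks command lines quoted on this page
# (straight quotes) plus one benign task, as seen in process-creation logs.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\schtasks.exe" /create /tn {A04F4DC7-6FF9-4B35-A1CA-8535FFF3B15C} '
    r'/tr "cmd.exe /C \"start /MIN C:\Windows\system32\cscript.exe //E:javascript '
    r'\"C:\Users\Administrator\AppData\Local\Microsoft\tcvoo.wpl\"\"" /sc WEEKLY /D TUE /ST 12:00:00 /F',
    r'"C:\Windows\system32\schtasks.exe" /create /tn {57E700A7-645B-4C0E-A82C-E5ADDBF59F8F} '
    r'/tr "\"C:\Users\Administrator\AppData\Roaming\Microsoft\Tcvooc\tcvoo.exe\"" /sc HOURLY /mo 7 /F',
    r'schtasks.exe /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\run.exe" /sc DAILY /ST 02:00',
]

IS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
GUID_TN = re.compile(r'/tn\s+"?\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
# /tr value: a quoted string that may contain backslash-escaped quotes.
TR_VALUE = re.compile(r'/tr\s+"((?:\\.|[^"\\])*)"', re.I)
PROFILE_PATH = re.compile(r'\\Users\\[^\\"]+\\AppData\\(?:Local|Roaming)\\', re.I)
# Script path following a forced JScript engine switch; path must be quoted.
FORCED_ENGINE = re.compile(r'//E:(?:javascript|jscript)\s+(?:\\?")?([^"]+?)\\?"', re.I)

def task_findings(cmdline: str) -> list:
    """Return the reasons a 'schtasks /create' command line resembles the ones above."""
    if not IS_CREATE.search(cmdline):
        return []
    findings = []
    if GUID_TN.search(cmdline):
        findings.append("guid-task-name")
    tr = TR_VALUE.search(cmdline)
    action = tr.group(1) if tr else ""
    if PROFILE_PATH.search(action):
        findings.append("action-in-user-appdata")
    engine = FORCED_ENGINE.search(action)
    if engine and not engine.group(1).lower().endswith((".js", ".jse")):
        findings.append("script-engine-forced-on-non-js-file")
    return findings

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(task_findings(line), "<-", line[:60])
```

None of the three checks depends on the file hash or the random file name, so they keep matching after the bot updates itself.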

Qbot attempted to piggy-back on existing auto-run entries (Realtek audio and Print Audit 6), modifying these entries to start Qbot instead and passing a parameter so that the intended application runs as well. It was seen using the auto-run function in the Realtek audio app, which also contains a known privilege escalation vulnerability, and “Print Audit 6” for its use of the print$ shares for propagation.

(c:\program files\realtek\audio\hda\rtdcpl64.exe)
(c:\program files (x86)\print audit inc\print audit 6\client\pa6wtrak64.dll)

Configuration

Qbot has an internal table that stores configuration parameters to use. This starts as a default table, containing FTP credentials, C&C settings and timestamps. Qbot then updates some of its parameters.

Persistence

When executed, Qbot drops itself into a new directory, within one of the existing ‘APPDATA’ directories, such as:

APPDATA\roaming\Microsoft\[random_filename]\[random_filename].exe

It then registers itself as a service, using an existing service name and depending on another existing service. For example, it may register itself with the following service parameters:

ImagePath: “APPDATA\roaming\Microsoft\[random_filename]\[random_filename].exe /D”

DisplayName: “Remote Procedure Call (RPC) Service”

DependOnService: ‘Dnscache’

ObjectName: “LocalSystem”

Start type: Automatic

Service status: Stopped

It then creates an auto-run registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random_filename] = “APPDATA\roaming\Microsoft\[random_filename]\[random_filename].exe”

If possible, Qbot will attempt to piggy-back on an existing auto-run entry, modifying this entry to start Qbot instead, passing a parameter to also run the intended application as well. For example, the messenger’s key MSMSGS is modified as:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = ““APPDATA\roaming\Microsoft\[random_filename]\[random_filename].exe” /c “[PATH]\msmsgs.exe” /background”

The [random_filename] is not in fact random; it’s calculated from the system footprint. Hence, if the bot is executed on a previously cleaned machine, it will generate the same [random_filename], as the system footprint did not change.
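Because the install path is stable on a given machine, the registry persistence described in this section can be audited by path and command-line shape instead of by hash. The following is an added example, not part of the original report; the user name, the service names, the messenger path and the exported values are constructed, while the yixuhkxi\yixuhkx.exe path is the one listed in the IOC table.

```python
import re

# An .exe exactly one directory below AppData\Roaming\Microsoft, optionally quoted.
DROP_EXE = r'"?(?P<bot>[^"]*\\AppData\\Roaming\\Microsoft\\[^\\"]+\\[^\\"]+\.exe)"?'
# Run value: the dropped exe, optionally wrapping the original program via /c "...".
RUN_VALUE = re.compile(r'^\s*' + DROP_EXE + r'(?:\s+/c\s+"(?P<wrapped>[^"]+)")?', re.I)
SERVICE_PATH = re.compile(r'^\s*' + DROP_EXE + r'(?:\s|$)', re.I)

def check_run_values(values: dict) -> dict:
    """Map Run value name -> 'new-entry' or 'piggy-back:<original program>'."""
    hits = {}
    for name, data in values.items():
        m = RUN_VALUE.match(data)
        if m:
            wrapped = m.group("wrapped")
            hits[name] = "piggy-back:" + wrapped if wrapped else "new-entry"
    return hits

def check_services(services: list) -> list:
    """Names of services that run from a user profile as LocalSystem."""
    return [svc["Name"] for svc in services
            if SERVICE_PATH.match(svc["ImagePath"])
            and svc["ObjectName"].lower() == "localsystem"]

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_KEY = {
    "yixuhkx": r'"C:\Users\alice\AppData\Roaming\Microsoft\yixuhkxi\yixuhkx.exe"',
    "MSMSGS": r'"C:\Users\alice\AppData\Roaming\Microsoft\yixuhkxi\yixuhkx.exe"'
              r' /c "C:\Program Files\Messenger\msmsgs.exe" /background',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
# Constructed service records; "SampleSvc" is a hypothetical name.
SERVICES = [
    {"Name": "RpcSs", "DisplayName": "Remote Procedure Call (RPC)",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k rpcss",
     "ObjectName": "NT AUTHORITY\\NetworkService"},
    {"Name": "SampleSvc", "DisplayName": "Remote Procedure Call (RPC) Service",
     "ImagePath": r"C:\Users\alice\AppData\Roaming\Microsoft\yixuhkxi\yixuhkx.exe /D",
     "ObjectName": "LocalSystem"},
]

if __name__ == "__main__":
    print(check_run_values(RUN_KEY))
    print(check_services(SERVICES))
```

For a piggy-backed entry, the wrapped path is what the Run value should be restored to during cleanup.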

Qbot was successful in spreading to open shares across the network, including the default shares Print$, C$ and Admin$.

By using stolen IE credentials, in addition to credentials intercepted from the network traffic, Qbot attackers were able to gain access to other FTP servers that may be used to infect other websites with the exploit kits, in order to disseminate their malware further.

For inter-process communications, Qbot uses a named pipe called “\\.\pipe\[RANDOM_FILENAME]sp”, where [RANDOM_FILENAME] is the calculated name of the Qbot used for installation, e.g. there will be [RANDOM_FILENAME].exe and [RANDOM_FILENAME].dll files in the system.

IOCs

Location of exe: C:\Users\%USERNAME%\AppData\Local\Microsfot\*.[exe][dll]

Scheduled Tasks: cmd /C “start /MIN C:\Windows\system32\cscript.exe //E:javascript “C:\Users\DeverickCora21\AppData\Local\Microsoft\uesjlkt.wpl”

Registry Key: HKCU\Software\Microsoft\CurrentVersion\Run: “C\Users\[username]\appdata\roaming\microsoft\yixuhkxi\yixuhkx.exe”

C2:
  • IP 74.5.136.50 over TCP port 990
  • IP 67.10.229.104 over 443
  • IP 50.198.141.161 over 2078
  • IP 105.224.196.216 over 443
  • IP 174.135.45.106 over 443
  • IP 89.154.213.154 over 2222
  • IP 173.25.234.18 over 443
  • IP 66.165.13.205 over 32103

Speed test: http://[CITY].speedtest.comcast.net/speedtest/random750x750.jpg?x=[RANDOM_NUMBER]&

Shares: C$, Admin$, Print$

Publisher/Company Names: ‘Nokia Corporation and/or its subsidiary(-ies)’ and ‘Bang Microsoft’

Signature Status: “Unsigned”

Table 2. IOC Information
