QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a banking Trojan that was first observed in 2007. Today, Qbot remains a vicious and persistent threat to organizations and has become one of the leading banking Trojans globally. Over the years, it has changed its initial techniques for delivering payloads: VBA macros, Excel 4 macros, VBS files, exploits such as Follina, and so on. Recently, at Quick Heal’s Security Labs, we came across a new technique that QBot leverages for its attack. It is called an “HTML Smuggling attack.”
When the victim opens the HTML attachment, the script inside it decodes the embedded file and saves it locally. Because the payload travels encoded inside the HTML, no recognisable malicious content crosses the network, so network filters and firewalls are bypassed; hence this attack method is gaining popularity among cybercriminals.
In one of the documents we analyzed, an HTML element was created with the “document.createElement” method. Attackers took advantage of this element to distribute the payload as a zip archive. The base64-encoded data for the zip file can be seen in the image below:
Fig. 1 – HTML Smuggling Template
When the HTML file is opened, it makes the user believe a zip file is being downloaded, whereas the zip is already embedded in the HTML file. The password, “abc555”, is highlighted in the image below.
Fig. 2 – Zip Download
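The smuggling mechanism described above (a base64 blob that the page's own JavaScript turns back into a zip and hands to the user as a "download") can be triaged statically before the browser ever runs it. The following is an added example, not code from the original post or from Quick Heal: it scans an HTML file for the decode-and-download APIs, decodes every long base64 run it finds, and identifies the decoded bytes by magic number (zip, PE, ISO). The sample HTML it builds is a constructed stand-in that embeds a harmless zip, not the real "REJ_2975" sample.

```python
import base64
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# JavaScript APIs a smuggling page needs to turn an embedded string back
# into a file and present it as a download (assumed indicator set).
SMUGGLING_APIS = {
    "createElement_a": r"document\.createElement\s*\(\s*['\"]a['\"]\s*\)",
    "atob": r"\batob\s*\(",
    "blob": r"new\s+Blob\s*\(",
    "objectURL": r"URL\.createObjectURL\s*\(",
    "download_attr": r"\.download\s*=",
    "click": r"\.click\s*\(\s*\)",
    "msSaveOrOpenBlob": r"msSaveOrOpenBlob",
}
# Long runs of base64 alphabet; a real payload is far longer than 200 chars.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class Finding:
    apis_hit: List[str] = field(default_factory=list)
    embedded_files: List[Tuple[int, str, int]] = field(default_factory=list)  # (offset, kind, size)
    suspicious: bool = False


def classify_bytes(data: bytes) -> Optional[str]:
    """Identify a decoded blob by its magic bytes (zip, PE, ISO 9660)."""
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    return None


def analyze_html(html: str) -> Finding:
    """Flag a page that both uses smuggling APIs and embeds a decodable file."""
    finding = Finding()
    finding.apis_hit = [name for name, pat in SMUGGLING_APIS.items() if re.search(pat, html)]
    for m in BASE64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        kind = classify_bytes(raw)
        if kind:
            finding.embedded_files.append((m.start(), kind, len(raw)))
    # Two or more decode/download APIs plus an embedded file is the smuggling shape.
    finding.suspicious = bool(finding.embedded_files) and len(finding.apis_hit) >= 2
    return finding


def build_sample_html() -> str:
    """Constructed stand-in for the smuggling template: a harmless zip holding
    one placeholder text entry, base64-embedded next to the usual
    decode-and-download JavaScript. Not the real sample from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("REJ_2975.iso", b"constructed placeholder, not a disk image\n" * 20)
    blob = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><script>\n"
        f'var data = "{blob}";\n'
        "var bytes = atob(data);\n"
        "var a = document.createElement('a');\n"
        "a.href = URL.createObjectURL(new Blob([bytes]));\n"
        "a.download = 'REJ_2975.zip';\n"
        "a.click();\n"
        "</script></body></html>"
    )


if __name__ == "__main__":
    import sys
    html = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else build_sample_html()
    result = analyze_html(html)
    print("APIs:", result.apis_hit)
    print("Embedded files (offset, kind, size):", result.embedded_files)
    print("SUSPICIOUS" if result.suspicious else "clean")
```

Run it against a mail-gateway quarantine folder to get a quick verdict per attachment. The decoder only catches a blob stored as one contiguous base64 string; samples that split the string into concatenated chunks, reverse it, or XOR it before base64 will still trip the API indicators but not the file identification, so treat `apis_hit` alone as worth a second look.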
After extracting the zip file, we get the “REJ_2975” disk image file, which in turn contains several files.
Fig. 3 – Extracted files from ISO
The shortcut file “REJ” is then responsible for carrying the attack further. Its task is to execute the “reprocesses” command script in the “oslo” folder. That command script in turn executes the final QBot loader DLL, named “counteractively.dat”, as shown in the following figure:
Fig. 4 – Execution Commands
Later, the payload is injected into wermgr.exe via process hollowing:
Fig. 5 – Execution Commands
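The execution chain just described (shortcut, command script on the mounted image, regsvr32.exe loading a file with a “.dat” extension, then wermgr.exe as the hollowing target) is visible in ordinary process-creation telemetry. The detection logic below is an added example, not code from the post or from Quick Heal; it runs three parent/child and command-line rules over constructed Sysmon-style events that mimic the chain plus benign look-alikes. The drive-letter test for the script and the list of "script host" parents are assumed heuristics, and the ATT&CK id T1055.012 (Process Hollowing) is added here; it is not in the post's own technique table.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# Constructed process-creation events (Sysmon Event ID 1 style), not real
# telemetry: the chain from the post (LNK -> cmd -> regsvr32 .dat -> wermgr)
# followed by benign look-alikes that must not alert.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 900,  r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "E:\oslo\reprocesses.cmd"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe E:\oslo\counteractively.dat"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\wermgr.exe", "wermgr.exe"),
    ProcEvent(2000, 900,  r"C:\Windows\System32\svchost.exe", "svchost.exe -k WerSvcGroup"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\wermgr.exe", "wermgr.exe -upload"),
    ProcEvent(2200, 1000, r"C:\Windows\System32\regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'),
]

LEGIT_REGSVR32_EXT = {".dll", ".ocx", ".ax"}
# Parents from which wermgr.exe has no business starting (assumed heuristic list).
SCRIPT_HOSTS = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# A .cmd/.bat on a drive letter other than the system drive: a mounted ISO
# gets its own letter, which is how the LNK reaches oslo\reprocesses.cmd.
NON_SYSTEM_SCRIPT = re.compile(r'\b[D-Z]:\\[^"\s]*\.(?:cmd|bat)\b', re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, ATT&CK id, description) for each suspicious event."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[int, str, str]] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: Explorer (i.e. a double-clicked shortcut) starting cmd.exe
        # with a script that lives on a non-system drive.
        if name == "cmd.exe" and pname == "explorer.exe" and NON_SYSTEM_SCRIPT.search(e.cmdline):
            alerts.append((e.pid, "T1553.005",
                           "cmd.exe from Explorer running a script on a non-system drive (mounted ISO?)"))
        # Rule 2: regsvr32.exe asked to load something that is not a COM DLL.
        if name == "regsvr32.exe":
            paths = [t for t in tokens(e.cmdline)[1:] if not t.startswith(("/", "-"))]
            for p in paths:
                if ntpath.splitext(p)[1].lower() not in LEGIT_REGSVR32_EXT:
                    alerts.append((e.pid, "T1218.010", f"regsvr32.exe loading non-DLL extension: {p}"))
        # Rule 3: wermgr.exe spawned by a script host or LOLBin: hollowing candidate.
        if name == "wermgr.exe" and pname in SCRIPT_HOSTS:
            alerts.append((e.pid, "T1055.012", f"wermgr.exe spawned by {pname}: process hollowing candidate"))
    return alerts


if __name__ == "__main__":
    for pid, ttp, desc in detect(SAMPLE_EVENTS):
        print(f"pid {pid} [{ttp}] {desc}")
```

Rule 2 is the one with the best signal-to-noise: regsvr32.exe has no legitimate reason to be handed a “.dat” file. Rule 3 needs tuning per environment, since error reporting can legitimately start wermgr.exe from a few system parents; the point is that a regsvr32.exe parent is never one of them.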
This Qbot loader DLL is a 32-bit Delphi-compiled binary with no exported functions.
Fig. 6 – QBot loader information
Qbot also performs defense-evasion checks; in this case, it detects the Windows Defender emulation environment by checking for the file “C:\INTERNAL\__empty”.
Fig. 7 – QBot checking Windows Defender
Qbot uses registry entries and self-replication to attain persistence. Once the payload executes, Qbot gains persistence in two steps:
1. Folder creation: a folder with a random name is created, and the DLL copy dropped into it is loaded via regsvr32.exe, as shown below:
Fig. 8 – Folder Creation with a random name
2. Dumping config data into the registry: in the latest payload versions, Qbot has moved away from creating its config file in “.dat” format. Instead, it writes the entry for its cloned DLL on the victim machine as encrypted registry values under the ‘HKCU\Software\Microsoft\[RandomString]’ key.
Fig. 9 – Registry Entries
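Because the config is now stored as encrypted values under a randomly named subkey of HKCU\Software\Microsoft, the persistence described in step 2 can be hunted for without knowing the key name: look for direct children of that path whose values are all REG_BINARY blobs with near-maximal entropy. The script below is an added example, not code from the post or from Quick Heal. It runs the check over a constructed registry snapshot (the subkey name “Tqbvzmhd”, the value names and the seeded-random blobs are all placeholders) and, on Windows with `--live`, over the real hive via the standard `winreg` module. The 7.0 bits-per-byte threshold and the minimum of two values are assumed tuning choices.

```python
import math
import random
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

BASE = r"HKCU\Software\Microsoft"


@dataclass
class RegValue:
    key: str    # full key path, e.g. HKCU\Software\Microsoft\Tqbvzmhd
    name: str
    kind: str   # "REG_BINARY" or "other"
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random data sits near 8.0, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hunt_config_keys(values: List[RegValue], min_entropy: float = 7.0,
                     min_values: int = 2) -> List[Tuple[str, int, float]]:
    """Flag direct subkeys of HKCU\\Software\\Microsoft whose values are all
    REG_BINARY blobs of high entropy, i.e. shaped like an encrypted config.
    Returns (key, number of values, lowest entropy seen)."""
    by_key: Dict[str, List[RegValue]] = {}
    for v in values:
        by_key.setdefault(v.key, []).append(v)
    hits = []
    for key, vals in by_key.items():
        # Only direct children: exactly one path component after BASE.
        if not key.lower().startswith(BASE.lower() + "\\") or key.count("\\") != BASE.count("\\") + 1:
            continue
        if len(vals) < min_values or any(v.kind != "REG_BINARY" for v in vals):
            continue
        lowest = min(shannon_entropy(v.data) for v in vals)
        if lowest >= min_entropy:
            hits.append((key, len(vals), round(lowest, 2)))
    return hits


def sample_values() -> List[RegValue]:
    """Constructed registry snapshot, not real data: one random-named key with
    three seeded-random blobs standing in for the encrypted config, plus
    ordinary keys with readable values that must not be flagged."""
    rng = random.Random(2022)
    blobs = [bytes(rng.getrandbits(8) for _ in range(1024)) for _ in range(3)]
    fake_key = BASE + r"\Tqbvzmhd"     # placeholder for [RandomString]
    return [
        RegValue(fake_key, "a1f3e9", "REG_BINARY", blobs[0]),
        RegValue(fake_key, "7c02bd", "REG_BINARY", blobs[1]),
        RegValue(fake_key, "e55a10", "REG_BINARY", blobs[2]),
        RegValue(BASE + r"\Windows\CurrentVersion\Run", "OneDrive", "other", b"C:\\Users\\u\\OneDrive.exe"),
        RegValue(BASE + r"\Office", "Version", "other", b"16.0"),
        RegValue(BASE + r"\Notepad", "lfFaceName", "REG_BINARY", b"Consolas\x00" * 4),
    ]


def collect_live() -> List[RegValue]:
    """Live collection on Windows via winreg; subkeys that cannot be opened are skipped."""
    import winreg
    out: List[RegValue] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, i)
            try:
                k = winreg.OpenKey(root, sub)
            except OSError:
                continue
            with k:
                for j in range(winreg.QueryInfoKey(k)[1]):
                    name, data, typ = winreg.EnumValue(k, j)
                    kind = "REG_BINARY" if typ == winreg.REG_BINARY else "other"
                    out.append(RegValue(f"{BASE}\\{sub}", name, kind, data if isinstance(data, bytes) else b""))
    return out


if __name__ == "__main__":
    values = collect_live() if sys.platform == "win32" and "--live" in sys.argv else sample_values()
    for key, count, ent in hunt_config_keys(values):
        print(f"{key}: {count} REG_BINARY values, lowest entropy {ent} bits/byte")
```

Expect some legitimate software to store opaque binary settings under this path too, so treat a hit as a lead to correlate with the regsvr32.exe load from step 1 rather than as a verdict on its own; keeping a baseline of known subkey names per build image trims the noise quickly.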
As shown in the following figure, the injected process “wermgr.exe” makes connections to hard-coded IPs:
Fig. 10 – C2 Communication IPs
Detection name (HTML attachment): HTML.QBot.47153
Detection name (QBot loader DLL): Trojan.Qakbot
| Technique ID | Technique |
|---|---|
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass |
| T1027 | Obfuscated Files or Information |
| T1218.010 | System Binary Proxy Execution: Regsvr32 |
| T1010 | Application Window Discovery |
| T1082 | System Information Discovery |
| T1071.001 | Application Layer Protocol: Web Protocols |