Qbot Malware Phishing Steps & Detection


1. Initial Access / Phishing: Spearphishing Attachment (T1566.001)

Malicious email carrying an .html attachment.

The threat actor lures the user into opening the email and its .html attachment. Because the attachment is only HTML, it passes mail-gateway controls that block archives and executables.


2. Defense Evasion / Obfuscated Files or Information: HTML Smuggling (T1027.006)

The user opens the saved .html file from the Downloads folder, so it renders in the browser. Script inside the page decodes an embedded payload and uses HTML Smuggling to write a .ZIP file to disk; the gateway never saw the archive, only the HTML that reconstructs it client-side.

Process: chrome.exe  CommandLine: --single-argument *.html  Path: *\Users\*\Downloads\*
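Static triage of a suspicious .html attachment, as an added example that is not part of the original article. It looks for the two things HTML smuggling cannot avoid: a large base64 literal that decodes to a real container (ZIP, PE or ISO) and the browser APIs needed to save it (atob, Blob, createObjectURL / msSaveOrOpenBlob, a synthetic download click). The lure HTML and the ZIP it carries are constructed inside the script; the 200-character minimum and the "three APIs" threshold are assumptions, not values from the page.

```python
"""Static triage of an .html attachment for HTML-smuggling traits.

Added example, not from the original article. The HTML and the ZIP it carries
are constructed here so the script runs offline; no real Qbot sample is used.
"""
import base64
import binascii
import io
import re
import zipfile

# Browser APIs HTML smuggling needs to rebuild a file client-side and save it.
SMUGGLING_APIS = ("atob(", "Blob(", "createObjectURL", "msSaveOrOpenBlob",
                  ".download", ".click(")
# Assumed threshold: a base64 run shorter than 200 chars is unlikely to be a payload.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def identify(data: bytes) -> str:
    """Type the decoded blob from magic bytes (ISO9660 puts its magic at 0x8001)."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    return "unknown"


def inner_names(data: bytes) -> list:
    """File names inside a ZIP. Works on password-protected archives too: only
    member contents are encrypted, the central directory stays readable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(html: str) -> dict:
    """Flag the combination that defines HTML smuggling: a large base64 literal that
    decodes to a container plus the script APIs needed to write it to disk."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # long alphanumeric run that is not valid base64
        kind = identify(data)
        payloads.append({"kind": kind, "size": len(data),
                         "inner": inner_names(data) if kind == "zip" else []})
    has_container = any(p["kind"] != "unknown" for p in payloads)
    if has_container and len(apis) >= 3:  # assumed scoring threshold
        verdict = "html_smuggling_suspected"
    elif has_container or apis:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "apis": apis, "payloads": payloads}


def build_sample_html() -> str:
    """Constructed lure: a ZIP holding a placeholder 'Document.iso', smuggled the way
    the article describes (decode, Blob, object URL, synthetic click)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.iso", b"placeholder, not a real ISO image " * 10)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><p>Loading document...</p><script>
var b64 = "{b64}";
var bytes = Uint8Array.from(atob(b64), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Document.zip';
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(triage(build_sample_html()))
```

Running the file prints the verdict for the constructed lure, the APIs found and the decoded payload with the ISO name visible inside the ZIP. The same `triage()` call works on any saved attachment read from disk; the nested file listing is what tells you whether step 3 (an ISO inside the archive) is coming next.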


3. Defense Evasion / Subvert Trust Controls: Mark-of-the-Web Bypass (T1553.005)

The dropped archive is a password-protected .ZIP that contains an .ISO image.

The user extracts the ISO from the password-protected ZIP. The password keeps content inspection out of the archive, and files inside a mounted ISO historically did not inherit the Mark-of-the-Web, so SmartScreen and Protected View warnings are not shown when the contents run. Note that recent Windows updates propagate MOTW into mounted ISO contents, so this step depends on the victim's patch level.


4. Execution / User Execution: Malicious File (T1204.002)

The user executes a malicious Windows shortcut (.LNK) from the mounted ISO; the shortcut launches a copy of calc.exe that ships inside the same image.

Only the .LNK is visible in the mounted ISO: the remaining items (calc.exe and its DLLs) carry the hidden attribute, so the user sees a single shortcut and clicks it.


5. Defense Evasion / Hijack Execution Flow: DLL Side-Loading (T1574.002)

calc.exe loads the adversary-crafted WindowsCodecs.dll placed beside it instead of the genuine one in System32, because the application directory is searched first.

Process: calc.exe

Sysmon event ID: 7 (Image loaded)

ImageLoaded: C:\Users\User\Downloads\..\WindowsCodecs.dll


6. Defense Evasion / System Binary Proxy Execution: Regsvr32 (T1218.010)

Code in the side-loaded DLL, running inside calc.exe, spawns the Microsoft-signed regsvr32.exe to load the Qbot loader DLL.

ParentProcess: calc.exe

Process: regsvr32.exe


7. Defense Evasion / Process Injection (T1055)

The Qbot loader DLL running in regsvr32.exe starts a fresh instance of a trusted process and injects the core payload into it. Recent versions have been seen injecting into explorer.exe, wermgr.exe, msra.exe and others.

ParentProcess: regsvr32.exe

Process: explorer.exe / wermgr.exe


8. Persistence / Scheduled Task/Job: Scheduled Task (T1053.005)

The injected explorer.exe creates a scheduled task for persistence.

ParentProcess: explorer.exe

Process: schtasks.exe

9. Defense Evasion / Modify Registry (T1112)

The injected explorer.exe writes new registry values.

Sysmon event ID: 13 (Registry value set)

Event Action: Registry Value Set


10. Command and Control (via the injected system binary)

The injected explorer.exe, a trusted signed binary, opens the connection to the C2 server, so the network activity appears to come from the desktop shell.

Sysmon event ID: 3 (Network connection)

Process: explorer.exe


11. Discovery / System Information Discovery (T1082)

The injected explorer.exe runs Qbot's well-known discovery sequence: it spawns whoami, arp, ipconfig, net view, cmd, nslookup, nltest, net share, route, netstat, net localgroup and qwinsta, and performs further discovery through WMI queries. Any one of these from explorer.exe can be a user in the Run dialog; most of them from the same parent within a couple of minutes is the signal.


Detection Sigma rules:

===============================================================

title: WindowsCodecs.dll Side-Loaded by calc.exe
description: Detects DLL side-loading of WindowsCodecs.dll by calc.exe (Sysmon event ID 7). The genuine DLL lives in System32/SysWOW64, so those paths are excluded; any other load location means calc.exe picked up a planted copy from its own directory.
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\calc.exe'
        ImageLoaded|endswith: '\WindowsCodecs.dll'
    filter_legit:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter_legit

===============================================================

title: regsvr32.exe Spawned by calc.exe
description: Detects regsvr32.exe started as a child of calc.exe (Sysmon event ID 1). The calculator has no reason to register COM servers; in the Qbot chain this is the side-loaded DLL handing off to the loader.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\calc.exe'
        Image|endswith: '\regsvr32.exe'
    condition: selection

=======

title: Injection Host Spawned by regsvr32.exe
description: Detects explorer.exe (or the other hosts Qbot has injected into, wermgr.exe and msra.exe) created as a child of regsvr32.exe (Sysmon event ID 1), which is the process-injection step. A regsvr32.exe that spawns the desktop shell is never normal.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\regsvr32.exe'
        Image|endswith:
            - '\explorer.exe'
            - '\wermgr.exe'
            - '\msra.exe'
    condition: selection

===============================================================

title: Qbot Discovery Commands Spawned by explorer.exe
description: Detects the Qbot discovery sequence launched from explorer.exe (Sysmon event ID 1). A single match can be a user running a command from the Run dialog; alert when several distinct entries fire from the same ParentProcessGuid within a few minutes.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains:
            - 'whoami /all'
            - 'arp -a'
            - 'ipconfig /all'
            - 'net view /all'
            - 'cmd /c set'
            - 'nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs'
            - 'nltest /domain_trusts /all_trusts'
            - 'net share'
            - 'netstat -nao'
            - 'net localgroup'
            - 'qwinsta'
    condition: selection

===============================================================

title: Qbot Discovery Commands Spawned by wermgr.exe
description: Detects the Qbot discovery sequence launched from wermgr.exe (Sysmon event ID 1). Windows Error Reporting has no reason to run any of these, so even one match from wermgr.exe deserves a look.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wermgr.exe'
        CommandLine|contains:
            - 'whoami /all'
            - 'arp -a'
            - 'ipconfig /all'
            - 'net view /all'
            - 'cmd /c set'
            - 'nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs'
            - 'nltest /domain_trusts /all_trusts'
            - 'net share'
            - 'netstat -nao'
            - 'net localgroup'
            - 'qwinsta'
    condition: selection

=================================================================

description: Adversaries may abuse explorer.exe to proxy execution of malicious payloads and connect with C2 (Sysmon event ID 3). explorer.exe legitimately talks to file shares and cloud storage, so on its own this fires constantly; use it as a hunting query joined on the ProcessGuid of an explorer.exe that regsvr32.exe created, or add filters for internal address ranges.
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\explorer.exe'
    condition: selection

=================================================================

description: Adversaries may abuse wermgr.exe to proxy execution of malicious payloads and connect with C2 (Sysmon event ID 3). wermgr.exe does contact Microsoft's error-reporting endpoints, so baseline those destinations before alerting on every connection.
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\wermgr.exe'
    condition: selection


=================================================================
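The Sigma rules above each catch one link of the chain described in steps 5 to 11. The script below, an added example that is not part of the original article, runs the same logic over a constructed set of Sysmon-like records (event IDs 1, 3 and 7) and adds the correlation a practitioner wants: the network-connection check is restricted to the explorer.exe instance that regsvr32.exe created, and the discovery check requires several distinct commands from one parent inside a time window. The GUIDs, drive letters, file names and IP addresses in the sample events are placeholders, and the "5 distinct commands in 2 minutes" threshold is an assumption.

```python
"""Correlate Sysmon events into the Qbot calc.exe -> regsvr32 -> explorer chain.

Added example, not part of the original article. Events below are constructed
Sysmon-like records (event IDs 1, 3 and 7); GUIDs, paths and IPs are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INJECTION_HOSTS = {"explorer.exe", "wermgr.exe", "msra.exe"}
DISCOVERY_CMDS = (
    "whoami /all", "arp -a", "ipconfig /all", "net view /all", "cmd /c set",
    "nslookup -querytype=all -timeout=10 _ldap._tcp.dc._msdcs",
    "nltest /domain_trusts /all_trusts", "net share", "route print",
    "netstat -nao", "net localgroup", "qwinsta",
)


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def sideload_hits(events):
    """Step 5: calc.exe loads WindowsCodecs.dll from outside System32/SysWOW64."""
    return [e for e in events if e["EventID"] == 7
            and base(e["Image"]) == "calc.exe"
            and base(e["ImageLoaded"]) == "windowscodecs.dll"
            and not e["ImageLoaded"].lower().startswith(SYSTEM_DIRS)]


def child_hits(events, parent_name, child_names):
    """Steps 6 and 7: process creation with the given parent/child pairing."""
    return [e for e in events if e["EventID"] == 1
            and base(e["ParentImage"]) == parent_name
            and base(e["Image"]) in child_names]


def discovery_bursts(events, min_distinct=5, window=timedelta(minutes=2)):
    """Step 11: at least min_distinct distinct Qbot discovery commands from one
    explorer/wermgr instance inside `window` (thresholds are assumptions)."""
    by_parent = defaultdict(list)
    for e in events:
        if e["EventID"] != 1 or base(e["ParentImage"]) not in INJECTION_HOSTS:
            continue
        cmd = e.get("CommandLine", "").lower()
        matched = next((d for d in DISCOVERY_CMDS if d in cmd), None)
        if matched:
            by_parent[e["ParentProcessGuid"]].append((ts(e), matched))
    hits = []
    for guid, items in by_parent.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {d for t, d in items[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits.append({"ParentProcessGuid": guid, "commands": sorted(seen)})
                break
    return hits


def c2_hits(events, injected_guids):
    """Step 10: outbound connections, but only from the host process that
    regsvr32 created; every explorer.exe connection would be pure noise."""
    return [e for e in events if e["EventID"] == 3 and e.get("Initiated") == "true"
            and e["ProcessGuid"] in injected_guids]


def correlate(events):
    injected = child_hits(events, "regsvr32.exe", INJECTION_HOSTS)
    return {
        "sideload": sideload_hits(events),
        "proxy_exec": child_hits(events, "calc.exe", {"regsvr32.exe"}),
        "injection_host": injected,
        "c2": c2_hits(events, {e["ProcessGuid"] for e in injected}),
        "discovery": discovery_bursts(events),
    }


def _ev(eid, t, **f):  # constructed Sysmon-style record
    return {"EventID": eid, "UtcTime": f"2023-02-01 10:{t}.000", **f}


INJ, SHELL, CALC, RS = "{inj}", "{shell}", "{calc}", "{rs}"  # placeholder GUIDs
EXPL, RSVR = "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\regsvr32.exe"
SAMPLE_EVENTS = [
    # benign: the real calc loading the real DLL from System32 (must not fire)
    _ev(7, "00:00", Image="C:\\Windows\\System32\\calc.exe", ProcessGuid="{calc0}",
        ImageLoaded="C:\\Windows\\System32\\WindowsCodecs.dll"),
    # step 5: calc.exe inside the mounted ISO (E:) loads the planted DLL beside it
    _ev(7, "00:01", Image="E:\\calc.exe", ImageLoaded="E:\\WindowsCodecs.dll", ProcessGuid=CALC),
    # step 6: side-loaded DLL hands off to regsvr32 with the loader (placeholder name)
    _ev(1, "00:02", ParentImage="E:\\calc.exe", ParentProcessGuid=CALC, Image=RSVR,
        ProcessGuid=RS, CommandLine="regsvr32.exe E:\\loader.dll"),
    # step 7: regsvr32 creates the explorer.exe it injects into
    _ev(1, "00:03", ParentImage=RSVR, ParentProcessGuid=RS, Image=EXPL, ProcessGuid=INJ, CommandLine=EXPL),
    # step 10: C2 from the injected instance; the user's desktop shell also talks to the network
    _ev(3, "00:05", Image=EXPL, ProcessGuid=INJ, Initiated="true", DestinationIp="203.0.113.10"),
    _ev(3, "00:06", Image=EXPL, ProcessGuid=SHELL, Initiated="true", DestinationIp="192.0.2.5"),
    # benign: user runs one ipconfig from the Run dialog of the real shell
    _ev(1, "00:07", ParentImage=EXPL, ParentProcessGuid=SHELL, ProcessGuid="{u1}",
        Image="C:\\Windows\\System32\\ipconfig.exe", CommandLine="ipconfig /all"),
]
# step 11: discovery burst from the injected explorer, one command per second
SAMPLE_EVENTS += [
    _ev(1, f"00:{10 + i:02d}", ParentImage=EXPL, ParentProcessGuid=INJ, ProcessGuid=f"{{d{i}}}",
        Image="C:\\Windows\\System32\\" + cmd.split()[0] + ".exe", CommandLine=cmd)
    for i, cmd in enumerate(["whoami /all", "arp -a", "ipconfig /all", "net view /all",
                             "nltest /domain_trusts /all_trusts", "qwinsta"])
]

if __name__ == "__main__":
    for stage, hits in correlate(SAMPLE_EVENTS).items():
        print(stage, len(hits))
```

Running the file prints one hit per stage for the constructed data: the System32 load of WindowsCodecs.dll and the user's single ipconfig are ignored, and only the connection from the regsvr32-spawned explorer.exe is reported as C2. The same functions accept Sysmon events exported from an EVTX or SIEM as dicts with the standard field names.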

Resources:

https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html

https://isc.sans.edu/diary/Recent+Qakbot+Qbot+activity/26862

https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/
