I recently came across an interesting malicious document that I would like to analyze for you.
The initial scans show us that the document is detected by some big names such as Google, Symantec, Fortinet…
But let’s see what we can find if we dig a little deeper!
Running the file command verifies that it is an HTML document.
This function seems to load stage 2 of the exploit, which is base64-encoded data. The code tells us it is image/svg+xml, and we can verify that ourselves by grabbing the base64-encoded payload and decoding it.
Cool. Now that we have our stage 2 file let’s keep going with our analysis.
We can open the stage 2 file in a text editor and give it some syntax highlighting for better visibility.
The variable names are well obfuscated, but we can try to make logical sense of the code and its obfuscated variables, and clean it up to better understand what is going on.
After some basic cleanup, we can see that on line 36 there is a function call whose arguments are our next payload and the integer 512. The function seems to loop through the base64-encoded payload, decoding it and writing the result to a file.
Seems like we should expect the next stage file to be an archive!
Just as we suspected, we are left with Zip archive data. Let’s see what we have inside.
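As an added example (my own code, not anything from the analyzed document), here is a small Python carver that does defensively what the stage-2 loader does: it finds the largest base64 blob in a smuggled HTML/SVG document, decodes it in 512-character slices like the function call on line 36, labels the result by its magic bytes, and repeats until no further layer remains. The sample document it builds is constructed for the demo, and zip_names and build_sample are hypothetical helpers of mine.

```python
import base64
import io
import re
import zipfile

# Magic bytes used to label each decoded stage; ZIP is what this chain ends in.
MAGICS = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"<svg": "svg"}
# A long run of base64 characters; the smuggled payload is normally the largest one.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

def identify(data: bytes) -> str:
    """Name a blob by its leading magic bytes, or 'unknown'."""
    for magic, name in MAGICS.items():
        if data.lstrip().startswith(magic):
            return name
    return "unknown"

def decode_chunked(blob: bytes, chunk: int = 512) -> bytes:
    """Decode base64 in fixed-size slices like the loader's 512-char loop (chunk must be a multiple of 4)."""
    out = bytearray()
    for i in range(0, len(blob), chunk):
        out += base64.b64decode(blob[i:i + chunk])
    return bytes(out)

def carve_stages(data: bytes, chunk: int = 512) -> list:
    """Peel base64 layers off a smuggled document; returns [(kind, bytes), ...], outermost first."""
    stages = []
    while True:
        blobs = B64_RE.findall(data)
        if not blobs:
            return stages
        try:
            data = decode_chunked(max(blobs, key=len), chunk)
        except ValueError:  # a long run that was not really base64 (bad length/padding)
            return stages
        stages.append((identify(data), data))

def zip_names(data: bytes) -> list:
    """Hypothetical helper: list the member names of an in-memory ZIP stage."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_sample() -> bytes:
    """Constructed stand-in for the chain HTML -> SVG -> ZIP, not the real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stage.iso", b"constructed placeholder, not malware. " * 8)
    zip_b64 = base64.b64encode(buf.getvalue())
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>var p="' + zip_b64 + b'";</script></svg>'
    return b'<embed src="data:image/svg+xml;base64,' + base64.b64encode(svg) + b'">'
```

Running carve_stages over a real smuggled HTML file gives you each decoded layer without executing any of it, so the archive (and its magic bytes) can be inspected before you ever reach for unzip.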
We rename the file as filestage4.zip and run unzip on it.
When we try to unzip it, the archive asks for a password. After some tinkering with good old John, we crack the password, which turns out to be “abc111”.
But it didn’t make any sense to me as to why I would have to crack a password to extract malware. Later, when I opened the malware on any.run, I realized that the password is given in the initial HTML file. LOL.
Anyway… Let’s move on…
Extracting the files from the archive gives us a .iso file.
I mounted the image file to see its contents.
I moved it to the /tmp directory and also unmounted the image so I don’t forget it later.
In the image, we are greeted with the following files.
ComplianceReportCopy.lnk is a Windows shortcut file.
Imbued.cmd and broadsheets.dat look particularly interesting.
Imbued.cmd is a DOS batch file that seems to be doing some string obfuscation.
It seems to build the string “copy %systemroot%\System32\1vr32.exe %temp\givenBind.com”, and it also appears to run broadsheets.dat.
ooh! Juicy Windows PE32 executable. Love to see it. Let’s upload it to VirusTotal to see if it is able to catch something.
Woah. That escalated quickly :))
Most of the AVs identify the executable as Qbot.
QBot, a modular information stealer, has been a persistent threat to organizations for over a decade since its inception in 2007. This malicious software has been historically known for its ability to steal financial data from infected systems and as a loader that uses C2 servers for targeted payloads and downloads.
Despite being active for so many years, QBot remains a dangerous threat and has become one of the leading banking trojans worldwide. It operates as a modular threat that can be customized to fit the attacker’s needs, making it highly adaptable and difficult to detect.
QBot has evolved over the years, with newer versions incorporating advanced features such as the ability to steal sensitive information beyond just banking data. It can now also spread itself through network shares, using tactics such as brute-forcing credentials, and it can even disable security software on the infected system.
To protect against QBot, organizations must employ robust security measures such as regularly updating software, using strong passwords and two-factor authentication, and monitoring networks for any suspicious activity. It is also essential to educate employees about the dangers of phishing emails and the importance of being vigilant while using the internet.
QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is still a dangerous and persistent threat to organizations and has become one of the leading banking trojans globally.
Toodaloo. Happy Hacking!