Qakbot (Qbot) activity, obama271 distribution tag
Introduction
Qakbot using the obama-series distribution tag has been active this week on Tuesday 2023-06-20 (obama269), Wednesday 2023-06-21 (obama270), and Thursday 2023-06-22 (obama271). This diary provides indicators from an infection run and samples collected from the obama271 wave on Thursday 2023-06-22.
Shown above: Flow chart for today's obama271 Qakbot infection.
Initial Infection Traffic
The initial infection started with an HTTP URL ending in .gif that returned a zip archive rather than an image. After extracting a .js file from the downloaded zip and running it, we see HTTPS traffic to the domain that returned our Qakbot DLL (hevintar[.]com in the IOC list below). Qakbot also generates HTTPS connectivity checks to legitimate domains like oracle.com, which appear alongside the C2 traffic in the filtered pcap below and should not be treated as C2 servers. Finally, we saw Qakbot HTTPS C2 traffic to 142.154.58[.]207 almost eight minutes after the Qakbot DLL was retrieved.
Shown above: Traffic from the infection filtered in Wireshark.
Indicators of compromise (IOCs)
2023-06-22 (THURSDAY): OBAMA271 QAKBOT (QBOT) ACTIVITY
INFECTION CHAIN:
email --> PDF attachment --> link from PDF --> downloaded zip --> extracted .js --> retrieves/runs Qakbot DLL
SIX EXAMPLES OF PDF ATTACHMENTS:
272ce466b3a6170c010806f207e3f69cb732c6d56d219e48c24f954378a044fb BSN-1123674130.pdf
06f3fc2a37fcc5785fcf482ff01f83e461be4ad55aa20abbbc6dbf3239a1eabd BSN-1606206602.pdf
c95a5ce6a5826df5ac6589a87faf3c67ff42f44dd4474c27a3eac13580329423 BSN-2057567741.pdf
dc8150390742b6d5c7a1c2d8c1f7291181382f1fa03dccb6cabd7e669e28640d BSN-235750987.pdf
622b1ca18203ea6203845df514442370f547bfd5fa9ca3efd8b947ad37ad37ef BSN-689895792.pdf
e032d480889727fb3fa5632084b4ce846b9a25fb855d1897977d0e155a472e2b BSN-773800054.pdf
LINKS FROM ATTACHED PDF FILES:
hxxps://brotherocean[.]com/bebarwlxbs/bebarwlxbs.gif
hxxp://garagedoorportsmouthnh[.]com/xnozmxusda/xnozmxusda.gif
hxxps://janakagroup[.]lk/dfvurstvvb/dfvurstvvb.gif
hxxp://pn-jayapura[.]go[.]id/rwhdnuavuo/rwhdnuavuo.gif
hxxp://rolopom[.]com/alfqtwrbcn/alfqtwrbcn.gif
hxxp://treegeyecare[.]com/ypsormkzyz/ypsormkzyz.gif
FILES USED FOR AN INFECTION RUN:
SHA256 hash: d32e1cc5c161ae0fd8ae6c11cb6df5bce79690d1c533b4a5b9140ed8cb005f21
File size: 79,478 bytes
Downloaded from: hxxp://rolopom[.]com/alfqtwrbcn/alfqtwrbcn.gif
File name: BSN-1226578580.zip
File description: Zip archive downloaded from link in PDF attachment
SHA256 hash: c465f039b08c3320fdce5f63992b5363b96c21d6e3b1da1df1e38caf65482caa
File size: 350,611 bytes
File name: BSN-1226578580.js
File description: JS file extracted from the above zip archive
URLS GENERATED BY THE ABOVE .JS FOR QAKBOT DLL:
hxxp://hevintar[.]com/0.38107541532568295.dat
hxxp://cehazik[.]com/0.8841605299322328.dat
hxxp://cosiruk[.]com/0.2959007454371704.dat
hxxp://swofacin[.]com/0.6385317941125832.dat
hxxp://tytrhel[.]com/0.8364758034624875.dat
hxxp://cgpersa[.]com/0.9934429799425988.dat
QAKBOT DLL SEEN DURING THE INFECTION RUN:
SHA256 hash: 98bf24844d138dfd50188f3325f13ea3a1cde4d650900ae1d6820a2b1d4a59fd
File size: 1,405,439 bytes
Downloaded from: hxxp://hevintar[.]com/0.38107541532568295.dat
File location: C:\VPNStors\Krosters\Spote.OCCXX
Run method: rundll32.exe [file name],zertc
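The three stages of this chain each leave a recognizable shape in telemetry: a .gif URL whose path is a 10-letter directory followed by the same 10 letters, and whose response body is a zip archive rather than a GIF; a DLL request whose filename is the text of a JavaScript Math.random() value with a .dat extension; and rundll32.exe loading a module that does not carry a .dll extension from a freshly created directory, with an export name after the comma. The script below is an added example (not part of this diary or its pcap) that encodes those shapes as checks and runs them over constructed proxy-log and process-creation records modeled on the IOCs above; the refang() helper is assumed so the diary's defanged URLs can be pasted in as-is.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# URL shapes taken from the IOC list in this diary.
# 1) Link from the PDF: /<10 lowercase letters>/<same 10 letters>.gif
PDF_LINK_RE = re.compile(r"^/([a-z]{10})/\1\.gif$")
# 2) DLL request built by the .js: /0.<long run of digits>.dat
#    (the filename is the decimal text of a JavaScript Math.random() value)
DAT_RE = re.compile(r"^/0\.\d{12,}\.dat$")
# 3) rundll32 <module>,<export>; the module path may be quoted
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip archive
PE_MAGIC = b"MZ"            # DOS header of a Windows PE file


def refang(ioc: str) -> str:
    """Assumed helper: turn the diary's defanged form (hxxp, [.]) back into a URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def check_http(url: str, content_type: str, body_prefix: bytes) -> list[str]:
    """Return the reasons an HTTP transaction matches the obama271 download chain."""
    reasons: list[str] = []
    path = urlparse(url).path
    if PDF_LINK_RE.match(path):
        reasons.append("url shape: /<10 letters>/<same 10 letters>.gif")
    if path.lower().endswith(".gif") and (
        body_prefix.startswith(ZIP_MAGIC) or "zip" in content_type.lower()
    ):
        reasons.append(".gif url returned a zip archive")
    if DAT_RE.match(path):
        reasons.append("url shape: /0.<digits>.dat")
    if path.lower().endswith(".dat") and body_prefix.startswith(PE_MAGIC):
        reasons.append(".dat url returned a PE file")
    return reasons


def check_process(cmdline: str) -> list[str]:
    """Return the reasons a process command line matches the rundll32 run method."""
    reasons: list[str] = []
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return reasons
    path = m.group("path").strip()
    basename = path.split("\\")[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    if ext != "dll":
        reasons.append(f"rundll32 loading non-.dll module: {path}")
    if not path.lower().startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("rundll32 module outside Windows or Program Files")
    return reasons


def scan(http_records, process_records):
    """Run both checks and return (record, reasons) for every record that matched."""
    hits = []
    for url, ctype, body in http_records:
        reasons = check_http(refang(url), ctype, body)
        if reasons:
            hits.append((url, reasons))
    for cmd in process_records:
        reasons = check_process(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits


# Constructed sample records (not from the diary's pcap): URL, Content-Type, first bytes.
HTTP_SAMPLES = [
    ("hxxp://rolopom[.]com/alfqtwrbcn/alfqtwrbcn.gif", "image/gif", b"PK\x03\x04\x14\x00"),
    ("hxxp://hevintar[.]com/0.38107541532568295.dat", "application/octet-stream", b"MZ\x90\x00"),
    ("https://www.oracle.com/", "text/html", b"<!DOCTYPE"),           # connectivity check
    ("http://example.com/images/logo.gif", "image/gif", b"GIF89a"),   # a real GIF
]
PROC_SAMPLES = [
    r"rundll32.exe C:\VPNStors\Krosters\Spote.OCCXX,zertc",
    r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
    r"notepad.exe C:\Users\analyst\notes.txt",
]

if __name__ == "__main__":
    for record, reasons in scan(HTTP_SAMPLES, PROC_SAMPLES):
        print(record)
        for r in reasons:
            print("   -", r)
```

The body-prefix check matters more than the URL regexes: the random path segments change with every wave, but a .gif that begins with PK or a .dat that begins with MZ is a content-type mismatch that survives the next rename. The oracle.com line is included deliberately so the connectivity check is not flagged.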
Final Words
A pcap of the infection traffic, along with the associated malware and artifacts, can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net