QBot returns for a new wave of infections using Squirrelwaffle

by | Nov 15, 2021 | News

 

Reading Time: 1 Minute

 

The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle.

 

 
 

Squirrelwaffle emerged last month as one of the most likely candidates to fill the void left by the take-down of Emotet, and unfortunately, these predictions are quickly being confirmed.

 

A new wave of attacks

 

Researchers at TrendMicro have observed a new distribution campaign for QBot relying on Visual Basic Macros (VBA) macros in Microsoft Word documents sent as attachments in phishing emails.

Previous Qbot campaigns used Excel macros, which are still present in some cases, even if they are more scarce now.

 

All of QBot's arrival variations
All of QBot’s arrival variations 
Source: TrendMicro

 

See Also: Complete Offensive Security and Ethical Hacking Course

 

 

The victim still has to manually open the document and “Enable Content” on their Microsoft Office suite to let the macro code run, dropping a QBot payload on the system.

The rest of the process chain hasn’t changed much compared to previous versions, still downloading a DLL file as the core payload and setting the same scheduled task for persistence as before.

Qbot is also known to partner with ransomware operations to provide them with initial access to a network. QBot has previously collaborated with ransomware gangs to deploy REvil, EgregorProLock, PwndLocker, and MegaCortex strains.

We shouldn’t forget that even if these compromises never evolve to file-encryption events, QBot can do significant damage on its own.

The additional modules downloaded by the QBot malware can grab browser cookies, passwords, emails, drop Cobalt Strike, enable lateral movement, and turn the infected machine into a proxy for C2 traffic.

 

 

See Also: All Windows versions impacted by new LPE zero-day vulnerability

 

Riding the Squirrel

 

Sentinel Labs published a report on the rise of the SquirrelWaffle malware loader, linking it directly to QBot, which is dropped as second stage malware.

Researchers at Minerva Labs have also drawn a similar conclusion, seeing the following delivery scheme:

 

SquirrelWaffle's infection chain
SquirrelWaffle’s infection chain
Source: Minerva Labs
 
 

 

 

See Also: Offensive Security Tool: Pentesting Tools

 

 

SquirrelWaffle also uses VBA macros to execute a PowerShell command that retrieves its payload and launches it.

Unlike Emotet, who used a wide range of phishing lures, the SquirrelWaffle is not doing a great job creating convincing spam mails, keeping the infections in check.

The creation of more convincing phishing emails could be outsourced or quickly resolved by contacting an expert in that part of phishing operations, leading to a more significant number of SquirrelWaffle infections.

 
 

 

 

See Also: Hacking stories – Operation Troy – How researchers linked the cyberattacks

 

 

Source: www.bleepingcomputer.com

 

(Click Link)

 

 


store

Share This