Tracking down a trojan: An inside look at threat hunting in a corporate network

At Malwarebytes, we talk a lot about the importance of threat hunting for SMBs, and not without good reason. When a threat actor breaches a network, they rarely act right away: the median time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly obfuscated threats like these that quietly lurk in the network, siphoning off confidential data and searching for credentials that unlock the “keys to the kingdom.”

The bad news for small-to-medium sized businesses (SMBs): labor-intensive and costly threat-hunting tooling usually restricts this practice to larger organizations with a mature security program and a well-staffed security operations center (SOC).

That’s where Malwarebytes Managed Detection and Response (MDR) comes in.

Malwarebytes MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack.

But talk is cheap: let’s look at a real case in which Malwarebytes MDR helped a company detect and respond to a potent banking Trojan known as QBot.

The Incident

On a date left undisclosed for security reasons, a reputable oil and gas company we’ll refer to as Company 1 experienced an intrusion in their network. The culprit was Qakbot (also known as QBot).

QBot is notorious for its abilities to steal sensitive information, like login credentials, financial data, and personal information, and even create backdoors for additional malware to infiltrate the compromised system. What’s more, it also facilitates remote access to the compromised machines.

QBot has recently been observed being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF).


The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)

QBot attacks start with a reply-chain phishing email, in which the threat actors reply to an existing email thread with a malicious link or attachment, so the message arrives in a conversation the recipient already trusts.


A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)

Once someone in the email chain opens the attached PDF, they see a message saying, “This document contains protected files, to display them, click on the ‘open’ button.” Clicking the button downloads a ZIP file containing the WSF script.


The heavily obfuscated script contains a mix of JScript and VBScript code that, when run, launches PowerShell, which downloads the QBot DLL from a list of hardcoded URLs. The script tries each URL in turn until a file is successfully saved to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into wermgr.exe, the legitimate Windows Error Reporting Manager, so that its code runs quietly in the background under a trusted process name.

The Infection

The initial infection at Company 1 was traced to a laptop in their network. The Qakbot malware used a Windows Script File (WSF), executed by WSCRIPT.EXE, to launch a Base64-encoded PowerShell command.


The Process Graph tile under the Suspicious Activity page in Nebula shows a visual representation of the files or processes touched by the suspicious activity.


Clicking on the node to view more details, we see that WSCRIPT.EXE was used to execute a Windows Script File, which spawned an instance of PowerShell executing a Base64-encoded command.


Node detail showing malicious encoded PowerShell script.

This script was designed to be patient and stealthy.

It first waited 4 seconds before building an array of URLs, presumably pointing at servers hosting the payload. The script then attempted to download a file from each URL and checked that the result was at least 100,000 bytes, a sanity check that likely rejects error pages, block pages, and empty responses. If a download failed, the script waited another 4 seconds before moving to the next URL.

The downloaded file, saved under the nondescript name “FreeformOzarkite.marseillais” (a DLL with a non-standard extension), was then loaded with the RUNDLL32.EXE Windows utility, invoked from the same PowerShell instance, which allowed its malicious payload to execute.


RUNDLL32.EXE was invoked from the previous instance of PowerShell to execute a malicious payload or module stored in the file “FreeformOzarkite.marseillais” in the infected user’s temporary folder.

The Malicious DLL

A specific DLL file, identified as zibkwyxdtpcrqshpuqkoomcoba.dll, was found to be one of the malicious components executed by the Qakbot infection.


Node detail showing the malicious DLL is executed (zibkwyxdtpcrqshpuqkoomcoba.dll).

Analysis of this DLL revealed several nefarious functions, including:

  • Code injection into other processes.
  • Harvesting of sensitive data, like Chrome and Outlook passwords, Wi-Fi passwords, and Bitcoin wallets.
  • Capturing screenshots.
  • Modifying system settings, such as disabling User Account Control (UAC), to make the system easier to attack further.
  • Communication with a remote command and control (C&C) server for data exfiltration and remote command execution.

The team also saw system enumeration utilizing WHOAMI.EXE and IPCONFIG.EXE:

  • whoami /all
  • ipconfig /all
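The chain described in the last few sections, WSCRIPT.EXE spawning an encoded PowerShell command, PowerShell invoking RUNDLL32.EXE on a non-.dll file in %TEMP%, and whoami /all and ipconfig /all running underneath, is exactly the kind of pattern a threat hunter turns into rules over process-creation telemetry. The Python below is an added example, not Malwarebytes or Nebula code. It decodes the Base64/UTF-16LE -EncodedCommand, scores the decoded script for the downloader traits the article describes (a sleep between attempts, an array of URLs, a minimum-size check, a rundll32 launch), flags rundll32 loading a non-.dll file from a Temp folder, and flags the enumeration commands only when they descend from an already-flagged process. The event records are constructed, Sysmon-style entries with assumed field names (pid, ppid, image, cmdline), and the encoded script is a placeholder that carries only those traits, using reserved .invalid hostnames; it is not the real QBot script.

```python
"""Hunt for the Qakbot execution chain in process-creation telemetry:
wscript.exe -> powershell.exe -EncodedCommand -> rundll32.exe loading a payload
from %TEMP%, then whoami/ipconfig enumeration under that chain (added example)."""
import base64
import ntpath
import re

# Constructed stand-in for the decoded downloader: only the traits the article
# names (sleep, URL array, size check, rundll32 launch), not a working script.
SAMPLE_SCRIPT = (
    "Start-Sleep -Seconds 4;"
    "$urls=@('http://host-a.invalid/a','http://host-b.invalid/b');"
    "foreach($u in $urls){ <# placeholder: fetch $u into $env:TEMP #> "
    "if((Get-Item \"$env:TEMP\\FreeformOzarkite.marseillais\").Length -ge 100000)"
    "{rundll32 \"$env:TEMP\\FreeformOzarkite.marseillais\";break};Start-Sleep -Seconds 4}"
)
# -EncodedCommand is Base64 over UTF-16LE, so the sample is built the same way.
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed events; field names (pid, ppid, image, cmdline) are an assumption
# modelled on Sysmon Event ID 1. Not Company 1's telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Downloads\document.wsf"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": f"powershell.exe -EncodedCommand {ENCODED}"},
    {"pid": 400, "ppid": 300, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\FreeformOzarkite.marseillais"},
    # Enumeration under the chain; the live parent may be the injected wermgr.exe,
    # which is why the rule walks every ancestor instead of the direct parent.
    {"pid": 500, "ppid": 400, "image": "whoami.exe", "cmdline": "whoami /all"},
    {"pid": 501, "ppid": 400, "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    # Benign: an administrator running the same command from a console.
    {"pid": 600, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 601, "ppid": 600, "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
]

ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s\",]+)", re.I)
ENUM_RE = re.compile(r"^(?:whoami|ipconfig)(?:\.exe)?\s+/all\b", re.I)
DOWNLOADER_TRAITS = {
    "sleep_between_attempts": re.compile(r"Start-Sleep", re.I),
    "url_array": re.compile(r"@\(\s*['\"]https?://", re.I),
    "minimum_size_check": re.compile(r"\.Length\s*-g[et]\s*\d{5,}", re.I),
    "rundll32_launch": re.compile(r"rundll32", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def downloader_traits(script):
    """Names of the article's downloader traits that the decoded script exhibits."""
    return [name for name, rx in DOWNLOADER_TRAITS.items() if rx.search(script)]


def ancestor_pids(pid, by_pid):
    """PIDs of every ancestor, nearest first; stops at unknown or cyclic ppids."""
    chain, seen = [], {pid}
    ppid = by_pid[pid]["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(ppid)
        ppid = by_pid[ppid]["ppid"]
    return chain


def hunt(events):
    """Return (rule, pid, detail) findings for the three chain rules."""
    by_pid = {e["pid"]: e for e in events}
    flagged, findings = set(), []
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"]
        parent = by_pid.get(e["ppid"], {}).get("image", "").lower()
        script = decode_encoded_command(cmd) if image == "powershell.exe" else None
        m = RUNDLL_RE.search(cmd) if image == "rundll32.exe" else None
        if script is not None and parent == "wscript.exe":
            flagged.add(e["pid"])
            findings.append(("wsf_spawns_encoded_powershell", e["pid"],
                             ",".join(downloader_traits(script))))
        elif m and "\\temp\\" in m.group(1).lower() \
                and ntpath.splitext(m.group(1))[1].lower() != ".dll":
            flagged.add(e["pid"])
            findings.append(("rundll32_temp_payload", e["pid"], m.group(1)))
    for e in events:  # enumeration only counts when it descends from a flagged pid
        hits = [p for p in ancestor_pids(e["pid"], by_pid) if p in flagged]
        if hits and ENUM_RE.match(e["cmdline"]):
            findings.append(("enumeration_under_chain", e["pid"],
                             f"{e['cmdline']} under pid {hits[0]}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid:<4} {detail}")
```

Run against the constructed events, this produces four findings for the infection chain and none for the administrator's ipconfig /all under cmd.exe, because the enumeration rule requires a flagged ancestor rather than matching on the command alone. In a real hunt the same three rules would be applied to Sysmon Event ID 1 or EDR process-creation records, and the decoded script would be kept with the finding so an analyst can read it rather than the Base64 blob.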

Data Exfiltration and Remediation

The malware attempted to send the collected data to a known Qakbot C2 IP address, presumably where the stolen data would be collected and triaged by the operators.

However, the Malwarebytes MDR team promptly detected and contained this threat, taking steps such as cleaning the system of the infection, informing Company 1 of the incident, and providing actionable recommendations to prevent future compromises.

Threat hunting with MDR


How Malwarebytes MDR works

Threat hunting is essential for small-and-medium-sized businesses, as attackers can remain undetected for weeks after compromising a network (a median of 21 days, as noted above).

Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. 

In this article, we’ve outlined the significant role that Malwarebytes MDR can play in uncovering, managing, and remediating threats like Qakbot, helping you avoid business disruption and financial loss.

Want to learn more about Malwarebytes MDR and threat hunting? Click the link below for a quote. 

Stop Qbot attacks today