QBOT – A HTML SMUGGLING TECHNIQUE TO TARGET VICTIMS

0 0

QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a Banking Trojan that was first observed in 2007. Today, Qbot is still a vicious and persistent threat to organizations and has become one of the leading Banking Trojans globally. Over the years, it has changed its initial techniques to deliver payloads like using VBA macros, Excel 4 macros, VBS files, exploits like Follina, etc. Recently in Quick Heal’s Security Labs, we have come across a new technique that QBot leverages for its attack. It is called an “HTML Smuggling attack.”

What is HTML Smuggling attack?

HTML Smuggling is an attack vector in which the attacker smuggles encoded malicious script or payload embedded uniquely. It uses HTML 5 and JavaScript to accomplish its task. There are multiple ways to attack with this technique. Some common techniques are:

1. Use of anchor tag
   The HTML anchor tag “<a>” defines a hyperlink that links one page to another. It can create a hyperlink to other web pages, files, locations, or any URL. Also, if we want to download any file hosted on any server, we can use an anchor tag. For example,
2. Use of JavaScript Blob
   JavaScript blobs are objects that are a collection of bytes that contain data stored in a file. Blob data is stored in the user’s memory. This collection of bytes is used in the same places where an actual file would have been used. In other words, blobs can be used to construct file-like objects on the client that can be passed to JavaScript APIs that expect URLs.For example, the bytes of the file payload.exe can be provided as input in JS code as a JS blob; it can be compiled and downloaded at the user end.
3. Use of embed element
   It is used for embedding external applications, which are generally multimedia content like audio or video, into an HTML document. It is used as a container for embedding plug-ins such as flash animations.

Why is this technique used?

When the victim opens the HTML attachment, it decodes embedded files and saves them locally. Due to encoded patterns, no malicious content passes through the network, bypassing network filters and firewalls; hence this attack method is gaining popularity among cybercriminals.

QBot Attack Flow:

In one of the documents we analyzed, an embedded HTML element was found to be created with the “document.createElement” method. Attackers took advantage of this tag to distribute payloads in zip archives. We can see in the below image base64 encoded data for the zip file:-

While opening an HTML file, it tricks the user as if it is downloading a zip file, whereas the zip is already embedded in an HTML file. The password is highlighted in the image below, “abc555”.

After extracting the zip file, we get the”REJ_2975” disk image file, which again contains several files.

Shortcut file “REJ” is then responsible for conducting the further attack. This file’s task is to execute the “reprocesses” command script in the “oslo” folder. Subsequently, the command script will execute the final QBot loader DLL file having the name “counteractively.dat” as shown in the following figure:-

Later, the payload is injected in wermgr.exe via process hollowing:-

DLL Analysis:

This Qbot loader DLL is an x32 bit Delphi compiled binary with no export functions.

Defense Evasion checks are being used by Qbot; in this case, it is for windows defender simulation by checking the file “C:\INTERNAL\__empty.”

Gaining Persistence:

Qbot uses registry entries and self-replication to attain persistence. As the payload gets executed, the Qbot gains its persistence in 2 steps:

1. Copying itself to the below-mentioned folder:
   %AppData%\Roaming\Microsoft\{RandomStrings}
2.  Creating a registry value pointing to the above payload

Folder Creation and Dropped DLLs are loaded via regsvr32.exe, as shown below:

Dumping config data in Registry. In the latest payload versions, Qbot has moved from creating its config file in “.dat” format. Now, it writes its cloned DLL entry in the victim as encrypted registry keys to the ‘HKCU\Software\Microsoft\[RandomString]’ Hive.

C2 Communication:

As shown in the following figure, injected process “wermgr.exe” is making a connection to hardcoded Ips:-

Conclusion:

Disabling JavaScript in most environments is not feasible as too many legitimate systems and web applications require its use. In addition to that, many legitimate JavaScript frameworks make use of obfuscation techniques in order to minimize file sizes and improve the speed of web applications. Hence blocking obfuscated JavaScript is not a practical option. Therefore, users are advised to take utmost care while handling suspicious emails with HTML attachments. Quick Heal customers are already protected from these types of attacks.

Source: https://blogs.quickheal.com/qbot-a-html-smuggling-technique-to-target-victims/

Don’t hesitate to contact us:

Geetika Technosoft Pvt Ltd

E-mail: crm@gtechnosoft.in
T: 1800 212 6124
#GeetikaTechnosoft
#DasITCart
#DITC
#CustomerFirst
#ManagedITService
#FieldITService
#ITExpertsConsultation
#GloablITServiceProvider
#Quality
#Trustworthiness
#QuickHeal

About Post Author

Ishita Sen

ishita.sen@gtechnosoft.in

Happy

0 0 %

Sad

0 0 %

Excited

0 0 %

Sleepy

0 0 %

Angry

0 0 %

Surprise

0 0 %