Threat Intel Digest

July 2020

A Bot that Quacks

Macro malware has become a standard vehicle for delivering other malware. When the document is opened and the macro is allowed to run, it typically downloads a malicious executable and launches it.

Qbot, also known as Qakbot, is initially downloaded as a file with a PNG extension. It is not an image, though: the file is a Windows executable that is renamed to .exe before it is run. On execution, the malware first checks whether it is running inside a virtual machine; it treats a virtualized environment as a sign that it is being analyzed and exits. When the checks pass, the main payload is extracted from the resource section of the executable. The resource section normally holds data such as icons and version information, and malware uses it to store an embedded payload chiefly to evade detection by scanners that look at the outer file rather than at what is packed inside its resources. Qbot then injects itself into the explorer.exe process so that its code runs inside a long-lived, trusted process and stays active for the whole user session. None of these tricks is new, but the macro-laden document remains the main delivery vector, and it is what keeps bringing Qbot back.
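A practical check against the delivery trick described above, as an added example that is not part of the original digest and not Qbot's own code: a small PE triage script that flags a file whose extension says PNG but whose bytes say Windows executable, and that inspects the .rsrc section for an embedded PE image. The parser reads only the DOS header, COFF header and section table, so it needs no third-party library. The build_pe helper and the "invoice.png" sample it produces are constructed for the demonstration, not captured malware.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
FILE_ALIGN = 0x200


def is_pe(data):
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_sections(data):
    """Return (name, virtual_size, virtual_address, raw_size, raw_offset) for each section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # 4-byte signature + 20-byte COFF header + optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), vsize, va, raw_size, raw_off))
    return sections


def find_embedded_pe(blob):
    """Offsets inside blob where an MZ/PE header pair begins (a payload stored in resources)."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if is_pe(blob[pos:]):
            hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def triage(filename, data):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext == "png" and data[:8] != PNG_MAGIC:
        findings.append("extension .png but no PNG signature")
    if is_pe(data):
        if ext not in ("exe", "dll"):
            findings.append("PE executable disguised as ." + ext)
        for name, _vsize, _va, raw_size, raw_off in parse_sections(data):
            if name != ".rsrc":
                continue
            if raw_size > len(data) // 2:  # resources dominating the file is a payload-carrier hint
                findings.append(".rsrc holds %d%% of the file" % (100 * raw_size // len(data)))
            for off in find_embedded_pe(data[raw_off:raw_off + raw_size]):
                findings.append("embedded PE at .rsrc+0x%x" % off)
    return findings


def _align(n, a):
    return -(-n // a) * a


def build_pe(sections):
    """Assemble a minimal PE32 image from [(name, raw_bytes)]: a constructed sample, not real malware."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)  # PE32 magic, rest zeroed
    headers_len = _align(e_lfanew + 24 + size_opt + 40 * len(sections), FILE_ALIGN)
    table, body, raw_off, va = b"", b"", headers_len, 0x1000
    for name, raw in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(raw), va,
                             raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
        body += raw.ljust(raw_size, b"\x00")
        raw_off += raw_size
        va += max(0x1000, _align(len(raw), 0x1000))
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(headers_len, b"\x00") + body


# Constructed sample: an outer executable whose .rsrc section carries a second, inner PE image,
# delivered under a .png name the way the digest describes.
INNER_STAGE = build_pe([(b".text", b"\xcc" * 64)])
SAMPLE_PNG = build_pe([(b".text", b"\x90" * 32), (b".rsrc", b"\x00" * 16 + INNER_STAGE)])

if __name__ == "__main__":
    for line in triage("invoice.png", SAMPLE_PNG):
        print(line)
```

Run against the constructed sample, triage reports the extension mismatch, the disguised executable, a .rsrc section that takes up 60% of the file and an inner PE at .rsrc+0x10. On a real download the same four signals are what a quick hunt over an attachment quarantine would key on; the resource scan is deliberately naive (it does not walk the resource directory tree) so that it also catches payloads dropped into the section without a proper resource entry.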

Seasonal Spam

Spam and phishing campaigns follow every season and every notable event, and the actors behind them use those occasions as bait.

Holidays and other seasonal events are prime time for attackers to send emails containing malicious links, because these are the periods when people are most inclined to click on links that lead to a malware download or simply to a malicious website. The recent Black Lives Matter protests are now being used as a lure in emails carrying a malicious Microsoft Word attachment. The document contains a macro that, once enabled, downloads further malicious files. The campaign rotates through several sender names and subject lines that impersonate legitimate sources. Stay wary during such periods, whether it is the Easter holiday or a global social movement: the attackers will always be there to oblige.
