July 28, 2022
Qbot Reappears, Now Leveraging DLL Side Loading Technique To Bypass Detection Mechanisms
Research by: Karthickkumar K
Qbot (a.k.a. Qakbot or Pinkslipbot) is a banking trojan that steals sensitive information from victims’ machines and sends it to a Command and Control (C2) server. This threat was identified in 2007 and is still active with different variants.
The Uptycs Threat Research team recently observed a few changes in the infection flow of Qbot. A DLL side-loading method to execute malicious code helps malware bypass detection mechanisms. Another technique we’ve observed in the Qbot binary is self-debugging (using environment variables) which it uses to check if the system is already infected. Further, some new versions of Qbot binary target the wermgr.exe process to inject the malicious code.
The below figure shows the infection chain of the newer versions of Qbot binary (Figure 1):
Figure 1: Infection chain
As we can see in the above diagram, the infection chain for newer binaries includes trusted apps like calc.exe for DLL side-loading.
Upon opening the HTML file which comes via spam email, it drops a password-protected ZIP file named “TXRTN_2636021.zip” into the local system. The below screenshot (Figure 2) shows the HTML page from spam email.
Figure 2: HTML file
By extracting the ZIP file using the password mentioned in the HTML page, we can get an ISO file. The ISO file contains the following:
- LNK file : TXRTN_8468190 - This is LNK file is the execution trigger point
- WindowsCodecs.dll - Windows file (masqueraded name) for executing malicious payload
- Calc.exe - Legitimate windows file with hidden attribute
- 102755.dll - Qbot DLL with hidden attribute
The below screenshot shows the files inside the ISO file.
Figure 3: Inside the ISO file
Upon executing the LNK file, it launches the “Calc.exe”. On execution of “Calc.exe”, it loads the file named “WindowsCodecs.dll” (name masquerading) which contains the malicious code. This creates a new process with malware payload “102755.dll” and the below command line:
- “C:\Windows\Syswow64\regsvr32.exe 102755.dll” (see Figure 4)
Figure 4: Regsvr32 execution
The below screenshot shows the process chain of Qbot.
Figure 5: Process execution flow
This way the malware uses the DLL side-loading technique to execute malicious payloads without being detected—unless you know what you’re looking for.
The DLL file (102755.dll) is a x32 bit Delphi compiled binary, which has no export functions.
Figure 6: Initial Qbot payload
Upon execution of the DLL file, it decrypts the XOR encoded payload in memory. The payload is a VC compiled binary. The Dump 1 (see Figure 7) shows the payload along with an API function.
Figure 7: Decryption loop and the dumped payload binary
The Qbot payload first checks for the Microsoft Defender emulation folder using GetFileAttributes API. This condition is checked with the string “C:\INTERNAL\__empty”. If the condition is satisfied, the payload gets terminated.
Figure 8: Emulation check
Next, the payload checks for the environment variable “SELF_TEST_1” to check if the victim is already infected. If the flag is set, it will clear the memory and terminate itself.
Figure 9: Self check
If the victim PC is not already infected, the payload binary creates a new thread and starts the execution.
Figure 10: Thread Creation
The first thread function runs an API hashing function that restructures the new IAT table as follows:.
Figure 11: Restructured IAT table
The payload also involves the anti-debug check using GetTickCount() API. After the anti debug check, it collects the sensitive system information from the victim PC such as Computer name, GetVolumeInformation, User Account name, Module Name, Type of process, and OS version info.
The payload contains the XOR encoded AV process names in a list. After decoding, the payload checks against the running processes in the system. The payload uses a combination of CreateToolhelp32Snapshot,Process32First and Process32Next APIs.
Figure 12: Decryption loop for AV name check list
Below is the list of process names checked by the payload:
Previously, the Qbot malware tried to inject malicious content in any of the processes from the list below:
- %ProgramFiles%\Internet Explorer\iexplorer.exe
- %ProgramFiles(x86)%\Internet Explorer\iexplorer.exe
This time Qbot changes the list of target processes.
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
Once the target process is chosen (in our case wermgr.exe), the payload uses a process-hollowing technique to inject into the legitimate target process.
Conclusion: Detect and Stop Qbot Attacks
Our research on Qbot showed the advancements in its attack chain. Enterprises must have tight security controls and multi-layered visibility and security solutions to identify and detect malware like Qbot. Uptycs’ EDR correlation engine detected the Qbot activity by correlating generic behavioral rules and YARA process scanning capabilities.
Uptycs EDR Detection
Uptycs EDR—armed with YARA process scanning, advanced detections, and the ability to correlate Registry Events, Process File Events, Process Events and API Events—successfully detects different types of tactics carried out by Qbot.
Additionally, Uptycs EDR contextual detection provides important details about the identified malware. Users can navigate to the toolkit data section in the detection alert and click on the name to find out the behavior as shown below (Figures 13 & 14).
Figure 13: Uptycs EDR detection
Figure 14: Uptycs EDR detection
To learn more about the latest threat research conducted by the Uptycs Team, check out our most recent threat bulletin below.
Research and updates from the Uptycs Threat Research team.
Other posts you might be interested in
6 min read | December 17, 2020
Detecting the SolarWinds supply chain attack using osquery and UptycsRead More
22 min read | September 1, 2021
LOLBins Are No Laughing Matter: How Attackers Operate QuietlyRead More
6 min read | February 9, 2022