Qbot and IceID infection chains
As Microsoft decided to disable macros [1] threat actors started to investigate new ways of distributing malware. To replace the delivery method of macros a lot of new and old infection chains is used by the malware authors.
To follow the evolution of the payload delivery, we take a look at the infection chains of the malware families Qbot and IcedID.
Qbot & IcedID
Both Qbot and IcedID started as banking trojans and have now evolved to droppers. The danger of these malware malware famalies is that they can drop a second stage malware. A lot of different kind of payloads have been delivered by Qbot and IcedID, as Cobaltstrike, ransomware, exfiltration, stealers, etc. Or they can be used as endpoint delivering mail spam for their new campaigns. They can also be human operated as can be seen on DFIR report [2]
These kinds of malware also sell access to the victims to other threat actors [3]. Selling access to the infiltrated network generates more revenue this also applies to selling data. The sold access can then lead to for example human operated ransomware. Also seen from DFIR report it looks like they were used for exfiltration [4, 5].
That’s why we need to keep an eye on these malware families, so they don’t get a foothold on our endpoints.
Example of infection chains Qbot and IcedID
Qbot and IcedID has been seen with the follwing infection chains. If you wan’t to see the latest delivery chains I recommend that you follow pr0xylife on twitter [6], as that is an great source for information.
.one -> .jse -> .bat -> .ps -> .dll
.one -> .wsf -> .cmd -> ps -> .dll
.one -> .cmd -> .ps -> .dll
.one -> .hta -> .curl -> .dll
.one -> .hta -> .url -> .dll
.pdf -> .url -> .zip -> .iso -> .lnk -> .cmd -> .dll
.pdf -> .zip -> .iso -> .lnk -> .dll
.zip -> .iso -> .lnk -> .dll
Image-files
ISO, IMG files are disc-image files. Usually used for distributing OS-images. The ISO, IMG files themselves were marked with a MoTW flag, but the files in the image files were not marked. This were widely used by threat actors. This was patched by Microsoft in November 2022 [7], so now the files in the ISO-file also got marked with MoTW and therefore produces a warning when opening.
Mark of The Web is a Windows security feature that flag files. When downloading files Windows creates an ADS named Zone.Identifier or more commonly used MoTW. If you want to check a file for the Zone.Identifier, PowerShell can be used. For checking a file identifier, you can use:
Get-Content .\file -Stream Zone.Identifier.
As can been seen below:
Figure 2, ZoneID within MoTW
The following ZoneId values may be used in a Zone.Identifier ADS:
0. Local computer
1. Local intranet
2. Trusted sites
3. Internet
4. Restricted sites
The structure of the stream can also change depending on the application which performed the download. There are more attributes that can be added like the ReferrerUrl and HostUrl.
Figure 3, example of MoTW
But the image-files cannot contain any payload themselves as you can see in the picture below this image-file contains and windows shortcut file:
Figure 4, Image file containing .lnk file and hidden folder
The image file is just a container to deliver the payload. A way for the malware to get delivered and avoid infection.
The Windows Shortcuts (lnk-files)
Shortcuts is a proprietary file used by Microsoft Windows. Shortcuts allow you to create a pointer to a file. The files usually contain shortcuts to commonly used program within the operating system. They use the .lnk extension.
But they can also contain commands to for example command prompt. Usually, the command is loaded by a windows command file.
Figure 5, Shortcut file running a windows command file.
Onenote
OneNote is a note-taking software from Microsoft and included in the office suite. OneNote did not propagate MOTW on its attachments [8]. That made OneNote the new perfect candidate for malware delivery. One note does now mark attachment with MoTW flags [8]. OneNote can contain attachments for example .hta, .cmd, .jse, wsf, etc. Usually, the attachments are hidden behind an image.
As we can see on Malware Bazar [9] that the samples with the OneNote extension is on the rise.
Figure 6, .one malware submitted to Malware Bazar
An example of a one note document. Here the document opens a command file attached to OneNote.
Figure 7, OneNote file with hidden .cmd file under the image Open.
Opening the attached file leads to a download of .jpg file which is in this case a DLL-file and loading the DLL by rundll.
Figure 8, OneNote process tree after execution.
Analyzes of a payload chain .one > .cmd > .ps > .dll
In this case we’ve got a delivery of a OneNote file. The document looks like this:
Figure 9, OneNote, malicious document
Opening the cmd-file gives us a warning that we accept:
Figure 10, Warning when opening the attachment within the OneNote document.
The cmd file opens PowerShell and try to download the payload. In this case the payload URL was not online. And then the payload in this case (XQym.jpg) is loaded with rundll.
Figure 11, Windows commando file downloading a file via PowerShell and loading the DLL.
Analyzes of a payload chain URL->.zip->.iso->.lnk->.dll
The mail that we received led to an URL that server a password protected zip-file.
Figure 12, Domain delivering password protected zip file
Nothing suspicious here, lets open that zip-file. The zip-file contains an ISO file, that windows auto mount:
The disc-image contains a shortcut file and a hidden directory.
Figure 13, disc image with shortcut file and hidden folder
The shortcut file runs cmd.exe with the windows command file poky.cmd for the payload delivery.
Figure 14, Shortcut file and script ran
The .cmd file in the hidden directory contains a script that copy’s the REGSVR32 to C:\Users\user\AppData\Local\Temp\6.exe and loads the DLL file from the hidden directory.
Summary
One interesting take away from this blog is that each delivery of the malware payload, we always end up with a DLL file. They are loaded with rundll or regsvr. Qbot and IcedID is actively changing their delivery methods and trying to evade detection.
In the next blog we’ll start the hunt for malicious DLL files. Until then. Happy hunting!
References
[1]. https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked
[2] https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
[4] https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour
[5] https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/