Header Monthly Email Threat Review

QakBot distributed by XLSB files

Written by Security Lab / 15.10.2020 /
Home » Blog » QakBot distributed by XLSB files

Summary

The Hornetsecurity Security Lab has detected usage of XLM macros within XLSB documents to distributed the QakBot malware. Because both XLM macros as well as the XLSB document format being uncommon these new malicious documents have a very low static detection rate by current anti-virus solutions.

Background

QakBot (also known as QBot, QuakBot, Pinkslipbot) has been around since 2008. It is distributed via Emotet, i.e., Emotet will download the QakBot loader onto victims that are already infected with Emotet. But it is also distributed directly via email. To this end, it uses email conversation thread hijacking in its campaigns1, i.e., it will reply to emails that it finds in its victim’s mailboxes. QakBot is known to escalate intrusions by downloading the ProLock ransomware2.

The following timeline shows recent events relating to QakBot:

QakBot’s chain of infection is as follows:

QakBot has been using XLM macros (also known as Excel 4 macros) for quiet sometime.

Technical Analysis

On 2020-10-15 at around 12:40 UTC a malspam campaign distributing QakBot using XLSB documents was observed.

XLSB is an Excel Binary Workbook file. Its main use is to make reading from and written to the file much faster and reducing the size of very large spreadsheets. However, with current computing power and storage availability the need for this binary format diminished and today they are seldom used.

Combining this with the ancient and thus also not very well detected XLM macros causes the current documents to not be recognized by any AV listed on VirusTotal:

Also common document malware analysis tools such as OLEVBA do not recognize the XLM macros in the XLSB format:

Though, support for XLM macros in XLSB files is on OLEVBA’s roadmap2.

Even the tool XLMMacroDeobfuscator (specialized on analyzing malicious XLM macros), which supports the XLSB format3, has problems with QakBot’s XLSB file:

But as usual the bug in XLMMacroDeobfuscator was quickly worked on4.

The QakBot XLSB files are delivered via the classic QakBot email conversation thread hijacking1 in an attached ZIP file:

The ZIP file contains the XLSB document, which when opened pretends to be a encrypted by DocuSign and the user needs to “Enable Editing” and “Enable Content” to decrypt it:

When the user does so a Auto_Open XLM macro in the document is launched, which will download the QakBot loader:

The URL is a assembled via the XLM macro and pretends to download an PNG file:

In reality the PNG file is the QakBot loader executable. Hornetsecurity has previously reported on the QakBot loader and follow up malware such as ProLock ransomware2.

Conclusion and Countermeasure

Like the reemergence of the ancient and nowadays less common XLM macros used by malicious actors, the use of the uncommon XLSB documents again leads to lower detection rates by security solutions, which are mostly focused on the more common modern VBA macro malware.

However, Hornetsecurity’s fast response time to new emerging threats and zero-day malware protection provides its customers a robust shield against never-before-seen malspam campaigns and new attack types. Users of Hornetsecurity’s Spam Protection and Malware Protection are protected against the QakBot XLSB document.

References

Indicators of Compromise (IOCs)

Hashes

MD5Filename
ebd0e8581800059d451ed9969502ba53Comission_1587332740_10142020.xlsb
80fd1750532ebb8d148cd9916e621dbaComission_1587332740_10142020.zip

URLs

  • hxxp[:]//thomastongralestate[.]com/skywkc/3415201.png

DNSs

  • thomastongralestate[.]com

MITRE ATT&CK

MITRE ATT&CK Tactics and Techniques used by QakBot:

TacticTechnique
TA0001 – Initial AccessT1566.001 – Spearphishing Attachment
TA0001 – Initial AccessT1566.002 – Spearphishing Link
TA0002 – ExecutionT1027 – Obfuscated Files or Information
TA0002 – ExecutionT1059.005 – Visual Basic
TA0002 – ExecutionT1204.002 – Malicious File
TA0003 – PersistenceT1053.005 – Scheduled Task
TA0003 – PersistenceT1547.001 – Registry Run Keys / Startup Folder
TA0004 – Privilege EscalationT1053.005 – Scheduled Task
TA0005 – Defense EvasionT1027.002 – Software Packing
TA0005 – Defense EvasionT1055 – Process Injection
TA0005 – Defense EvasionT1055.012 – Process Hollowing
TA0005 – Defense EvasionT1497.001 – System Checks
TA0006 – Credential AccessT1003 – OS Credential Dumping
TA0006 – Credential AccessT1110.001 – Password Guessing
TA0006 – Credential AccessT1555.003 – Credentials from Web Browsers
TA0007 – DiscoveryT1016 – System Network Configuration Discovery
TA0011 – Command and ControlT1071.001 – Web Protocols
TA0011 – Command and ControlT1090 – Proxy
TA0011 – Command and ControlT1090.002 – External Proxy

You might also be interested in: