Researchers from Cyberreason team had identified the rise in Qakbot infection targeting multiple US organisation. On Successful infection, it depoys black basta ransomware program on the compromised machines in the target network.
The attack is delivered as a malicious link to the end users via spear phishing attack. and used Qakbot for initial attack method to gain control over the network.
The Cybereason Managed Services team observed multiple infections of Black Basta using QakBot beginning on November 14, 2022. These QakBot infections began with a spam/phishing email containing malicious URL links. Qakbot was the primary method Black Basta used to maintain a presence on victims’ networks.
That said, we also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller. Finally, ransomware was deployed and the attacker then disabled security mechanisms, such as EDR and antivirus programs, reads the report.
Researchers also confirms that this attack is divided into three parts such as:
- Initial Infection vector, where the Qakbot malware was used for initial access and post-exploitation related activities conducted.
2. Key machines where identified to compromise the domain controllers
3. Black Basta ransomware was deployed on identified machines.
One of the interesting fact about this campaign is that , the attackers are so fast that it took 2hours to compromise domain controllers and proceeded with ransomware deployment within 12hrs of infection.
Researchers also observed that the threat actors are locking out victim machines by disabling DNS services.
“Using this source to infer the original phishing vector, we concluded that the attacker uses an IMG file (Disk Image File, similar to the ISO format) as the initial compromise vector. We also identified other QBot infection vectors starting from ISO files, depending on the campaign. Prior to Microsoft patch regarding MOTW (Mark of the web), files inside of these types of image files (ISO/IMG) were not marked properly with Mark of The Web, a system to allow Windows to flag a file with metadata such as download URL, and warn users prior to opening the file. ” reads the report.
Indicators of Compromise:
Associated Domains:
- jesofidiwi[.]com (Cobalt Strike C2)
- dimingol[.]com (Cobalt Strike-related domain used for DNS exfiltration)
- tevokaxol[.]com (Cobalt Strike C2)
- vopaxafi[.]com (Cobalt Strike C2)
Associated IPs:
- 108.177.235.29
- 144.202.42.216
- 108.62.118.197
Qakbot C2 addresses
| Server address | Port Number |
| 94.70.37.145 | 2222 |
| 172.90.139.138 | 2222 |
| 70.50.3.214 | 2222 |
| 90.89.95.158 | 2222 |
| 200.93.14.206 | 2222 |
| 142.161.27.232 | 2222 |
| 82.127.174.33 | 2222 |
| 92.207.132.174 | 2222 |
| 92.189.214.236 | 2222 |
| 24.64.114.59 | 2222 |
| 82.31.37.241 | 443 |
| 87.223.80.45 | 443 |
| 76.9.168.249 | 443 |
| 174.115.87.57 | 443 |
| 82.41.186.124 | 443 |
| 131.106.168.223 | 443 |
| 75.98.154.19 | 443 |
| 170.253.25.35 | 443 |
| 86.133.237.3 | 443 |
| 73.88.173.113 | 443 |
| 84.209.52.11 | 443 |
| 180.151.104.143 | 443 |
| 105.184.161.242 | 443 |
| 24.49.232.96 | 443 |
| 157.231.42.190 | 443 |
| 75.143.236.149 | 443 |
| 70.64.77.115 | 443 |
| 137.186.193.226 | 3389 |
| 91.165.188.74 | 50000 |
Add the following hashes to the blocklist in your Cybereason environment:
Associated Hashes (SHA1):
- 75b2593da627472b1c990f244e24d4e971c939e7 (aficionado.tmp)
- 3a852c006085d0ce8a18063e17f525e950bb914c (cob_54.dll)
- 4202bf2408750589e36750d077746266176ac239 (cob_56.dll)
Hunt for the following files (those are also mentioned in the Hunting Queries chapter):
Associated file names:
- Aficionado.tmp (Qbot loader)
- fwpolicyiomgr.dll (Qbot module)
- plugin_payload54.dll
- Plugin_payload55.dll
- cob_54.dll
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin
CyberWorkx 