Researchers from the Cybereason team have identified a rise in Qakbot infections targeting multiple US organisations. On successful infection, the Black Basta ransomware program is deployed on the compromised machines in the target network.

The attack is delivered to end users as a malicious link in a spear-phishing email, and Qakbot is used as the initial attack method to gain control over the network.

The Cybereason Managed Services team observed multiple infections of Black Basta using QakBot beginning on November 14, 2022. These QakBot infections began with a spam/phishing email containing malicious URL links. Qakbot was the primary method Black Basta used to maintain a presence on victims’ networks. 

That said, we also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller. Finally, ransomware was deployed and the attacker then disabled security mechanisms, such as EDR and antivirus programs, reads the report.

Researchers also confirm that the attack is divided into three stages:

  1. Initial infection vector, where the Qakbot malware was used for initial access and post-exploitation activities were conducted.

  2. Key machines were identified in order to compromise the domain controllers.

  3. Black Basta ransomware was deployed on the identified machines.

One interesting fact about this campaign is how fast the attackers move: it took them 2 hours to compromise the domain controllers, and they proceeded to ransomware deployment within 12 hours of infection.

Researchers also observed that the threat actors are locking out victim machines by disabling DNS services.

“Using this source to infer the original phishing vector, we concluded that the attacker uses an IMG file (Disk Image File, similar to the ISO format) as the initial compromise vector. We also identified other QBot infection vectors starting from ISO files, depending on the campaign. Prior to the Microsoft patch regarding MOTW (Mark of the Web), files inside of these types of image files (ISO/IMG) were not marked properly with Mark of the Web, a system to allow Windows to flag a file with metadata such as download URL, and warn users prior to opening the file.” reads the report.

Indicators of Compromise:

Associated Domains:

  • jesofidiwi[.]com (Cobalt Strike C2)
  • dimingol[.]com (Cobalt Strike-related domain used for DNS exfiltration)
  • tevokaxol[.]com (Cobalt Strike C2)
  • vopaxafi[.]com  (Cobalt Strike C2)

Associated IPs: 

  • 108.177.235.29 
  • 144.202.42.216
  • 108.62.118.197 

Qakbot C2 addresses


Add the following hashes to the blocklist in your Cybereason environment:

Associated Hashes (SHA1): 

  • 75b2593da627472b1c990f244e24d4e971c939e7 (aficionado.tmp)
  • 3a852c006085d0ce8a18063e17f525e950bb914c (cob_54.dll)
  • 4202bf2408750589e36750d077746266176ac239 (cob_56.dll)

Hunt for the following files (these are also mentioned in the Hunting Queries chapter of the report):

Associated file names: 

  • Aficionado.tmp (Qbot loader)
  • fwpolicyiomgr.dll (Qbot module)
  • plugin_payload54.dll
  • Plugin_payload55.dll
  • cob_54.dll
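As an added example (not from the article or the Cybereason report), the following Python sweep matches constructed log lines against the domains, IPs, hashes and file names listed above; the log format, the sample lines and the function names are assumptions made for the demonstration.

```python
import re
# Indicators as listed on this page (Cybereason report); domains are defanged.
DEFANGED = {"jesofidiwi[.]com", "dimingol[.]com", "tevokaxol[.]com", "vopaxafi[.]com"}
DOMAINS = {d.replace("[.]", ".") for d in DEFANGED}  # refang before matching
IPS = {"108.177.235.29", "144.202.42.216", "108.62.118.197"}
SHA1S = {"75b2593da627472b1c990f244e24d4e971c939e7",  # aficionado.tmp
         "3a852c006085d0ce8a18063e17f525e950bb914c",  # cob_54.dll
         "4202bf2408750589e36750d077746266176ac239"}  # cob_56.dll
FILENAMES = {"aficionado.tmp", "fwpolicyiomgr.dll", "plugin_payload54.dll",
             "plugin_payload55.dll", "cob_54.dll"}

# Constructed (hypothetical) log format, one record per line:
#   DNS <client> <queried_name> | CONN <client> <dest_ip> | FILE <host> <path> [sha1]
LOG_RE = re.compile(r"^(DNS|CONN|FILE)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def domain_hit(name):
    """Match a queried name against the C2 domains, including subdomains."""
    name = name.lower().rstrip(".")  # normalise case and trailing dot
    return next((d for d in DOMAINS if name == d or name.endswith("." + d)), None)

def sweep(lines):
    """Return (line_no, indicator_type, indicator) for each line that hits an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        kind, _src, value, sha1 = m.groups()
        if kind == "DNS" and (d := domain_hit(value)):
            hits.append((n, "domain", d))
        elif kind == "CONN" and value in IPS:
            hits.append((n, "ip", value))
        elif kind == "FILE":
            base = value.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if sha1 and sha1.lower() in SHA1S:
                hits.append((n, "sha1", sha1.lower()))
            elif base in FILENAMES:  # name-only hit is weaker, but worth hunting
                hits.append((n, "filename", base))
    return hits

# Constructed sample log lines (not from the report) to run the sweep against.
SAMPLE_LOG = [
    "DNS 10.0.0.5 update.jesofidiwi.com.",
    "DNS 10.0.0.5 www.example.com",
    "CONN 10.0.0.5 144.202.42.216",
    "FILE ws01 C:\\Users\\Public\\aficionado.tmp 75b2593da627472b1c990f244e24d4e971c939e7",
    "FILE ws02 C:\\Windows\\Temp\\fwpolicyiomgr.dll 0000000000000000000000000000000000000000",
    "garbage line",
]
```

Running `sweep(SAMPLE_LOG)` flags the subdomain query, the Cobalt Strike IP, the hash match and the name-only match, and silently skips the unparseable line.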
