The ASEC analysis team has identified the Qakbot malware that was introduced in the past is being distributed to Korean users. The overall operation process, including the fact that it uses ISO files, is similar to the previous version, but a process to bypass behavior detection was added.
The email distributed to Korean users is as shown below. It has hijacked a normal existing email and replied to it with a malicious file in the attachment, and this distribution process is the same as Bumblebee and IceID which had been introduced in one of the previous ASEC blogs. Users can mistake the email for a normal reply email, because it contains the content of a previous email. It can be seen recently that such email hijacking methods have been increasing.
The HTML file attached to the email, like past versions, generates a compressed file that exists within the script. The compressed file is password protected, and the act of securing the compressed file with a password seems to be for the purpose of bypassing detection. The password can be seen on the HTML page, as shown below.
The generated compressed file contains an ISO file, and similar to past versions, the ISO file contains an LNK file, a CMD file and a malicious DLL.
The properties of the LNK file are as below, and it executes the CMD file created alongside it.
The CMD file copies a normal program (regsvr32.exe) inside the system folder to the “C:\\Users\\Public\\re.exe” path and loads the malicious DLL through the file in this path. It is likely that the process above is an attempt to bypass behavior detection.
The loaded DLL is Qakbot, a banking malware, which executes a normal process (wermgr.exe) before injecting malicious data. The injected process decodes multiple C2 and attempts connection, and when connection is established to C2, additional malicious behavior such as downloading malicious modules and stealing financial information can be performed.
- C2
197.158.89[.]85:443
105.69.155[.]85:995
41.248.72[.]229:8443
8.246.161[.]254:80
There is a recent increase in the distribution of malware through ISO files. Also, there have been multiple detections of phishing methods where normal emails are hijacked before being replied with malicious file attachments, so users are advised to refrain from opening attachments in emails from unknown senders. AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
[File Detection]
Dropper/HTML.Qakbot.SC183805 (2022.10.11.03)
Malware/Win.Possible_smhpqakbottha.R525663 (2022.10.08.01)
Trojan/CMD.Runner (2022.10.20.03)
[IOC]
00a12831f1f2d1b6375c2da6725148b5
3c6ca0315dd040d5752e488c743c17c2
d92fe35ba1c68a744f5f73e40469390a
197.158.89[.]85:443
105.69.155[.]85:995
41.248.72[.]229:8443
8.246.161[.]254:80
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information