There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to the use of VHD files. Such use of disk image files (IMG, ISO, VHD) is seen to be Qakbot’s method of bypassing Mark of the Web (MOTW). Disk image files can bypass the MOTW feature because when the files inside them are extracted or mounted, MOTW is not inherited to the files.
- Related webpage: https://attack.mitre.org/techniques/T1553/005/
The phishing email that distributes Qakbot is shown below. Like in previous cases, it has an HTML file attachment which generates a compressed file.
When the attached HTML file is executed, a page that imitates Google Drive is loaded. At this stage, a compressed file contained in the HTML script is automatically created by the script. The compressed file is password-protected, and the password can be found on the HTML page.
The compressed file contains a VHD file, which is the virtual disk file.
VHD files can be automatically mounted on Windows 8 and onwards, and files are created internally as shown below.
The properties of the created LNK file are as below, and it executes the reserved.cmd file created alongside it.
The reserved.cmd command is shown below. It executes the resting.cmd file, parses a certain string, and transmits it as an argument.
The resting.cmd command is as follows. This command combines the string received as an argument and loads the hogs.tmp file through rundll32. The hogs.tmp file is a DLL file and is the Qakbot malware.
Qakbot is a banking malware that executes the normal process wermgr.exe before injecting malicious data. The injected process attempts to establish a connection to the C2, and when the attempt is successful, it performs additional malicious behaviors such as downloading malicious modules and extorting financial information. The process tree from the execution of LNK to the execution of Qakbot is as follows.
- C2 : 2.14.82[.]210:2222
Recently, there has been a surge in malware using disk image files and various methods of distribution to bypass security features. Users should refrain from opening emails from unknown sources and should not execute their attachments. AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.