{"id":91153,"date":"2022-11-11T16:32:59","date_gmt":"2022-11-11T11:02:59","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=91153"},"modified":"2023-06-17T16:41:50","modified_gmt":"2023-06-17T11:11:50","slug":"qbot-a-html-smuggling-technique-to-target-victims","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/qbot-a-html-smuggling-technique-to-target-victims\/","title":{"rendered":"QBOT \u2013 A HTML Smuggling technique to target victims"},"content":{"rendered":"

QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a Banking Trojan that was first observed in 2007. Today, Qbot is still a vicious and persistent threat to organizations and has become one of the leading Banking Trojans globally. Over the years, it has changed its initial techniques to deliver payloads like using VBA macros, Excel 4 macros, VBS files, exploits like Follina, etc. Recently in Quick Heal’s Security Labs<\/a>, we have come across a new technique that QBot leverages for its attack. It is called an “HTML Smuggling attack.”<\/p>\n

What is HTML Smuggling attack?<\/strong><\/h3>\n

HTML Smuggling is an attack vector in which the attacker smuggles encoded malicious script or payload embedded uniquely. It uses HTML 5 and JavaScript to accomplish its task. There are multiple ways to attack with this technique. Some common techniques are:<\/p>\n

    \n
  1. Use of anchor tag
    \n<\/strong><\/strong>The HTML anchor tag \u201c<a>\u201d defines a hyperlink that links one page to another. It can create a hyperlink to other web pages, files, locations, or any URL. Also, if we want to download any file hosted on any server, we can use an anchor tag. For example,\"\"<\/li>\n
  2. Use of JavaScript Blob
    \n<\/strong><\/strong>JavaScript blobs are objects that are a collection of bytes that contain data stored in a file. Blob data is stored in the user\u2019s memory. This collection of bytes is used in the same places where an actual file would have been used. In other words, blobs can be used to construct file-like objects on the client that can be passed to JavaScript APIs that expect URLs.For example, the bytes of the file payload.exe can be provided as input in JS code as a JS blob; it can be compiled and downloaded at the user end.<\/li>\n
  3. Use of embed element
    \n<\/strong><\/strong>It is used for embedding external applications, which are generally multimedia content like audio or video, into an HTML document. It is used as a container for embedding plug-ins such as flash animations.<\/li>\n<\/ol>\n

    Why is this technique used?<\/strong><\/h3>\n

    When the victim opens the HTML attachment, it decodes embedded files and saves them locally. Due to encoded patterns, no malicious content passes through the network, bypassing network filters and firewalls<\/a>; hence this attack method is gaining popularity among cybercriminals.<\/p>\n

    QBot Attack Flow:<\/strong><\/h4>\n

    \"\"<\/p>\n

     <\/p>\n

    In one of the documents we analyzed, an embedded HTML element was found to be created with the \u201cdocument.createElement\u201d<\/i><\/em>\u00a0method. Attackers took advantage of this tag to distribute payloads in zip archives. We can see in the below image base64 encoded data for the zip file:-<\/p>\n

    \"\"<\/p>\n

    Fig.1- HTML Smuggling Template<\/em><\/p>\n

    While opening an HTML file, it tricks the user as if it is downloading a zip file, whereas the zip is already embedded in an HTML file. The password is highlighted in the image below, \u201cabc555\u201d.<\/p>\n

    \"\"<\/p>\n

    Fig.2 – Zip Download<\/em><\/p>\n

    After extracting the zip file, we get the\u201dREJ_2975\u201d disk image file, which again contains several files.<\/p>\n

    \"\"<\/p>\n

    Fig.3 – Extracted files from iso<\/em><\/p>\n

    Shortcut file \u201cREJ\u201d is then responsible for conducting the further attack. This file\u2019s task is to execute the \u201creprocesses\u201d command script in the \u201coslo\u201d folder. Subsequently, the command script will execute the final QBot loader DLL file having the name \u201ccounteractively.dat\u201d as shown in the following figure:-<\/p>\n

    \"\"<\/p>\n

    Fig.4 – Execution Commands<\/em><\/p>\n

    Later, the payload is injected in wermgr.exe via process hollowing:-<\/p>\n

    \"\"<\/p>\n

    Fig.5 – Execution Commands<\/em><\/p>\n

     <\/p>\n

     <\/p>\n

    DLL Analysis:<\/strong><\/h4>\n

    This Qbot loader DLL is an x32 bit Delphi compiled binary with no export functions.<\/p>\n

    \"\"<\/p>\n

    Fig. 6- QBot loader information<\/em><\/p>\n

     <\/p>\n

    Defense Evasion checks are being used by Qbot; in this case, it is for windows defender simulation by checking the file \u201cC:\\INTERNAL\\__empty.\u201d<\/p>\n

    \"\"<\/p>\n

    Fig. 7 – QBot checking Windows Defender<\/em><\/p>\n

    Gaining Persistence:<\/strong><\/h4>\n

    Qbot uses registry entries and self-replication to attain persistence. As the payload gets executed, the Qbot gains its persistence in 2 steps:<\/p>\n

      \n
    1. Copying itself to the below-mentioned folder:
      \n%AppData%\\Roaming\\Microsoft\\{RandomStrings}<\/li>\n
    2. \u00a0Creating a registry value pointing to the above payload<\/li>\n<\/ol>\n

      Folder Creation and Dropped DLLs are loaded via regsvr32.exe, as shown below:<\/p>\n

      \"\"<\/p>\n

      Fig. 8- Folder Creation with a random name<\/em><\/p>\n

      Dumping config data in Registry. In the latest payload versions, Qbot has moved from creating its config file in \u201c.dat\u201d format. Now, it writes its cloned DLL entry in the victim as encrypted registry keys to the \u2018HKCU\\Software\\Microsoft\\[RandomString]\u2019 Hive.<\/p>\n

      \"\"<\/p>\n

      Fig. 9 – Registry Entries<\/em><\/p>\n

       <\/p>\n

      C2 Communication: <\/strong><\/h4>\n

      As shown in the following figure, injected process \u201cwermgr.exe\u201d is making a connection to hardcoded Ips:-<\/p>\n

      \"\"<\/p>\n

      Fig. 10 – C2 Communication IPs<\/p>\n

       <\/p>\n

      Conclusion:<\/strong><\/h3>\n

      Disabling JavaScript in most environments is not feasible as too many legitimate systems and web applications require its use. In addition to that, many legitimate JavaScript frameworks make use of obfuscation techniques in order to minimize file sizes and improve the speed of web applications. Hence blocking obfuscated JavaScript is not a practical option. Therefore, users are advised to take utmost care while handling suspicious emails with HTML attachments. Quick Heal customers are already protected from these types of attacks<\/a>.<\/p>\n

       <\/p>\n

      IoCs:<\/strong><\/h3>\n

      Html attachment<\/p>\n

      Md5: 6783003a0737331c66a0b8fc0a35754d<\/p>\n

      Detection name: HTML.QBot.47153<\/p>\n

       <\/p>\n

      QBot loader DLL<\/p>\n

      MD5: 52EC63A6F7F089862E648112FE8E9F1D<\/p>\n

      Detection name: Trojan.Qakbot<\/p>\n

      URLs:<\/strong><\/h3>\n

      http:\/\/156.221.50.70:995<\/p>\n

      http:\/\/190.26.159.108:995<\/p>\n

      https:\/\/82.205.9.83<\/p>\n

      https:\/\/14.54.83.74<\/p>\n

      http:\/\/190.199.186.80:2222<\/p>\n

      https:\/\/134.35.3.115<\/p>\n

      https:\/\/176.44.119.201<\/p>\n

      https:\/\/45.160.33.131<\/p>\n

      http:\/\/37.245.136.224:2222<\/p>\n

      https:\/\/132.251.244.3<\/p>\n

      http:\/\/206.1.216.174<\/p>\n

      https:\/\/1.20.185.200<\/p>\n

      http:\/\/196.89.213.210:995<\/p>\n

      http:\/\/182.183.211.179:995<\/p>\n

      https:\/\/163.182.177.140<\/p>\n

      http:\/\/190.26.159.29:995<\/p>\n

      https:\/\/197.205.161.175<\/p>\n

      http:\/\/91.171..72.224:32100<\/p>\n

      http:\/\/101.109.135.92:995<\/p>\n

      https:\/\/41.97.56.148<\/p>\n

      https:\/\/14.246.151.165<\/p>\n

      https:\/\/94.36.5.99<\/p>\n

      https:\/\/186.18.210.235<\/p>\n

      https:\/\/79.155.159.202<\/p>\n

      http:\/\/190.204.112.15:2222<\/p>\n

       <\/p>\n

      MITRE Mapping:<\/strong><\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
      MITRE ID<\/strong><\/td>\nTechnique<\/strong><\/td>\n<\/tr>\n
      T1566<\/b><\/strong><\/td>\nPhishing<\/td>\n<\/tr>\n
      T1027.006<\/b><\/strong><\/td>\nHTML Smuggling<\/td>\n<\/tr>\n
      T1553.005<\/b><\/strong><\/td>\nMark of the web bypass<\/td>\n<\/tr>\n
      T1574.002<\/b><\/strong><\/td>\nDLL Sideloading<\/td>\n<\/tr>\n
      T1055<\/b><\/strong><\/td>\nProcess Injection<\/td>\n<\/tr>\n
      T1112<\/b><\/strong><\/td>\nModify Registry<\/td>\n<\/tr>\n
      T1027<\/b><\/strong><\/td>\nObfuscated Files or Information<\/td>\n<\/tr>\n
      T1218.010<\/b><\/strong><\/td>\nSystem Binary Proxy Execution: Regsvr32<\/td>\n<\/tr>\n
      T1010<\/b><\/strong><\/td>\nApplication Window Discovery<\/td>\n<\/tr>\n
      T1082<\/b><\/strong><\/td>\nSystem Information Discovery<\/td>\n<\/tr>\n
      T1071.001<\/b><\/strong><\/td>\nApplication Layer Protocol: Web Protocols<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

       <\/p>\n

      Subject Matter Experts:<\/strong><\/h3>\n

      Anjali Raut<\/strong><\/p>\n

      Nihar Deshpande<\/strong><\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n","protected":false},"excerpt":{"rendered":"

      QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a Banking Trojan that was first observed in 2007. Today, Qbot is still a vicious and persistent threat to organizations and has become one of the leading Banking Trojans globally. Over the years, it has changed its initial techniques to deliver payloads like using VBA macros, […]<\/p>\n","protected":false},"author":62,"featured_media":91211,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,1611,24,303,910,5],"tags":[1934,1935,1937,1933,1910,1925,1362,58,1939,1940,247,1503,49,25,1941,1923,61,40],"class_list":["post-91153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-banking-trojan","category-malware","category-phishing","category-ransomware","category-security","tag-bankingtrojan","tag-financialfraud","tag-htmlsmuggling","tag-pinkslipbot","tag-qbot","tag-cyberawareness","tag-cybercrime","tag-hacking","tag-hmtl-smuggling","tag-html-attack","tag-javascript","tag-malspam","tag-malware","tag-phishing","tag-quackbot","tag-quickheal","tag-smartphone-security","tag-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91153"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/62"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=91153"}],"version-history":[{"count":12,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91153\/revisions"}],"predecessor-version":[{"id":91752,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91153\/revisions\/91752"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/91211"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=91153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=91153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=91153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}