Active Campaign delivering QakBot

I started tracking this activity when I observed a lot of malicious DOC files being submitted to VT with the dhash value 6801012121018101.

6801012121018101 is the dhash (a perceptual difference hash, so near-identical images share it) of the image embedded in the DOC files (shown below); every file carrying this image can be found in VT with the search main_icon_dhash:6801012121018101

More info about main_icon_dhash: https://blog.virustotal.com/2019/03/time-for-vt-enterprise-to-step-up.html

A VT search on this dhash returns 307 files as of today (16 April 2020); the first submission was on 2020-04-01 17:28:44.

Taking a look at one of the recent samples, c274495c33118c48992cf25a68272d5d3b6030f5bf9f6aa917cf885c0d807b51, we can see that once the macro is enabled, the below PowerShell code is executed:

The Base64 strings decode as follows (the macro strips the trailing '=' padding, so add it back before decoding):

aHR0cDovL3JldHJvYmFuZC51ay93cC1jb250ZW50L3VwbG9hZHMvMjAyMC8wNC9zbGlkZXIvNDQ0NDQ0LnBuZw decodes to hxxp://retroband[.]uk/wp-content/uploads/2020/04/slider/444444[.]png

QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl decodes to C:\Users\Public\tmpdir\file

The PE file is downloaded from hxxp://retroband[.]uk/wp-content/uploads/2020/04/slider/444444[.]png (an executable served under an image name), moved to C:\Users\Public\tmpdir\file1.exe and executed. From the connection below we can see that the request carries no 'User-Agent' header at all, which is a useful detection hook: a .png fetched with no User-Agent is not something a browser does.
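As an added example (my own code, not the post's; the command line below is constructed to carry the two Base64 strings quoted above, and the surrounding PowerShell and the function names are assumptions), a small Python triage helper that pulls Base64 tokens out of a PowerShell command line, restores the stripped padding, decodes UTF-8 or the UTF-16LE that -EncodedCommand uses, and flags the two things seen in this stager: a payload fetched under an image name and a drop path under C:\Users\Public.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed command line for the example: the two Base64 strings are the ones
# quoted in the post, the surrounding PowerShell is my own and not the macro's.
SAMPLE_CMDLINE = (
    'powershell -w hidden -c "'
    "$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
    "'aHR0cDovL3JldHJvYmFuZC51ay93cC1jb250ZW50L3VwbG9hZHMvMjAyMC8wNC9zbGlkZXIvNDQ0NDQ0LnBuZw'));"
    "$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
    "'QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl'));"
    '"'
)

# Runs of Base64 alphabet long enough to be worth decoding; padding is optional
# because the strings in this campaign are embedded without it.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_token(token: str) -> Optional[str]:
    """Decode one token, restoring stripped '=' padding.

    PowerShell's -EncodedCommand uses UTF-16LE (every second byte NUL), so that
    byte layout is decoded as UTF-16LE; anything else is tried as UTF-8. Returns
    None for tokens that are not valid Base64 or do not decode to printable text.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 4 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text.isprintable() else None


def classify(text: str) -> str:
    """Bucket a decoded string by what the stager will do with it."""
    if re.match(r"https?://", text, re.IGNORECASE):
        return "url"
    if re.match(r"[A-Za-z]:\\", text):
        return "path"
    return "other"


def extract_indicators(cmdline: str) -> Dict[str, List[str]]:
    """All decodable Base64 tokens in a command line, grouped by kind."""
    found: Dict[str, List[str]] = {"url": [], "path": [], "other": []}
    for token in B64_TOKEN.findall(cmdline):
        text = decode_b64_token(token)
        if text is not None:
            found[classify(text)].append(text)
    return found


def triage(cmdline: str) -> List[str]:
    """Reasons this command line matches the stager behaviour described above."""
    indicators = extract_indicators(cmdline)
    reasons: List[str] = []
    for url in indicators["url"]:
        # The campaign serves a PE under an image name; an image extension on a
        # URL that a PowerShell stager fetches is the tell.
        if urlparse(url).path.lower().endswith((".png", ".jpg", ".gif")):
            reasons.append("payload fetched under an image name: " + url)
    for path in indicators["path"]:
        # C:\Users\Public is writable by every local user, so it needs no
        # elevation and is a common drop directory.
        if path.lower().startswith("c:\\users\\public\\"):
            reasons.append("drop path under C:\\Users\\Public: " + path)
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_CMDLINE):
        print(reason)
```

Feed it the CommandLine field of a Sysmon event 1 or EDR process record where the parent is WINWORD.EXE; the decoded URL and path are what you pivot on in proxy and file-creation telemetry.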

The downloaded PE is the QakBot sample afcaa6e39a0b282c4ddccbaaa3ea00d47aa4aaff6e8f43ae5ded2c988ebae412

IOCs

Looking at the other malicious DOC files, the samples communicate with the malicious URLs below (most of them pointing to a 444444[.]png); I verified that the ones still active are still delivering QakBot samples:

retroband[.]uk/wp-content/uploads/2020/04/slider/444444[.]png
retroband[.]uk/wp-content/uploads/2020/04/silder/444444[.]png
decorenovacion[.]cl/wp-content/plugins/ziss/classes/cursors/444444[.]png
kritids[.]com/assets/style/images/gradient/cursors/444444[.]png
darcscc[.]org/wp-content/themes/twentytwenty/ktfguekknp/cursors/444444[.]png
greenmagicbd[.]com/wp-content/themes/calliope/previous/444444[.]png
sollight[.]com[.]hk/wp-content/uploads/2020/04/last/444444[.]png
blog[.]buatvideomu[.]com/wp-content/uploads/2020/04/last/444444[.]png
wppunk[.]com/wp-content/uploads/2020/04/slider/444444[.]png
kramo[.]pl/wp-content/plugins/apikey/slider/444444[.]png
b[.]assignmentproff[.]com/amyceyaihd[.]png
4[.]unplugrevolution[.]com/189/24/4788[.]png/
automatischer-staubsauger[.]com/feature/777777[.]png
demo[.]caglificioclerici[.]com/feature/777777[.]png
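To turn the list into something that runs over traffic, here is an added example (my code, not the post's): it refangs the list above, then scans proxy log lines for exact IOC matches plus the two behaviours seen in the sample, a .png fetched with no User-Agent and a .png answered with a non-image content type on a 200. The log format and the log lines are constructed for the example, and the repeated-digit filename rule (444444, 777777) is a heuristic I derived from the list, not something the post claims.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# The defanged URL list from the post, pasted as published.
IOC_URLS = """
retroband[.]uk/wp-content/uploads/2020/04/slider/444444[.]png
retroband[.]uk/wp-content/uploads/2020/04/silder/444444[.]png
decorenovacion[.]cl/wp-content/plugins/ziss/classes/cursors/444444[.]png
kritids[.]com/assets/style/images/gradient/cursors/444444[.]png
darcscc[.]org/wp-content/themes/twentytwenty/ktfguekknp/cursors/444444[.]png
greenmagicbd[.]com/wp-content/themes/calliope/previous/444444[.]png
sollight[.]com[.]hk/wp-content/uploads/2020/04/last/444444[.]png
blog[.]buatvideomu[.]com/wp-content/uploads/2020/04/last/444444[.]png
wppunk[.]com/wp-content/uploads/2020/04/slider/444444[.]png
kramo[.]pl/wp-content/plugins/apikey/slider/444444[.]png
b[.]assignmentproff[.]com/amyceyaihd[.]png
4[.]unplugrevolution[.]com/189/24/4788[.]png/
automatischer-staubsauger[.]com/feature/777777[.]png
demo[.]caglificioclerici[.]com/feature/777777[.]png
""".split()


def refang(ioc: str) -> str:
    """Turn the published defanged form back into a matchable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_ioc(ioc: str) -> Tuple[str, str]:
    """(host, path) for one list entry; a scheme is added so urlparse sees a host."""
    parsed = urlparse("http://" + refang(ioc))
    return parsed.hostname or "", parsed.path.rstrip("/")


IOC_SET: Set[Tuple[str, str]] = {split_ioc(u) for u in IOC_URLS}
IOC_HOSTS: Set[str] = {host for host, _ in IOC_SET}

# Constructed proxy log lines for the example (not from the post):
# timestamp client method url status content-type "user-agent" ("-" = none)
SAMPLE_LOG = """\
2020-04-16T09:41:02Z 10.1.2.33 GET http://retroband.uk/wp-content/uploads/2020/04/slider/444444.png 200 application/octet-stream "-"
2020-04-16T09:41:05Z 10.1.2.33 GET http://retroband.uk/wp-content/uploads/2020/04/silder/444444.png 404 text/html "-"
2020-04-16T09:42:10Z 10.1.2.40 GET http://example.com/static/logo.png 200 image/png "Mozilla/5.0 (Windows NT 10.0) Firefox/75.0"
2020-04-16T09:43:55Z 10.1.2.51 GET http://cdn.example.org/themes/x/feature/777777.png 200 application/x-msdownload "-"
2020-04-16T09:44:00Z 10.1.2.60 GET http://example.net/api/health 200 application/json "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)


def score_line(line: str) -> List[str]:
    """Reasons one log line deserves attention; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m["url"])
    host, path = url.hostname or "", url.path.rstrip("/")
    reasons: List[str] = []
    if (host, path) in IOC_SET:
        reasons.append("known campaign URL")
    elif host in IOC_HOSTS:
        reasons.append("known campaign host")
    png = path.lower().endswith(".png")
    if png and m["ua"] in ("", "-"):
        # The sample's download sent no User-Agent at all; normal clients send one.
        reasons.append(".png fetched with no User-Agent")
    if png and m["status"] == "200" and not m["ctype"].startswith("image/"):
        # Judge the content type only on a 200: a 404 page is text/html legitimately.
        reasons.append(".png served as " + m["ctype"])
    if re.search(r"/(\d)\1{5}\.png$", path):
        # Heuristic from the list (444444.png, 777777.png); expect it to age.
        reasons.append("repeated-digit .png filename (heuristic)")
    return reasons


def scan(log: str) -> Dict[int, List[str]]:
    """Line number -> reasons, for every line that triggered something."""
    hits: Dict[int, List[str]] = {}
    for number, line in enumerate(log.splitlines(), start=1):
        reasons = score_line(line)
        if reasons:
            hits[number] = reasons
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG).items():
        print(number, "; ".join(reasons))
```

The exact-match rules expire as soon as the compromised WordPress sites are cleaned; the no-User-Agent and content-type mismatch rules are the ones that keep catching the next hosting rotation.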

DOC/PE File list is uploaded to https://pastebin.com/raw/319K9r7t
