In late Q4 2022, ReliaQuest, a leading provider of enterprise security solutions, uncovered a security incident in a customer's environment. The attack was initiated by a threat actor using the QBot banking trojan, a well-known malware strain that has been active since 2007. The attacker gained initial network access through a phishing email that had an attached malicious file named REF#6547_SEP_28.HTML. The email was delivered to end-user inboxes and slipped past an overly permissive security solution, highlighting the importance of robust security solutions to prevent threat actors from gaining initial access and moving laterally within the environment.
The attacker then used the hidden window technique, specifically HTML smuggling, to execute the malicious payload. The user was asked to download a fake Adobe Acrobat update image, which, upon download, surfaced the BLOB and constructed an automatically downloaded ZIP file to the user's disk. This allowed the attacker to establish a foothold in just 77 minutes, far quicker than most cases of this kind that usually have a breakout time of around 2 hours.
The attacker's actions were assisted by an accepted risk that could have been avoided, emphasizing the need to avoid accepted risks to prevent their advances. The attacker used the QBot C2 channel to pivot to their newly established Cobalt Strike beacon channel, which used HTTPS to communicate with its team server. The attacker also used alternative HTTPS channels to communicate and maintain their foothold. They deployed and configured remote-access software AnyDesk, Atera, and Splashtop, which use the HTTPS protocol.
The attacker used the Data Protection Application Programming Interface (DPAPI) to interact with a credential key for an account to harvest credentials, highlighting the importance of credential management. The attacker primarily made use of a service account with domain administrator privileges during the intrusion to carry out their objectives. Upon disabling the primary account, the attacker pivoted to another valid account that was also a member of the domain administrators’ group. The attacker also attempted to add an account named OLDADMINISTRATOR to the Local Administrators group, on hosts where a local account named ADMINN had been previously created, as directed in the Conti affiliate manual.
The attacker used various Windows binaries for network discovery, including NET, ARP, ROUTE, NETSTAT, IPCONFIG, and WHOAMI. These were seen as children processes of WERMGR.EXE. The QBot infection was responsible for these discovery operations, as the QBot payload was executed first.
 |
| QBOT TTP Source: https://www.reliaquest.com/blog/qbot-black-basta-ransomware/ |
Based on the tactics, techniques, and procedures (TTP) observed in this attack, the following TTP MITRE were identified:
- Initial Access: Spearphishing Attachment (T1566.001)
- Execution: Hidden Window (T1055.012)
- Command and Control: Commonly Used Port (T1043.001)
- Credential Access: Data from Local System (T1003)
- Privilege Escalation: Abuse Elevation Control Mechanism (T1548.002)
- Discovery: System Information Discovery (T1082)
To prevent such attacks, it is essential to implement proactive security measures, such as:
- Regular employee training on identifying and reporting phishing emails
- Implementing robust security solutions that can detect and prevent phishing attacks
- Updating and patching systems regularly to mitigate vulnerabilities
- Implementing multifactor authentication and access controls to prevent unauthorized access to critical systems
- Regularly reviewing and updating security policies to account for emerging threats
- Conducting regular security assessments to identify and remediate potential security gaps
In conclusion, as ransomware continues to pose a significant threat to businesses, it is essential to remain vigilant and take proactive measures to prevent security incidents from occurring. By implementing the TTP MITRE and following the recommended preventive measures, businesses can better secure their
0 Comments