Guest Post: New DatopLoader Delivers Qakbot Trojan According To Minerva Labs 

Via Minerva Labs (www.minerva-labs.com)

A new phishing campaign delivers a Qakbot (also known as Qbot or Quakbot), using DatopLoader(aka Squirrelwaffle). 

DatopLoader( aka Squirrelwaffle) compromises victims via a malspam campaign and provides threat actors with the initial foothold into systems and victims’ network environments. This can then be used to facilitate further compromises or additional malware infections, which depends on how adversaries wish to monetize their access.

Yesterday (November 8, 2021), we spotted a malicious excel file trying to execute three different files using regsvr32.exe:

malicious excel file

Figure 1 Malicious Excel File

At first glance, this excel file contains one sheet which guides the user to enable the macro, ultimately leading to a network connection and eventual delivery of QakBot. Uncharacteristically, this sheet does not contain the usual culprits of a malicious file i.e. Excel Macro 4, sheet password protection, etc. This makes us suspicious. We enabled a Developer Tab in excel and checked this file’s VBA project.

To learn more about our malware solution, request a demo

We found three more sheets that were hidden, and switched them to visible mode. All three sheets contained Excel Macro 4; one of the sheets contained letters, numbers, and symbols, and two others seemed to be responsible for creating a new folder using kerner32.dll!CreateDirectoryA, downloading three files from three different domains, saving those files on a local disk in a create folder , and executing each one of them using regsvr32.exe:

excel macro
excel macro 4
excel macro
  • The folder created was named “Datop” under a C:\. 
  • The downloaded files were named C:\Datop\good.good, C:\Datop\good1.good and C:\Datop\good2.good. 

All three downloaded files were found to be Qakbot banking trojans’ DLLs. Qakbot, also known as Pinkslipbot, Qbot, and Quakbot. This is a notorious Banking Trojan designed to steal account credentials and online banking session information, leading to account takeover fraud.

This Squirrelwaffle sample employs the same delivery scheme as the one that was posted by Malware Traffic earlier this month. 

Squirrelwaffle malware

Figure 2 Squirrelwaffle delivery scheme by Malware Treaffic

Minerva Lab’s Malicious Document Protection module prevents the execution of Squirrelwaffle-like malware, safeguarding the organization from a mass infection:

Malicious Document Protection

IOC’s 

Domains:

Hashes:

  • good.good – 9E27F618EC40BEDBAFBA4FECC1EE84A8 – QakBot
  • good1.good – D5A5FB1FBDFEF257653D08A65AC7730A – QakBot
  • good2.good – 8EC26FF6330BF890190944DE65BD2B6B – QakBot

Resources

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: