Qakbot 🐎 ->Prolock ☠️-> Egregor 👹

Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.

First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock. Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe.

Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand was at $4 million worth of BTC till now.

Egregor operators in a spam of 3 months have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.

Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password.Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.

The use of CobaltStike and QakBot is to watch when hunting for Egregor. More threat hunting and detection tips from Group-IB DFIR team as well as a detailed technical analysis of Egregor operations are available in Group-IB’s blog.

Bazar Backdoor 🚪✴️

TrickBot trojan has survived the massive takedown operation! While the trojan is set to reboot its operations with a new bunch of backend infrastructure, the operators are making headway with another creation dubbed BazarLoader/BazarBackdoor.

BazarLoader is the newest preferred stealthy covert malware added to the TrickBot group toolkit arsenal. It came to the limelight in July when researchers were investigating a particular attack campaign against targets across the U.S. and Europe. BazarLoader consists of two components: a loader and a backdoor.

The malware uses legitimate file-sharing services, as well as phishing emails, as part of the infection chain. The group behind the malware takes advantage of certificate signing to evade antivirus and software products.

Key Strengths

  • BazarLoader’s strength lies in its stealthy core component and obfuscation capabilities. Such obfuscation qualities allow the crime group to maintain persistency on the host even if the third-party software gets detected by antivirus software. 
  • Moreover, the ingenious use of blockchain by BazarLoader operators displays their ability to abuse legitimate services for nefarious activities. 

Essence

Loaders are becoming an essential part of any cybercrime campaign. They start the infection chain by distributing the payload. In essence, they deploy and execute the backdoor from the C2 server and plant it on the victim’s machine.

BazarLoader demonstrates tha alarming trend. Furthermore, the abuse of legitimate services and digital signatures for obfuscation represents the widespread use of deception techniques

Lauda (Loda) RAT

Lauda RAT is a RAT (Remote Access Trojan) that has been working as malware analysts in recent years and was first spotted back in 2017. The Lauda RAT is a simple RAT, but that does not mean that it cannot work. This trojan is written in the AutoIT programming language, which is not uncommon. Once the LODA RAT compromises a system, it is able to perform a long list of tasks.

Loda RAT appears to primarily target users in the United States, Central America, and South America. The creators of Loda RAT are promoting it through fake emails that link users to a link that will launch a fake page that relates to the attackers. This page hosts various macro-laced documents that are designed to target a known vulnerability – CVE-2017-11882. Upon infecting the target computer, Loda RAT will establish a connection with its operators’ C&C (Command and Control) server.

The abilities

Once the Loda RAT is successfully connected to the C&C server, it will wait for commands from the attackers. Lauda can collect information such as RAT password and login credentials. In addition to collecting login credentials, Loda RAT can also:

  • Take screenshots of the user’s desktop and active window.
  • Launch a keylogger that will collect keystrokes.
  • Use the victim’s microphone to record audio.

Recently, the creators of Loda RAT have updated this trojan to include several self-preservation features. Loda RAT code has been circumvented to avoid detection by anti-malware tools. Code bottlenecks make it even more difficult for cyber security researchers to study threats. Lauda can also scan processes running on the RAT compromised system and detect whether an anti-virus application is running. Loda RAT persistence on compromised computers using two common tricks:

  • It uses the Windows Task Scheduler to ensure that its components will start with Windows.
  • It inserts a new Autorun Windows registry key that commands Windows to execute Loda RAT at launch.

Red Dawn 👹 Emotet 🎃

The notorious Emotet went into the dark since start ofc 2020, but after months of inactivity, the infamous trojan has surged back in 2nd half of this year with a new massive spam campaign targeting users worldwide.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be invoices, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

Upon opening the documents, they will prompt a user to ‘Enable Content’ to execute that malicious embedded macros that will start the infection process that ends with the installation of the Emotet malware.

Emotet botnet

To trick a user into enabling the macros, Emotet botnet operators use a document template that informs them that the document was created on iOS and cannot be properly viewed unless the ‘Enable Content’ button is clicked.

The Red Dawn template displays the message “This document is protected” and informs the users that the preview is not available in the attempt to trick him/her to click on ‘Enable Editing’ and ‘Enable Content’ to access the content.

Emotet malware is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet continues to be one of the most widespread botnets and experts believe it will continue to evolve to evade detection and infect the larger number of users as possible.