In a phishing campaign observed in December 2022, Qbot used one of the longest chains of stages to reach its malicious payload: the email carries a PDF; clicking the PDF opens a URL that directly downloads a password-protected ZIP file; the ZIP contains an ISO file; once mounted, the ISO presents the user with a WSF file that runs a job containing VBScript and JScript code, which in turn invokes another piece of JScript code.
In this blog post we walk through the analysis of every stage of this attack chain, and then see how to emulate the same techniques to check the efficiency of the security controls and the awareness of employees.
Analysis
1. PDF File
The PDF file attached to the email contains a message that tries to deceive the user into clicking a button to view the "encrypted document".
If the user hovers over the button, or anywhere else in the PDF, they will notice the redirection to a website that downloads a ZIP file. The same data can also be extracted using the peepdf and pdf-parser tools.
peepdf shows that there is a URL object in object number 5.
Extracting this object using pdf-parser reveals the URL the user is redirected to upon clicking anywhere inside the PDF file.
The link inside the PDF directly downloads a compressed file (ZIP format).
2. ZIP File
The ZIP file is a regular password-protected ZIP file; the password, “10900”, is mentioned in the PDF. When the user extracts the ZIP file, it yields an ISO file.
3. ISO File
The resulting ISO file can be extracted using any archive extractor or mounted using any image-mounting utility. From the victim's point of view it is just one click on the file, and Windows mounts it automatically.
The ISO file contains a WSF file and a folder named “flasks”.
4. WSF File
A Windows Script File (WSF) is an XML file capable of combining multiple Windows scripting languages in one file within a defined job. The author can define multiple script tags, each containing code for a specific language, so JScript and VBScript code can run from one file. Qbot used the WSF to run VBScript code and JScript code together in the same job.
The first script tag contains a VBScript function that only reverses the string provided to it. The second script tag contains a JScript function that reads a file, uses the reverse-string function defined in the VBScript to reverse its content, and then executes the result.
4.1 JScript Code | data.txt
The JScript code inside the WSF file reads a file named “data.txt”, reverses its content and executes it.
The following is the content of data.txt
Reversing the string results in the following code
The file contains three simple functions for reading and decoding files.
This code reads the content of tempers.txt, which is encoded as hex bytes. The hex is converted into an ASCII string, which yields a base64 string; decoding that produces a DLL file that is dropped at c:\users\<username>\i.txt and then executed via the rundll32 utility.
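The decoding chain above (reversed stager text, then hex to ASCII to base64 to a DLL) can be replayed statically so an analyst recovers the payload and its SHA1 without ever executing it. This is an added analysis helper, not code from the post or from the Qbot sample; data.txt and tempers.txt contents here are constructed stand-ins, and the "DLL" is only an MZ header with filler.

```python
import base64
import binascii
import hashlib

# Constructed stand-in for data.txt: the WSF's VBScript helper reverses this
# text before the JScript part executes it.
REVERSED_DATA_TXT = ")'txt.srepmet'(daoLnuR"   # reverse of "RunLoad('tempers.txt')"

# Constructed stand-in for tempers.txt: hex -> ASCII gives base64, base64 -> DLL.
# A real sample carries a full PE; here the "DLL" is just an MZ header plus filler.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60
TEMPERS_TXT = base64.b64encode(FAKE_DLL).hex()


def unreverse(text: str) -> str:
    """Mirror the VBScript reverse step to recover the readable stager text."""
    return text[::-1]


def decode_tempers(hex_text: str) -> bytes:
    """hex -> ASCII base64 -> raw bytes, as the three helper functions do, minus rundll32."""
    b64 = binascii.unhexlify(hex_text.strip()).decode("ascii")
    return base64.b64decode(b64, validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: a DLL starts with the MZ DOS header."""
    return blob[:2] == b"MZ"


def triage(data_txt: str, tempers_txt: str) -> dict:
    """Recover the stager text and the embedded payload for offline analysis."""
    payload = decode_tempers(tempers_txt)
    return {
        "stager": unreverse(data_txt),
        "payload_is_pe": looks_like_pe(payload),
        "payload_size": len(payload),
        "payload_sha1": hashlib.sha1(payload).hexdigest().upper(),  # compare against the IOC list
    }


if __name__ == "__main__":
    for key, value in triage(REVERSED_DATA_TXT, TEMPERS_TXT).items():
        print(f"{key}: {value}")
```

On a real sample, feed the actual data.txt and tempers.txt text to triage() and compare payload_sha1 with the dropped-DLL hash in the IOC table.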
IOCs
Value | Type | Description
F259653033CB741FA326442C22F58E23F36A047B | SHA1 | Hash of the PDF file
11DF47A16ED5FB2645CAE2AB10A8F65BE8C0FCAC | SHA1 | Hash of the compressed (ZIP) file
66908DAD3970AC53543E0FE9D15DBD5744D92112 | SHA1 | Hash of the ISO file
B597361729CF1C73234047A8F4B66E19A6734B15 | SHA1 | Hash of the dropped DLL
5C7F19E00FFBA39115375A8466345E5E2EC0D551 | SHA1 | Hash of the WSF file
c:\users\<username>\i.txt | Path | Path of the dropped DLL
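Hash IOCs age quickly, but the behaviour at the end of this chain (wscript.exe running a .wsf, then rundll32 loading a module that is not a .dll, such as i.txt) is a durable detection signal. The following is an added example of that detection logic run over constructed Sysmon-style process-creation events; it is not part of the original post, and the paths and the username "alice" are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "E:\Report.wsf"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\i.txt,DllRegisterServer"),
    ProcEvent("explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),   # benign control-panel launch
]


def rundll32_module(command_line: str):
    """Return the module rundll32 was asked to load (the text before ',entrypoint')."""
    m = re.search(r'rundll32\.exe"?\s+"?([^",]+)', command_line, re.I)
    return m.group(1).strip() if m else None


def detect(event: ProcEvent) -> list:
    """Names of the rules this event matches; an empty list means nothing suspicious."""
    hits = []
    image = event.image.lower()
    parent = event.parent_image.lower()
    cmd = event.command_line.lower()
    if image.endswith("wscript.exe") and ".wsf" in cmd:
        hits.append("wsf_run_by_wscript")
    if image.endswith("rundll32.exe"):
        module = rundll32_module(event.command_line)
        if module and not module.lower().endswith(".dll"):
            hits.append("rundll32_non_dll_module")        # i.txt in the Qbot chain
        if parent.endswith(("wscript.exe", "cscript.exe")):
            hits.append("rundll32_spawned_by_script_host")
    return hits


def scan(events) -> list:
    """Return (command_line, matched_rules) for every event that fires at least one rule."""
    return [(e.command_line, detect(e)) for e in events if detect(e)]


if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS):
        print(rules, "<-", cmd)
```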
Emulation
Emulation is the most reliable method for evaluating the efficiency of security controls and the awareness of employees: by emulating the threat actor's techniques, every line of defense is genuinely measured on its ability to distinguish between malicious and benign content.
Now we will see how to emulate the technique above, and then how to automate it via dPhish.
1. Requirements
The following are the requirements for the emulation:
1. The samples used in the technique.
2. A payload server to host the ZIP file.
3. A DLL file that will be executed. This could be a simple DLL that only sends tracking data to your phishing server.
2. Steps
The process of producing a new, safe sample that still uses the same techniques as the malicious sample consists of three main steps:
1. Replace the malicious binaries with safe binaries.
2. Change the hash of the stagers so they are not detected by signature, which would otherwise undermine the reliability of the emulation.
3. Add your tracker so you know about every action the user takes.
2.1 Replace the malicious content with safe content
In this example we have only three pieces of malicious content: the URL of the ZIP file, the ZIP file itself, and the dropped DLL.
1. For the malicious URL, replace the URL inside the original PDF with a URL that points to your payload server. String replacement is sufficient; there is no need to design the PDF from scratch.
2. Compile a new DLL that does whatever you want. It could contain only a simple tracker, or you can make it a reverse shell; it is up to you, as long as it is delivered and executed through the same non-traditional method.
Convert the DLL to base64, then convert the base64 to a hex string, and place the output in tempers.txt.
3. Changing the DLL and the hashes of the stagers will in turn change the ZIP file.
2.2 Change the hash of the stagers
Email security, endpoint protection and every other security control nowadays has a massive database of malicious payloads, so your sample, including the stagers that are not themselves malicious, must have different hashes. Only then can the test have higher reliability, truly evaluate how well your security controls detect the emulated technique, and differentiate between the efficiency of different vendors.
Accordingly, make some modifications to the following files:
1. WSF File
Change the names of the variables or the job name; you can go further by changing the way the code achieves its objectives.
2. data.txt
Same as the WSF file.
3. The ZIP and ISO files will have different hashes because their content has already changed.
dPhish Emulation
Using the dPhish platform, you can run the emulation, with tracking for every step, in a few clicks.
The following tracking events are supported for this emulation test:
1. Email Sent
2. Email Opened
3. Stager downloaded -> when the ZIP file is downloaded
4. WSF executed
5. Target exploited -> when the DLL is successfully loaded