fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

QBot Malware Is Back Replacing IcedID In Malspam Campaigns

QBot Malware Is Back Replacing IcedID In Malspam Campaigns

Malware distributors are rotating payloads once again, switching between trojans that are many times an intermediary stage in a longer infection chain.

In one case, the tango seems to be with QBot and IcedID, two banking trojans that are often seen delivering various ransomware strains as the final payload in the attack.

Return to initial payload

Earlier this year, researchers observed a malicious email campaign spreading weaponized Office documents that delivered QBot trojan, only to change the payload after a short while.

In February, IcedID was the new malware coming from the URLs that used to serve QBot. Brad Duncan of Palo Alto Networks caught the change and notes in his analysis at the time:

“HTTPS URL generated by the Excel macro ends with /ds/2202.gif which normally would deliver Qakbot, but today it delivered IcedID” – Brad Duncan

Also Read: Practitioner Certificate In Personal Data Protection: Everything You Need To Know

Threat researcher James Quinn of Binary Defense makes the same observation in a blog post in March, as the company discovered a new IcedID/BokBot variant while tracking a malicious spam campaign from a QakBot distributor.

IcedID started as a banking trojan in 2017 and adjusted its functionality for malware delivery. It has been seen distributing RansomExx, Maze, and Egregor ransomware in the past.

After about a gap of a month and a half, the malware distributor switched the payload back to QBot (a.k.a. QakBot), which has been seen delivering ProLock, Egregor, and DoppelPaymer ransomware in the past.

Malware researcher and reverse engineer reecDeep spotted the switch on Monday, saying that the campaign relies on updated XLM macros.

source: reecDeep

As seen in the screenshot above, the malicious Office file poses as a DocuSign document to trick users into enabling macro support that fetches the payload on the system.

The same trick is seen in the analysis from both Binary Defense and Brad Duncan on the malware distributor’s switch to delivering IcedID in February 2021.

Recently, security researchers at threat intelligence firm Intel 471 published details about EtterSilent, a malicious document builder that’s been gaining in popularity due to its constant development and ability to bypass several security mechanisms (Windows Defender, AMSI, email services).

One feature of the tool is that it can create malicious documents that look like DocuSign or DigiCert-protected files that require user interaction for decryption.

According to Intel 471, multiple cybercriminal groups started to use EtterSilent services, including IcedID, QakBot, Ursnif, and Trickbot.

Also Read: The DNC Singapore: Looking At 2 Sides Better

Contacted by BleepingComputer about the recent switch to QakBot, James Quinn confirmed the campaigns, saying that all evidence points to “a fairly large update to QakBot” that comes with changed decryption algorithms for the internal configuration.

Quinn notes that this breaks the configuration extraction on many samples.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us