QBot Cyber Attack Demo

Juniper Threat Labs TopicsSecurity
The words “Qbot Attack Demo” and “Juniper Threat Labs” are displayed with a graphic logo that is a hexagon with a lock inside.

The keys to thwarting QBot malware attacks

Malicious threat actors can wreak havoc on your organization’s network if it’s unprotected. Watch this video to see Juniper Networks’ Connected Security solutions defend against a multistage QBot malware attack.

Show more

You’ll learn

Who is this for?

Security Professionals Network Professionals


0:02 welcome to the Juniper threat Labs

0:04 attack demo series today's subject is

0:06 cubot malware this video will

0:09 demonstrate how malicious threat actors

0:10 conduct this multi-stage malware attack

0:13 but let's first begin with an

0:15 introduction to cubot malware in use by

0:18 malicious threat actors for well over a

0:20 decade cubot also known as quackbot

0:23 began its days wreaking havoc as a

0:25 banking Trojan it has since evolved

0:27 because cubot acts as a downloader it

0:30 has become a means by which malicious

0:31 threat actors can drop additional

0:33 malware onto the victim's system

0:36 for example ransomware gangs such as

0:39 black Basta Revel boned locker egregor

0:42 and mega cortex among others are using

0:45 tools like Cobalt strike and brute ratel

0:48 also known as brc4 following cubot

0:51 malware related Enterprise breaches in

0:54 some cases to begin a ransomware attack

0:55 and others for lateral movement across

0:58 the now breached Network and instill

1:00 others to steal victim credentials

1:03 though intended for use in red team and

1:05 adversary simulations these tools are a

1:07 tremendous Aid to malicious threat

1:09 actors such as these gangs as they're

1:12 effectively weaponized command and

1:13 control center tools further escalating

1:15 the attack surface and Damage Done

1:18 these tools make it possible for

1:20 ransomware as a service gangs to deploy

1:22 beacons on cubot victim systems that can

1:25 home to an attacker-controlled server

1:27 for the purposes of actual trading

1:29 information and or receiving next stage

1:31 instructions

1:33 though in existence since 2007 cubot

1:36 malware is making news now in 2023. in

1:39 recent months there's been an increase

1:41 in this malware being delivered via

1:43 phishing attacks notably the black pasta

1:46 ransomware Gang has been using cubot

1:48 when infiltrating networks in doing so

1:50 these malicious threat actors have

1:52 furthered the attack by installing brute

1:54 Motel as a second stage malicious

1:56 payload finally there has also been news

1:58 of cubot email phishing attacks having

2:01 an attached PDF file that links to a zip

2:03 file archive containing a Windows

2:05 scripting file that is being used to

2:07 install cubot malware and potentially

2:10 other next stage malicious threats in

2:12 fact this is the kind of cubot malware

2:15 attack you are about to see

2:17 here you can see the cubot or crackbot

2:19 attack chain

2:20 the first stage is a phishing campaign

2:22 it begins with an email sent to the

2:24 prospective victim to make it more

2:26 convincing and to seem less like spam

2:28 the email is often in response to a

2:30 legitimate email to which the attacker

2:32 had access it may even use the real

2:35 sender's name except that the sending

2:37 email address has been altered by the

2:38 attacker the email contains a PDF

2:40 attachment the contents of that

2:42 attachment lead the victim to believe

2:44 that something is wrong with the file

2:46 and that in order to view it he or she

2:48 needs to click the download button doing

2:51 so the victim retrieves a zip file with

2:54 a long random number for a name when the

2:56 victim opens the zip archive file he

2:58 extracts a Windows script file or wsf

3:01 file typically a wsf file contains code

3:04 written in jscript and or vbscript that

3:08 is executed when opened when the script

3:10 file is executed it downloads the cubot

3:12 dll in the form of a DOT DAT file the

3:15 dll is executed using run

3:19 dll32.exe in the miter attack framework

3:22 this is an example of system binary

3:24 proxy execution

3:26 the cubot malware then injects itself

3:28 into the Microsoft Windows error

3:30 reporting manager executable

3:33 wermgr.exe allowing it to remain

3:36 persistent on the victim system

3:38 now with the background on qbot Mill

3:40 we're out of the way next up in this

3:42 video Juniper threat Labs demonstrates

3:44 the stages of this attack

3:46 here is an example of a phishing email

3:48 with a PDF attachment sent to the victim

3:50 the attachment name begins with ERC 1337

3:54 if this was a forged reply to a once

3:56 valid email the discussion may have been

3:59 about blockchain or cryptocurrency as

4:01 ERC 1337 means ethereum request for

4:04 comment 1337 and is a technical standard

4:08 stock intended to support businesses

4:09 with decentralized apps or dapps on the

4:12 ethereum blockchain

4:14 and again 1337 is also hacker speak for

4:17 elite as in Elite

4:19 so the file name may just coincidentally

4:21 correspond to something blockchain

4:23 related opening the PDF we the victim

4:26 are shown a message suggesting that

4:28 there is some kind of problem and that

4:30 we need to download the file another way

4:32 when we are duped into doing this the

4:34 hyperlink directs the victim to download

4:36 a zip archive from an

4:38 attacker-controlled server

4:47 the victim then extracts the contents of

4:50 the zip file containing a file named ERC

4:52 underscore f913 underscore m a y 3 dot

4:57 at wsf

4:59 let's look under the hood and examine

5:01 part of this wsf file in more detail

5:04 tries in succession to download the qbot

5:07 malware from each one of the URLs listed

5:09 in the code iterates down through the

5:11 list stopping only after having

5:13 succeeded

5:14 ultimately the script downloads a dll

5:16 masquerading as a dot dot file

5:19 when the victim double clicks on the

5:21 script file we see in the process

5:22 monitor that the process W script.exe is

5:26 spawned

5:30 we also see through Wireshark that it is

5:33 iterating through each of the URLs we

5:35 had shown you in the script file

5:42 [Music]

5:51 next we see the victim downloading the

5:53 malicious cubot.dat file

5:56 and a few moments later

5:58 wrmgr.exe is spawned

6:05 here it is highlighted

6:07 looking into the system's memory we see

6:09 that qbot has been injected into it

6:21 foreign

6:25 we can dump this memory to a file this

6:28 is useful in part because it's already

6:30 unpacked such that most antivirus

6:32 Solutions can examine a file like this

6:39 foreign

6:55 if we upload this memory dump file to

6:58 virus total you can readily see that

7:00 most AV engines identify the file as the

7:03 malicious cubot Trojan

7:28 of course not every anti-malware engine

7:30 detected cubot

7:34 let's now look and see whether or not

7:36 this attack works as successfully with

7:39 the Juniper SRX firewall enhanced with

7:41 protection from Juniper's cloud-based

7:43 Advanced anti-malware solution Juniper

7:45 ATP

7:47 for the demo Juniper threat Labs is

7:49 using the following setup we have a vsrx

7:52 pictured in the center the vsrx is a

7:55 virtual SRX firewall providing network

7:57 security protection its purpose is to

7:59 inspect Network traffic and with the

8:02 assistance of juniper ATP Cloud to

8:04 detect malware like qbot

8:07 in addition to the virtual firewall and

8:09 cloud-based protections we are using

8:11 Juniper's security director which is a

8:13 centralized management system security

8:15 director facilitates our configuring and

8:17 monitoring of the vsrx firewall and we

8:20 are using Juniper's policy enforcer as

8:23 well

8:23 Juniper's policy enforcer enforces

8:26 security policies on endpoints and

8:28 ensures they comply with corporate

8:30 security standards pictured as well are

8:33 several Windows workstations Each of

8:35 which is connected to the vsrx there is

8:38 an Ubuntu Server which is acting as the

8:40 malware download server

8:42 before we proceed an attempt to use the

8:45 cubot malware in an attack with juniper

8:48 connected Security Solutions in place

8:49 providing protection let's first take a

8:52 look at the threat prevention policy

8:53 that we've set up on our security

8:55 director and applied to the vsrx

8:58 to access the policy we'll navigate to

9:00 the configure Tab and then we select

9:02 threat prevention and policies

9:06 as you can see we already have an

9:08 existing policy in place let's further

9:10 inspect the protections being enforced

9:12 by the applied policy

9:14 for this demo our policy is configured

9:16 to block command and control traffic at

9:18 Threat Level 8 and above

9:19 we've also set it up to block infected

9:21 hosts at Threat Level 8 and above

9:24 additionally we've configured our policy

9:27 to use ATP Cloud for malware detection

9:29 and as you can see we've elected to scan

9:31 both HTTP downloads and email

9:33 attachments

9:35 finally we've chosen to block any and

9:37 all threats rated at level 7 and above

9:40 this threat prevention policy applied to

9:43 the Juniper vsrx firewall is a critical

9:46 component of our defenses protecting our

9:48 systems against malware related attacks

9:49 including cubot

9:51 it allows us to detect and block

9:53 malicious traffic as well as the

9:55 activity of potentially infected hosts

9:57 which will then prevent the spread of

9:59 malware throughout our Network in the

10:01 event that one of our systems gets

10:02 compromised

10:04 so to begin we'll log into our Target

10:06 victim system using RDP

10:12 and we'll verify that our target has an

10:14 internet connection by opening a browser

10:16 and going to Wikipedia after all without

10:18 an internet connection the victim's PC

10:20 would be unable to download the cubot

10:22 malware

10:30 as explained earlier for the cubot

10:32 attack our targeted victim was sent a

10:34 phishing email with a PDF attachment and

10:36 opening the victim's email here it is

10:39 next acting as the victim we open the

10:41 malicious PDF attachment

10:43 soon we'll click the malicious download

10:45 URL that's in the file here when we do

10:48 the system will attempt to download the

10:49 zip archive containing the wsf script

10:51 file

10:53 but before we do that let's look what

10:56 happens in Wireshark to monitor what

10:57 happens next

11:02 clicking the download button like URL in

11:04 the PDF the victim's PC retrieves the

11:07 zip archive from the malware server to

11:09 his or her system and opens the folder

11:11 that contains the downloaded zip file

11:20 now here is where the rubber meets the

11:21 road and things get very interesting

11:23 let's see what happens when the victim

11:25 attempts to open the malicious wsf

11:27 script file

11:33 foreign

11:37 popping over to our Wireshark output

11:39 let's see what just happened when our

11:41 would-be victim attempted to extract the

11:43 malicious file

11:47 [Music]

11:49 though the victim extracts the wsf file

11:52 the Juniper connected Security Solutions

11:54 correctly recognized that the script's

11:56 attempt to retrieve the cubot.dat

11:58 payload was malicious activity and

12:01 thankfully the would-be victim was

12:02 prevented from doing so this message

12:04 from the SRX provides pretty much that

12:06 same information if more succinctly

12:09 to show that the attack was detected by

12:11 Juniper we go to Juniper's ATP cloud

12:13 from the monitor tab we navigate to

12:15 files and then to http file downloads

12:19 Atop The resulting list on the right we

12:21 see that there was an attempt to

12:22 download something malicious from

12:25 cinnamonconnection.com.au that was

12:26 detected at Threat Level 10.

12:30 clicking on that topmost row we see

12:33 detailed information about this malware

12:35 including static analysis that Juniper

12:38 performs on the malware

12:42 foreign

12:47 and network activity

12:51 genover ATP also captures behavioral

12:54 details as well as the minor attack

12:57 vectors involved

12:58 and of course Juniper tells the customer

13:00 that the threat detective was a

13:02 malicious cubot Trojan returning to

13:04 security director Cloud we want to see

13:06 what action if any Juniper's policy

13:08 enforcer took on the would-be victims

13:10 system to do so we navigate to the

13:12 monitor tab then under threat prevention

13:14 we choose ATP Cloud hosts and there Atop

13:17 The List is the victim's host

13:19 security director indicates that the

13:21 victim host has been blocked from the

13:22 network as something on it was detected

13:24 at Threat Level greater than equal to

13:26 seven

13:27 of course we know the reason that the

13:29 host was blocked was because that it

13:31 attempted to download the cubot.dat

13:33 malicious file

13:35 to confirm that this PC has been blocked

13:37 from the network we first tried RDP to

13:40 it when that fails we'll try

13:42 unsuccessfully as you'll see to Ping the

13:45 host's IP address

13:49 foreign

13:56 foreign

14:02 [Music]

14:12 once the security admin is sure that the

14:14 qbot impacted host is indeed free from

14:16 infection he or she will want to restore

14:18 the block system back to the network to

14:20 do so she goes to security director and

14:22 clicks on the blocked host and then to

14:24 the right of Investigation status she

14:26 then selects resolve fixed afterwards

14:29 the blocked host will be restored back

14:30 to the network and able to operate as

14:32 before

14:45 now that it is no longer blocked we can

14:47 verify that the host is back online

14:49 let's try to Ping that PC again

14:56 looks like it's up and connected to the

14:58 network so let's try again an RDP to it

15:00 and make sure that the host can use the

15:02 network as well

15:04 bringing up the browser we navigate to

15:06 Wikipedia which demonstrates restored

15:09 connectivity

15:15 after disconnecting the RDP session we

15:17 check one last thing on security

15:18 director that is to show you that the

15:21 restored host has a clean bill of health

15:22 with the threat level of zero

15:26 that completes our demo of cubot malware

15:28 check out more videos from the Juniper

15:30 threat Labs attack demo series by

15:31 visiting juniper.net thanks for watching

Show more