This blog post was authored by Jérôme Segura and Hossein Jazi.
The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic. As election night ended and uncertainty regarding the results began to creep in, threat actors decided to jump in on it too.
Those tracking the threat landscape know very well that major world events do not go unnoticed by criminals. In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.
The QBot banking Trojan operators return with yet another themed spam wave using the same hijacked email thread technique enticing victims with malicious election interference attachments.
Hijacked email threads pushing bogus DocuSign documents
The malicious emails come as thread replies, similar to what Emotet does to add legitimacy and make detection harder. They contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.
While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference:
Indicators of Compromise
Malicious Excel documents
b500a3c769e22535dfc0c0f2383b7b4fbb5eb52097f001814d8219ecbb3048a1
f2fb3e7d69bf1b8c0c20484e94b20be33723b4715e7cf94c5cbb120b800328da
0282a796dec675f556a0bf888eda0fe84f63558afc96321709a298d7a0a4f8e5
e800b0d95e02e6e46a05433a9531d7fb900a45af7999a262c3c147ac23cd4c10
7dec31d782ab776bcbb51bd64cbbd40039805ad94733d644a23d5cf16f85552c
0bec208127e4a021dccb499131ea91062386126b75d098947134a37e41c4b035
30de8dcd4e894549d6d16edb181dd1a7abec8f001c478cf73baf6075756dc8c2
a8329913c8bbccb86b207e5a851f7696b1e8a120929ca5c0a5709bd779babedf
ef8a17c3bb01d58bfea74a19f6cb8573cfb2d94d9e6159709ac15a7e0860dbce
7ddc225ad0ed91ce90b3bde296c5ce0b4649447fb3f02188e5303e22dc7cb5f0
QBot
china[.]asiaspain[.]com/tertgev/1247015.png
1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c 06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b
QBot C2s
142.129.227[.]86
95.77.144[.]238
MITRE ATT&CK techniques
| Tactic | ID | Name | Details |
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands execution |
| T1106 | Execution through API | Application launched itself | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Persistence | T1050 | New Service | Executed as Windows Service |
| T1060 | Registry Run Keys / Startup Folder | Changes the autorun value in the registry | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Privilege Escalation | T1050 | New Service | Executed as Windows Service |
| T1055 | Process Injection | Application was injected by another process | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Defense Evasion | T1553 | Install Root Certificate | Changes settings of System certificates |
| T1055 | Process Injection | Application was injected by another process | |
| Discovery | T1087 | Account Discovery | Starts NET.EXE to view/change users group |
| T1135 | Network Share Discovery | Starts NET.EXE for network exploration | |
| T1069 | Permission Groups Discovery | Starts NET.EXE to view/change users group | |
| T1012 | Query Registry | Reads the machine GUID from the registry | |
| T1018 | Remote System Discovery | Starts NET.EXE for network exploration | |
| T1082 | System Information Discovery | Reads the machine GUID from the registry | |
| T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
World events are the best lure
At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.
Spam campaigns routinely abuse email delivery notifications (Fedex, DHL, etc.) or bank alerts to disguise malicious payloads. But world events such as the Covid pandemic or the US elections provide ideal material to craft effective schemes resulting in high infection ratios.
Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.
Indicators of Compromise
Malicious Excel documents
b500a3c769e22535dfc0c0f2383b7b4fbb5eb52097f001814d8219ecbb3048a1
f2fb3e7d69bf1b8c0c20484e94b20be33723b4715e7cf94c5cbb120b800328da
0282a796dec675f556a0bf888eda0fe84f63558afc96321709a298d7a0a4f8e5
e800b0d95e02e6e46a05433a9531d7fb900a45af7999a262c3c147ac23cd4c10
7dec31d782ab776bcbb51bd64cbbd40039805ad94733d644a23d5cf16f85552c
0bec208127e4a021dccb499131ea91062386126b75d098947134a37e41c4b035
30de8dcd4e894549d6d16edb181dd1a7abec8f001c478cf73baf6075756dc8c2
a8329913c8bbccb86b207e5a851f7696b1e8a120929ca5c0a5709bd779babedf
ef8a17c3bb01d58bfea74a19f6cb8573cfb2d94d9e6159709ac15a7e0860dbce
7ddc225ad0ed91ce90b3bde296c5ce0b4649447fb3f02188e5303e22dc7cb5f0
QBot
china[.]asiaspain[.]com/tertgev/1247015.png
1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c 06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b
QBot C2s
142.129.227[.]86
95.77.144[.]238
MITRE ATT&CK techniques
| Tactic | ID | Name | Details |
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands execution |
| T1106 | Execution through API | Application launched itself | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Persistence | T1050 | New Service | Executed as Windows Service |
| T1060 | Registry Run Keys / Startup Folder | Changes the autorun value in the registry | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Privilege Escalation | T1050 | New Service | Executed as Windows Service |
| T1055 | Process Injection | Application was injected by another process | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Defense Evasion | T1553 | Install Root Certificate | Changes settings of System certificates |
| T1055 | Process Injection | Application was injected by another process | |
| Discovery | T1087 | Account Discovery | Starts NET.EXE to view/change users group |
| T1135 | Network Share Discovery | Starts NET.EXE for network exploration | |
| T1069 | Permission Groups Discovery | Starts NET.EXE to view/change users group | |
| T1012 | Query Registry | Reads the machine GUID from the registry | |
| T1018 | Remote System Discovery | Starts NET.EXE for network exploration | |
| T1082 | System Information Discovery | Reads the machine GUID from the registry | |
| T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
This tried and tested trick will download a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a Cyrillic-named sheet “Лист3”.
Once executed, the QBot Trojan will contact its command and control server and request instructions. In addition to stealing and exfiltrating data from its victims, QBot will also start grabbing emails that will later be used as part of the next malspam campaigns.
World events are the best lure
At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.
Spam campaigns routinely abuse email delivery notifications (Fedex, DHL, etc.) or bank alerts to disguise malicious payloads. But world events such as the Covid pandemic or the US elections provide ideal material to craft effective schemes resulting in high infection ratios.
Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.
Indicators of Compromise
Malicious Excel documents
b500a3c769e22535dfc0c0f2383b7b4fbb5eb52097f001814d8219ecbb3048a1
f2fb3e7d69bf1b8c0c20484e94b20be33723b4715e7cf94c5cbb120b800328da
0282a796dec675f556a0bf888eda0fe84f63558afc96321709a298d7a0a4f8e5
e800b0d95e02e6e46a05433a9531d7fb900a45af7999a262c3c147ac23cd4c10
7dec31d782ab776bcbb51bd64cbbd40039805ad94733d644a23d5cf16f85552c
0bec208127e4a021dccb499131ea91062386126b75d098947134a37e41c4b035
30de8dcd4e894549d6d16edb181dd1a7abec8f001c478cf73baf6075756dc8c2
a8329913c8bbccb86b207e5a851f7696b1e8a120929ca5c0a5709bd779babedf
ef8a17c3bb01d58bfea74a19f6cb8573cfb2d94d9e6159709ac15a7e0860dbce
7ddc225ad0ed91ce90b3bde296c5ce0b4649447fb3f02188e5303e22dc7cb5f0
QBot
china[.]asiaspain[.]com/tertgev/1247015.png
1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c 06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b
QBot C2s
142.129.227[.]86
95.77.144[.]238
MITRE ATT&CK techniques
| Tactic | ID | Name | Details |
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands execution |
| T1106 | Execution through API | Application launched itself | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Persistence | T1050 | New Service | Executed as Windows Service |
| T1060 | Registry Run Keys / Startup Folder | Changes the autorun value in the registry | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Privilege Escalation | T1050 | New Service | Executed as Windows Service |
| T1055 | Process Injection | Application was injected by another process | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Defense Evasion | T1553 | Install Root Certificate | Changes settings of System certificates |
| T1055 | Process Injection | Application was injected by another process | |
| Discovery | T1087 | Account Discovery | Starts NET.EXE to view/change users group |
| T1135 | Network Share Discovery | Starts NET.EXE for network exploration | |
| T1069 | Permission Groups Discovery | Starts NET.EXE to view/change users group | |
| T1012 | Query Registry | Reads the machine GUID from the registry | |
| T1018 | Remote System Discovery | Starts NET.EXE for network exploration | |
| T1082 | System Information Discovery | Reads the machine GUID from the registry | |
| T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
The extracted file is an Excel spreadsheet that has been crafted as if it were a secure DocuSign file. Users are tricked to allow macros in order to ‘decrypt’ the document.
This tried and tested trick will download a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a Cyrillic-named sheet “Лист3”.
Once executed, the QBot Trojan will contact its command and control server and request instructions. In addition to stealing and exfiltrating data from its victims, QBot will also start grabbing emails that will later be used as part of the next malspam campaigns.
World events are the best lure
At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.
Spam campaigns routinely abuse email delivery notifications (Fedex, DHL, etc.) or bank alerts to disguise malicious payloads. But world events such as the Covid pandemic or the US elections provide ideal material to craft effective schemes resulting in high infection ratios.
Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.
Indicators of Compromise
Malicious Excel documents
b500a3c769e22535dfc0c0f2383b7b4fbb5eb52097f001814d8219ecbb3048a1
f2fb3e7d69bf1b8c0c20484e94b20be33723b4715e7cf94c5cbb120b800328da
0282a796dec675f556a0bf888eda0fe84f63558afc96321709a298d7a0a4f8e5
e800b0d95e02e6e46a05433a9531d7fb900a45af7999a262c3c147ac23cd4c10
7dec31d782ab776bcbb51bd64cbbd40039805ad94733d644a23d5cf16f85552c
0bec208127e4a021dccb499131ea91062386126b75d098947134a37e41c4b035
30de8dcd4e894549d6d16edb181dd1a7abec8f001c478cf73baf6075756dc8c2
a8329913c8bbccb86b207e5a851f7696b1e8a120929ca5c0a5709bd779babedf
ef8a17c3bb01d58bfea74a19f6cb8573cfb2d94d9e6159709ac15a7e0860dbce
7ddc225ad0ed91ce90b3bde296c5ce0b4649447fb3f02188e5303e22dc7cb5f0
QBot
china[.]asiaspain[.]com/tertgev/1247015.png
1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c 06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b
QBot C2s
142.129.227[.]86
95.77.144[.]238
MITRE ATT&CK techniques
| Tactic | ID | Name | Details |
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands execution |
| T1106 | Execution through API | Application launched itself | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Persistence | T1050 | New Service | Executed as Windows Service |
| T1060 | Registry Run Keys / Startup Folder | Changes the autorun value in the registry | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Privilege Escalation | T1050 | New Service | Executed as Windows Service |
| T1055 | Process Injection | Application was injected by another process | |
| T1053 | Scheduled Task | Loads the Task Scheduler COM API | |
| Defense Evasion | T1553 | Install Root Certificate | Changes settings of System certificates |
| T1055 | Process Injection | Application was injected by another process | |
| Discovery | T1087 | Account Discovery | Starts NET.EXE to view/change users group |
| T1135 | Network Share Discovery | Starts NET.EXE for network exploration | |
| T1069 | Permission Groups Discovery | Starts NET.EXE to view/change users group | |
| T1012 | Query Registry | Reads the machine GUID from the registry | |
| T1018 | Remote System Discovery | Starts NET.EXE for network exploration | |
| T1082 | System Information Discovery | Reads the machine GUID from the registry | |
| T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
