QBot Cyber Attack Demo

Juniper Threat Labs | Topic: Security

The keys to thwarting QBot malware attacks

Malicious threat actors can wreak havoc on your organization’s network if it’s unprotected. Watch this video to see Juniper Networks’ Connected Security solutions defend against a multistage QBot malware attack.


Who is this for?

Security professionals, network professionals

Transcript

0:02 welcome to the Juniper Threat Labs

0:04 attack demo series today's subject is

0:06 Qbot malware this video will

0:09 demonstrate how malicious threat actors

0:10 conduct this multi-stage malware attack

0:13 but let's first begin with an

0:15 introduction to Qbot malware in use by

0:18 malicious threat actors for well over a

0:20 decade Qbot also known as Qakbot

0:23 began its days wreaking havoc as a

0:25 banking Trojan it has since evolved

0:27 because Qbot acts as a downloader it

0:30 has become a means by which malicious

0:31 threat actors can drop additional

0:33 malware onto the victim's system

0:36 for example ransomware gangs such as

0:39 Black Basta REvil PwndLocker Egregor

0:42 and MegaCortex among others are using

0:45 tools like Cobalt Strike and Brute Ratel

0:48 also known as BRc4 following Qbot

0:51 malware related enterprise breaches in

0:54 some cases to begin a ransomware attack

0:55 and others for lateral movement across

0:58 the now breached network and in still

1:00 others to steal victim credentials

1:03 though intended for use in red team and

1:05 adversary simulations these tools are a

1:07 tremendous aid to malicious threat

1:09 actors such as these gangs as they're

1:12 effectively weaponized command and

1:13 control center tools further escalating

1:15 the attack surface and damage done

1:18 these tools make it possible for

1:20 ransomware as a service gangs to deploy

1:22 beacons on Qbot victim systems that can

1:25 home to an attacker-controlled server

1:27 for the purposes of exfiltrating

1:29 information and or receiving next stage

1:31 instructions

1:33 though in existence since 2007 Qbot

1:36 malware is making news now in 2023 in

1:39 recent months there's been an increase

1:41 in this malware being delivered via

1:43 phishing attacks notably the Black Basta

1:46 ransomware gang has been using Qbot

1:48 when infiltrating networks in doing so

1:50 these malicious threat actors have

1:52 furthered the attack by installing Brute

1:54 Ratel as a second stage malicious

1:56 payload finally there has also been news

1:58 of Qbot email phishing attacks having

2:01 an attached PDF file that links to a zip

2:03 file archive containing a Windows

2:05 scripting file that is being used to

2:07 install Qbot malware and potentially

2:10 other next stage malicious threats in

2:12 fact this is the kind of Qbot malware

2:15 attack you are about to see

2:17 here you can see the Qbot or Qakbot

2:19 attack chain

2:20 the first stage is a phishing campaign

2:22 it begins with an email sent to the

2:24 prospective victim to make it more

2:26 convincing and to seem less like spam

2:28 the email is often in response to a

2:30 legitimate email to which the attacker

2:32 had access it may even use the real

2:35 sender's name except that the sending

2:37 email address has been altered by the

2:38 attacker the email contains a PDF

2:40 attachment the contents of that

2:42 attachment lead the victim to believe

2:44 that something is wrong with the file

2:46 and that in order to view it he or she

2:48 needs to click the download button doing

2:51 so the victim retrieves a zip file with

2:54 a long random number for a name when the

2:56 victim opens the zip archive file he

2:58 extracts a Windows script file or wsf

3:01 file typically a wsf file contains code

3:04 written in jscript and or vbscript that

3:08 is executed when opened when the script

3:10 file is executed it downloads the Qbot

3:12 DLL in the form of a .dat file the

3:15 DLL is executed using

3:19 rundll32.exe in the MITRE ATT&CK framework

3:22 this is an example of system binary

3:24 proxy execution

3:26 the Qbot malware then injects itself

3:28 into the Microsoft Windows error

3:30 reporting manager executable

3:33 wermgr.exe allowing it to remain

3:36 persistent on the victim system

3:38 now with the background on Qbot malware

3:40 out of the way next up in this

3:42 video Juniper Threat Labs demonstrates

3:44 the stages of this attack

3:46 here is an example of a phishing email

3:48 with a PDF attachment sent to the victim

3:50 the attachment name begins with ERC 1337

3:54 if this was a forged reply to a once

3:56 valid email the discussion may have been

3:59 about blockchain or cryptocurrency as

4:01 ERC-1337 means Ethereum Request for

4:04 Comment 1337 and is a technical standard

4:08 intended to support businesses

4:09 with decentralized apps or dapps on the

4:12 Ethereum blockchain

4:14 and again 1337 is also hacker speak for

4:17 leet as in elite

4:19 so the file name may just coincidentally

4:21 correspond to something blockchain

4:23 related opening the PDF we the victim

4:26 are shown a message suggesting that

4:28 there is some kind of problem and that

4:30 we need to download the file another way

4:32 when we are duped into doing this the

4:34 hyperlink directs the victim to download

4:36 a zip archive from an

4:38 attacker-controlled server

4:47 the victim then extracts the contents of

4:50 the zip file containing a file named

4:52 ERC_f913_may3.wsf

4:59 let's look under the hood and examine

5:01 part of this wsf file in more detail

5:04 it tries in succession to download the Qbot

5:07 malware from each one of the URLs listed

5:09 in the code iterates down through the

5:11 list stopping only after having

5:13 succeeded

5:14 ultimately the script downloads a dll

5:16 masquerading as a .dat file

5:19 when the victim double clicks on the

5:21 script file we see in the process

5:22 monitor that the process wscript.exe is

5:26 spawned

5:30 we also see through Wireshark that it is

5:33 iterating through each of the URLs we

5:35 had shown you in the script file


5:51 next we see the victim downloading the

5:53 malicious qbot.dat file

5:56 and a few moments later

5:58 wermgr.exe is spawned

6:05 here it is highlighted

6:07 looking into the system's memory we see

6:09 that Qbot has been injected into it

6:25 we can dump this memory to a file this

6:28 is useful in part because it's already

6:30 unpacked such that most antivirus

6:32 Solutions can examine a file like this


6:55 if we upload this memory dump file to

6:58 virus total you can readily see that

7:00 most AV engines identify the file as the

7:03 malicious Qbot Trojan

7:28 of course not every anti-malware engine

7:30 detected Qbot

7:34 let's now look and see whether or not

7:36 this attack works as successfully with

7:39 the Juniper SRX firewall enhanced with

7:41 protection from Juniper's cloud-based

7:43 advanced anti-malware solution Juniper

7:45 ATP

7:47 for the demo Juniper Threat Labs is

7:49 using the following setup we have a vSRX

7:52 pictured in the center the vSRX is a

7:55 virtual SRX firewall providing network

7:57 security protection its purpose is to

7:59 inspect Network traffic and with the

8:02 assistance of Juniper ATP Cloud to

8:04 detect malware like Qbot

8:07 in addition to the virtual firewall and

8:09 cloud-based protections we are using

8:11 Juniper's security director which is a

8:13 centralized management system security

8:15 director facilitates our configuring and

8:17 monitoring of the vSRX firewall and we

8:20 are using Juniper's policy enforcer as

8:23 well

8:23 Juniper's policy enforcer enforces

8:26 security policies on endpoints and

8:28 ensures they comply with corporate

8:30 security standards pictured as well are

8:33 several Windows workstations each of

8:35 which is connected to the vSRX there is

8:38 an Ubuntu Server which is acting as the

8:40 malware download server

8:42 before we proceed an attempt to use the

8:45 Qbot malware in an attack with Juniper

8:48 Connected Security solutions in place

8:49 providing protection let's first take a

8:52 look at the threat prevention policy

8:53 that we've set up on our security

8:55 director and applied to the vSRX

8:58 to access the policy we'll navigate to

9:00 the Configure tab and then we select

9:02 threat prevention and policies

9:06 as you can see we already have an

9:08 existing policy in place let's further

9:10 inspect the protections being enforced

9:12 by the applied policy

9:14 for this demo our policy is configured

9:16 to block command and control traffic at

9:18 Threat Level 8 and above

9:19 we've also set it up to block infected

9:21 hosts at Threat Level 8 and above

9:24 additionally we've configured our policy

9:27 to use ATP Cloud for malware detection

9:29 and as you can see we've elected to scan

9:31 both HTTP downloads and email

9:33 attachments

9:35 finally we've chosen to block any and

9:37 all threats rated at level 7 and above

9:40 this threat prevention policy applied to

9:43 the Juniper vSRX firewall is a critical

9:46 component of our defenses protecting our

9:48 systems against malware related attacks

9:49 including Qbot

9:51 it allows us to detect and block

9:53 malicious traffic as well as the

9:55 activity of potentially infected hosts

9:57 which will then prevent the spread of

9:59 malware throughout our network in the

10:01 event that one of our systems gets

10:02 compromised

10:04 so to begin we'll log into our target

10:06 victim system using RDP

10:12 and we'll verify that our target has an

10:14 internet connection by opening a browser

10:16 and going to Wikipedia after all without

10:18 an internet connection the victim's PC

10:20 would be unable to download the Qbot

10:22 malware

10:30 as explained earlier for the Qbot

10:32 attack our targeted victim was sent a

10:34 phishing email with a PDF attachment and

10:36 opening the victim's email here it is

10:39 next acting as the victim we open the

10:41 malicious PDF attachment

10:43 soon we'll click the malicious download

10:45 URL that's in the file here when we do

10:48 the system will attempt to download the

10:49 zip archive containing the wsf script

10:51 file

10:53 but before we do that let's look what

10:56 happens in Wireshark to monitor what

10:57 happens next

11:02 clicking the download-button-like URL in

11:04 the PDF the victim's PC retrieves the

11:07 zip archive from the malware server to

11:09 his or her system and opens the folder

11:11 that contains the downloaded zip file

11:20 now here is where the rubber meets the

11:21 road and things get very interesting

11:23 let's see what happens when the victim

11:25 attempts to open the malicious wsf

11:27 script file


11:37 popping over to our Wireshark output

11:39 let's see what just happened when our

11:41 would-be victim attempted to extract the

11:43 malicious file

11:49 though the victim extracts the wsf file

11:52 the Juniper Connected Security solutions

11:54 correctly recognized that the script's

11:56 attempt to retrieve the qbot.dat

11:58 payload was malicious activity and

12:01 thankfully the would-be victim was

12:02 prevented from doing so this message

12:04 from the SRX provides pretty much that

12:06 same information if more succinctly

12:09 to show that the attack was detected by

12:11 Juniper we go to Juniper's ATP cloud

12:13 from the monitor tab we navigate to

12:15 files and then to http file downloads

12:19 atop the resulting list on the right we

12:21 see that there was an attempt to

12:22 download something malicious from

12:25 cinnamonconnection.com.au that was

12:26 detected at Threat Level 10

12:30 clicking on that topmost row we see

12:33 detailed information about this malware

12:35 including static analysis that Juniper

12:38 performs on the malware


12:47 and network activity

12:51 Juniper ATP also captures behavioral

12:54 details as well as the MITRE ATT&CK

12:57 vectors involved

12:58 and of course Juniper tells the customer

13:00 that the threat detected was a

13:02 malicious Qbot Trojan returning to

13:04 security director Cloud we want to see

13:06 what action if any Juniper's policy

13:08 enforcer took on the would-be victim's

13:10 system to do so we navigate to the

13:12 monitor tab then under threat prevention

13:14 we choose ATP Cloud hosts and there atop

13:17 the list is the victim's host

13:19 security director indicates that the

13:21 victim host has been blocked from the

13:22 network as something on it was detected

13:24 at Threat Level greater than or equal to

13:26 seven

13:27 of course we know the reason that the

13:29 host was blocked was because that it

13:31 attempted to download the qbot.dat

13:33 malicious file

13:35 to confirm that this PC has been blocked

13:37 from the network we first try RDP to

13:40 it when that fails we'll try

13:42 unsuccessfully as you'll see to Ping the

13:45 host's IP address


14:12 once the security admin is sure that the

14:14 Qbot-impacted host is indeed free from

14:16 infection he or she will want to restore

14:18 the blocked system back to the network to

14:20 do so she goes to security director and

14:22 clicks on the blocked host and then to

14:24 the right of Investigation status she

14:26 then selects resolve fixed afterwards

14:29 the blocked host will be restored back

14:30 to the network and able to operate as

14:32 before

14:45 now that it is no longer blocked we can

14:47 verify that the host is back online

14:49 let's try to ping that PC again

14:56 looks like it's up and connected to the

14:58 network so let's try again an RDP to it

15:00 and make sure that the host can use the

15:02 network as well

15:04 bringing up the browser we navigate to

15:06 Wikipedia which demonstrates restored

15:09 connectivity

15:15 after disconnecting the RDP session we

15:17 check one last thing on security

15:18 director that is to show you that the

15:21 restored host has a clean bill of health

15:22 with the threat level of zero

15:26 that completes our demo of Qbot malware

15:28 check out more videos from the Juniper

15:30 Threat Labs attack demo series by

15:31 visiting juniper.net thanks for watching
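The video describes the dropper and the process chain (a .wsf script that walks a list of download URLs, rundll32.exe loading a DLL disguised as a .dat file, and wermgr.exe spawned for injection) but does not show how a defender would check for either. The following is an added example and is not Juniper's code or anything from the video. It does two things: it pulls the candidate payload URLs out of a .wsf dropper for blocking and hunting, and it scores Sysmon-style process-creation events for the lineage the transcript describes. The .wsf text, the event records, the file paths, the hosts under the reserved .invalid domain and the export name "Wind" are all constructed for this example.

```python
"""Added example (not from the Juniper video): static URL triage of a .wsf
dropper plus a process-lineage check for the Qbot chain described in the
transcript: wscript.exe -> rundll32.exe loading a ".dat" DLL -> wermgr.exe.

All sample data below is constructed. Field names follow Sysmon Event ID 1
(ProcessCreate) but every value is invented for this example.
"""
import re

# Constructed .wsf dropper body. Real droppers are obfuscated; this one is
# written plainly so the parsing logic stays readable. The hosts are
# placeholders under the reserved .invalid TLD.
SAMPLE_WSF = r'''<job id="ERC">
<script language="JScript">
var hosts = ["http://dl-a.example.invalid/a/ERC.dat",
             "https://dl-b.example.invalid/b/ERC.dat",
             "http://dl-a.example.invalid/a/ERC.dat"];
for (var i = 0; i < hosts.length; i++) {
  // try each host in turn and stop at the first success
}
</script>
</job>'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def extract_wsf_urls(wsf_text):
    """Return the unique http(s) URLs embedded in a .wsf script, in order of
    first appearance, so each can be blocked at the proxy or hunted in logs."""
    seen, out = set(), []
    for match in URL_RE.finditer(wsf_text):
        url = match.group(0)
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


# Constructed process-creation events. pid 300 is the chain from the video;
# pid 500 is a benign rundll32 use that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\v\Downloads\ERC_f913_may3.wsf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     # export name "Wind" is invented for the example
     "cmdline": r"rundll32.exe C:\Users\v\AppData\Local\Temp\qbot.dat,Wind"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wermgr.exe",
     "cmdline": "wermgr.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions that are not .dll but are routinely used to disguise a DLL.
NON_DLL_EXT = re.compile(r"\.(dat|png|jpg|txt|tmp|log)\b", re.IGNORECASE)


def _basename(image_path):
    return image_path.rsplit("\\", 1)[-1].lower()


def find_qbot_chain(events):
    """Score every rundll32.exe process in `events` against the three traits
    the video describes and return the ones that match at least two:
      - parent is a script host (wscript.exe / cscript.exe)
      - the loaded module has a non-DLL extension such as .dat
      - it spawns wermgr.exe, which legitimately runs under the WER service,
        not under rundll32.exe
    Each finding is {"pid": int, "reasons": [str, ...]}."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) != "rundll32.exe":
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent is not None and _basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("parent_is_script_host")
        if NON_DLL_EXT.search(e["cmdline"]):
            reasons.append("module_has_non_dll_extension")
        if any(c["ppid"] == e["pid"] and _basename(c["image"]) == "wermgr.exe"
               for c in events):
            reasons.append("spawns_wermgr")
        if len(reasons) >= 2:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for url in extract_wsf_urls(SAMPLE_WSF):
        print("payload URL:", url)
    for f in find_qbot_chain(SAMPLE_EVENTS):
        print("suspicious rundll32 pid", f["pid"], "->", ", ".join(f["reasons"]))
```

Requiring two of the three traits keeps a single odd rundll32 argument from paging anyone, while a script-host parent together with a .dat module (the exact shape in the video) is enough to alert before wermgr.exe ever appears. On a real host, feed the function the ProcessCreate events for one boot session so parent/child lookups resolve.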
