QBot malware returns with new techniques in corporate attacks

QBot, a dangerous Windows banking Trojan, is being used in a new series of attacks against corporate targets.

Cybercriminals are using new techniques to distribute the malware, including email phishing scams: infiltrating email conversations and tricking users into downloading a PDF attachment that actually contains a Windows script file.

According to a short report published on Twitter by cybersecurity researcher Cryptolaemus, when executed the file runs PowerShell code that downloads a DLL file containing the QBot Trojan.

The malware can steal passwords and cookies from browsers, access emails, download other payloads, including ransomware such as BlackBasta, and use Cobalt Strike to spread the infection across the network.

---

Indicators of Compromise

URL/IP/HASH
hxxps://bebessi[.]com.tr/Q9QbSi/puangaKPpjD
hxxps://comunidadehebrom[.]com.br/0P16/i4dlZCkHEk
hxxps://theyoungandtheratchet[.]com/IzvO/EuVTmZEBRFw
hxxp://unitedec-eg[.]com/IFU6llZ/cO5RcAa
hxxps://thewatchzonebd[.]com/tkh4PH/SBL8BMSeA2rY
hxxps://blogdocisneiros[.]com.br/GOm/lD1vhf
hxxps://immunoliderazgoyoportunidad[.]com/xqa6Cny/Qt0pPfeBAM
hxxps://cozarqingenieria[.]com.mx/R5Awkh4/JZGpFCLYUsr
hxxps://propertynear.co[.]uk/QyYWyp/XRgRWEdFv
hxxps://graficalevi.com[.]br/0p6P/R94icuyQ
hxxp://rosewoodlaminates[.]com/hea/yWY9SJ4VOH
hxxps://chimpcity[.]com/h7e/p5FuepRZjx
hxxps://kmphi[.]com/FWovmB/8oZ0BOV5HqEX
hxxps://theshirtsummit[.]com/MwBGSm/lGP5mGh
hxxps://capitalperurrhh[.]com/vQ1iQg/u6oL8xlJ
hxxps://agtendelperu[.]com/FPu0Fa/EpN5Xvh
hxxps://centerkick[.]com/IC5EQ8/2v6u6vKQwk8
109.218.86.223:2222
78.130.215.67:443
70.112.206.5:443
12.172.173.82:50001
201.244.108.183:995
96.87.28.170:2222
76.80.180.154:993
95.60.243.24:995
87.202.101.164:50000
86.225.214.138:2222
74.66.134.24:443
72.203.216.98:2222
92.239.81.124:443
37.189.1.102:443
144.64.226.144:443
202.142.98.62:443
12.172.173.82:993
71.171.83.69:443
139.226.47.229:995
197.204.234.123:443
92.1.170.110:995
47.205.25.170:443
37.14.229.220:2222
92.20.204.198:2222
184.161.74.73:443
92.27.86.48:2222
84.215.202.8:443
92.154.17.149:2222
100.10.72.114:443
88.122.133.88:32100
176.171.4.107:2222
78.16.156.25:443
27.99.32.26:2222
86.98.23.66:443
119.82.123.160:443
116.75.63.150:443
103.42.86.42:995
103.212.19.254:995
190.191.35.122:443
12.172.173.82:2087
90.55.106.37:2222
116.72.250.18:443
202.142.98.62:995
122.184.143.83:443
85.241.180.94:443
103.140.174.20:2222
50.68.204.71:995
109.150.179.215:2222
12.172.173.82:465
27.109.19.90:2078
123.3.240.16:995
69.119.123.159:2222
77.126.11.114:443
91.82.133.77:443
74.92.243.115:50000
12.172.173.82:21
73.36.196.11:443
172.115.17.50:443
112.222.83.147:6881
69.133.162.35:443
45.50.233.214:443
27.0.48.233:443
78.192.109.105:2222
178.175.187.254:443
88.164.20.177:21
47.21.51.138:443
43.243.215.206:443
49.245.95.124:2222
12.172.173.82:32101
87.223.89.244:443
188.79.242.89:2222
50.68.204.71:443
84.35.26.14:995
35.143.97.145:995
184.153.132.82:443
76.170.252.153:995
2.82.8.80:443
47.34.30.133:443
81.229.117.95:2222
50.68.204.71:993
103.111.70.66:443
12.172.173.82:22
24.236.90.196:2078
114.143.176.235:443
103.144.201.53:2078
157.119.85.203:443
103.111.70.66:995
202.184.218.218:443
109.154.254.126:2222
125.99.76.102:443
86.195.14.72:2222
80.13.205.69:2222
50.68.186.195:443
176.142.207.63:443
78.69.251.252:2222
213.91.235.146:443
122.186.210.254:443
174.4.89.3:443
75.143.236.149:443
198.2.51.242:993
82.41.36.110:22
75.90.114.237:995
109.11.175.42:2222
151.62.55.207:443
197.0.146.16:443
71.38.155.217:443
12.172.173.82:20
162.248.14.107:443
98.145.23.67:443
86.154.216.221:2222
84.155.13.118:995
70.160.80.210:443
103.113.68.33:443
193.253.100.236:2222
12.172.173.82:995
72.134.124.16:443
108.32.72.145:443
161.142.103.5:995
86.143.119.184:995
197.1.218.172:443
8c30e0e3546829c7c7007b2720151342b945a6593be960cd060cee17829c95cd
d7608b8f684e7465599a4673fefa329de646e38d934dd79e592288c68720bcfa