Summary

The Hornetsecurity Security Lab has detected usage of XLM macros within XLSB documents to distributed the QakBot malware. Because both XLM macros as well as the XLSB document format being uncommon these new malicious documents have a very low static detection rate by current anti-virus solutions.

Background

QakBot (also known as QBot, QuakBot, Pinkslipbot) has been around since 2008. It is distributed via Emotet, i.e., Emotet will download the QakBot loader onto victims that are already infected with Emotet. But it is also distributed directly via email. To this end, it uses email conversation thread hijacking in its campaigns1, i.e., it will reply to emails that it finds in its victim’s mailboxes. QakBot is known to escalate intrusions by downloading the ProLock ransomware2.

The following timeline shows recent events relating to QakBot:

QakBot event timeline

QakBot’s chain of infection is as follows:

QakBot's chain of infection

QakBot has been using XLM macros (also known as Excel 4 macros) for quiet sometime.

Technical Analysis

On 2020-10-15 at around 12:40 UTC a malspam campaign distributing QakBot using XLSB documents was observed.

XLSB is an Excel Binary Workbook file. Its main use is to make reading from and written to the file much faster and reducing the size of very large spreadsheets. However, with current computing power and storage availability the need for this binary format diminished and today they are seldom used.

Combining this with the ancient and thus also not very well detected XLM macros causes the current documents to not be recognized by any AV listed on VirusTotal:

QakBot XLSB document not detected on VirusTotal

Also common document malware analysis tools such as OLEVBA do not recognize the XLM macros in the XLSB format:

QakBot XLSB document not detected by OLEVBA

Though, support for XLM macros in XLSB files is on OLEVBA’s roadmap3.

Even the tool XLMMacroDeobfuscator (specialized on analyzing malicious XLM macros), which supports the XLSB format4, has problems with QakBot’s XLSB file:

QakBot XLSB document not detected by XLMMacroDeobfuscator

But as usual the bug in XLMMacroDeobfuscator was quickly worked on5.

The QakBot XLSB files are delivered via the classic QakBot email conversation thread hijacking1 in an attached ZIP file:

QakBot email delivering XLSB file

The ZIP file contains the XLSB document, which when opened pretends to be a encrypted by DocuSign and the user needs to “Enable Editing” and “Enable Content” to decrypt it:

QakBot XLSB document

When the user does so a Auto_Open XLM macro in the document is launched, which will download the QakBot loader:

QakBot XLM macro

The URL is a assembled via the XLM macro and pretends to download an PNG file:

QakBot loader download disguised as PNG download

In reality the PNG file is the QakBot loader executable. Hornetsecurity has previously reported on the QakBot loader and follow up malware such as ProLock ransomware2.

Conclusion and Countermeasure

Like the reemergence of the ancient and nowadays less common XLM macros used by malicious actors, the use of the uncommon XLSB documents again leads to lower detection rates by security solutions, which are mostly focused on the more common modern VBA macro malware.

However, Hornetsecurity’s fast response time to new emerging threats and zero-day malware protection provides its customers a robust shield against never-before-seen malspam campaigns and new attack types. Users of Hornetsecurity’s Spam and Malware Protection are protected against the QakBot XLSB document.

References

Indicators of Compromise (IOCs)

Hashes

MD5 Filename
ebd0e8581800059d451ed9969502ba53 Comission_1587332740_10142020.xlsb
80fd1750532ebb8d148cd9916e621dba Comission_1587332740_10142020.zip

URLs

  • hxxp[:]//thomastongralestate[.]com/skywkc/3415201.png

DNSs

  • thomastongralestate[.]com

MITRE ATT&CK

MITRE ATT&CK Tactics and Techniques used by QakBot:

Tactic Technique
TA0001 – Initial Access T1566.001 – Spearphishing Attachment
TA0001 – Initial Access T1566.002 – Spearphishing Link
TA0002 – Execution T1027 – Obfuscated Files or Information
TA0002 – Execution T1059.005 – Visual Basic
TA0002 – Execution T1204.002 – Malicious File
TA0003 – Persistence T1053.005 – Scheduled Task
TA0003 – Persistence T1547.001 – Registry Run Keys / Startup Folder
TA0004 – Privilege Escalation T1053.005 – Scheduled Task
TA0005 – Defense Evasion T1027.002 – Software Packing
TA0005 – Defense Evasion T1055 – Process Injection
TA0005 – Defense Evasion T1055.012 – Process Hollowing
TA0005 – Defense Evasion T1497.001 – System Checks
TA0006 – Credential Access T1003 – OS Credential Dumping
TA0006 – Credential Access T1110.001 – Password Guessing
TA0006 – Credential Access T1555.003 – Credentials from Web Browsers
TA0007 – Discovery T1016 – System Network Configuration Discovery
TA0011 – Command and Control T1071.001 – Web Protocols
TA0011 – Command and Control T1090 – Proxy
TA0011 – Command and Control T1090.002 – External Proxy