In some of the recent incidents involving LNK files, the Qbot DLL payload was followed quickly by the deployment of Cobalt Strike. We also observed operators using BloodHound, an open source tool used to identify attack paths and relationships in Active Directory, to perform reconnaissance in the compromised environment. The speed at which this activity occurred is concerning, as Qbot, Cobalt Strike, and BloodHound are known ransomware precursors. If you see any Qbot activity, we recommend immediately isolating the machine and starting remediation.
- MSI Packages: In our April 2022 Intelligence Insights we shared additional details on new Qbot tradecraft observed by threat researchers. For the first time, Qbot operators were observed using Windows Installer (MSI) packages instead of malicious Microsoft Office macros.
The LNK, MSI, and Microsoft Office document delivery methods all result in a rundll32.exe process executing the Qbot DLL and injecting into Windows Explorer. This means that despite differences in delivery tradecraft, many of the same detection analytics still enable defenders to reliably detect Qbot.
Detection opportunity: Rundll32 executing with uncommon export functions
This detector identifies the Windows DLL Host (rundll32.exe) executing with uncommon export functions. Although LNK file use is new to Qbot, logic that detects suspicious attempts to load DLLs can be leveraged to gain visibility into this behavior, regardless of the specific threat.
process == (
process_command_line_includes == (
Emotet experiments with new infection TTPs
Following the disruption of its operations and infrastructure in January 2021, Emotet operators resumed activity in late 2021, experimenting with AppX bundles to deliver the malware. Since then, we’ve also seen the operators use different delivery methods, including Excel 4.0 macros, and most recently, shortcut (LNK) files.
In late April, Red Canary observed Emotet operators experimenting with these LNK files to deliver their malware. After a weekend of what appeared to be testing, operators began using the LNK files, effectively replacing the Excel 4.0 macros observed in other recent campaigns. Red Canary observed attempts to deliver these LNK files via phishing emails containing password-protected ZIP files. If executed, the LNK files run PowerShell commands that download and execute a payload from an obfuscated URL.
As operators seek new opportunities to improve delivery, it’s likely the community will see Emotet delivered via additional, non-Office document macro methods. We’ve already begun to see this trend with other malware families like Qbot (see above), and anticipate that Emotet operators will also continue to evolve.
Detection opportunity: Base64 method calls in PowerShell
This detection opportunity identifies the use of .NET methods to convert text to and from Base64 encoding in PowerShell. Adversaries use this tradecraft to obfuscate attempts to execute malicious code on an endpoint and evade command line-based detections. This detection analytic may also identify malicious behavior associated with other threats, like Cobalt Strike.
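The two detection opportunities described above (rundll32 with uncommon export functions, and .NET Base64 method calls in PowerShell) as runnable checks over constructed process command lines. This is an added example, not Red Canary's detection logic; the export baseline, the sample command lines and the rule names are assumptions.

```python
"""Added example: the two detection opportunities above as runnable checks
over constructed process command lines. Not Red Canary's analytic; the
export baseline, sample lines and rule names are assumptions."""
import re

# Constructed baseline of rundll32 exports seen in routine Windows use;
# derive the real one from your own telemetry before deploying.
COMMON_EXPORTS = {"control_rundll", "shopenfolderandselectitems",
                  "printuientry", "openas_rundll", "imageview_fullscreen"}
# The .NET Base64 methods the page names, with or without the System. prefix.
B64_METHOD = re.compile(r"\[(?:System\.)?Convert\]::(?:From|To)Base64String", re.I)
EXPORT_ARG = re.compile(r",\s*([#\w]+)")  # rundll32 syntax: <module>,<export>

def process_name(cmdline: str) -> str:
    """Image file name from a raw command line, tolerating quoted paths."""
    parts = cmdline.strip().split()
    return parts[0].strip('"').rsplit("\\", 1)[-1].lower() if parts else ""

def rundll32_uncommon_export(cmdline: str):
    """Export name when rundll32 loads one outside the baseline, else None."""
    if process_name(cmdline) != "rundll32.exe":
        return None
    m = EXPORT_ARG.search(cmdline)
    export = m.group(1).lower() if m else None  # None: no export argument
    return None if export is None or export in COMMON_EXPORTS else export

def powershell_base64_method(cmdline: str) -> bool:
    """True when a PowerShell command line calls From/ToBase64String."""
    if process_name(cmdline) not in ("powershell.exe", "pwsh.exe"):
        return False
    return B64_METHOD.search(cmdline) is not None

def triage(cmdlines):
    """Run both analytics; return (index, rule, detail) for each hit."""
    hits = []
    for i, cmd in enumerate(cmdlines):
        export = rundll32_uncommon_export(cmd)
        if export:
            hits.append((i, "rundll32_uncommon_export", export))
        if powershell_base64_method(cmd):
            hits.append((i, "powershell_base64_method", "Convert::*Base64String"))
    return hits

# Constructed sample telemetry: lines 0 and 3 are benign, 1 and 2 should fire.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
    r"rundll32.exe C:\Users\Public\Documents\sample.dll,PlaceholderExport",
    r"powershell.exe -NoProfile -Command [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGVsbG8='))",
    r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
]
```

Calling `triage(SAMPLE_CMDLINES)` returns one hit for the rundll32 line with the unbaselined export and one for the PowerShell line calling FromBase64String; the Control Panel launch and the plain script execution produce none.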