Demystifying QBot Banking Trojan - Nick Summerlin and Jorge Rodriguez

BSides Belfast · 2020 · 41:29 · 3.3K views · Published 2020-01
Category: Technical
Style: Talk

Transcript [en]

Let's start with just a brief introduction of ourselves. My name is Nick, I'm running the malware intel team at Intel 471. Jorge, myself and the rest of the guys spend all day looking at malware, mostly financially motivated malware, and we're trying to figure out what these guys are doing. We're trying to track their actions in a programmatic way and then analyze the data that we collect. I work at the same place, in Nick's team. This is my first time speaking at BSides, so let's go for it. If you want to talk shop, you can reach me through Twitter 24 hours per day. So, a little overview of

how we've structured the talk. The beginning is answering the question: what is QBot? And I'm glad we put that, because it seems like nobody knows what it is. Second, we'll talk about how QBot works; that's the technical portion, trying to keep it to high-level tactics and procedures and tools used and the functions of the malware. And then finally we're going to talk a little bit more about the vendors that the QBot operators use, because they don't do everything themselves, they outsource some of the work to others. So let's get started. QBot is a modular info stealer, so the main purpose of QBot is to gather information from the infected machine. The modular part means

that they can load additional plugins for additional functionality. So if, for example, they want to turn your machine into a proxy, they just load a UPnP plugin and now your infected machine is a proxy. Or they can load a cookie grabber plugin that steals all the cookies that are saved by all your browsers and ships those back to the back end. QBot first emerged in 2007 according to a report released by Symantec; it's a really good report, in fact, so we trust that this is true. But it hasn't always been showing the same level of activity over the years: some years we've seen low levels of activity, while some years

we've seen, like right now, high activity where the operation is going at full strength. We will be talking about activity from the year 2019 unless we specify otherwise, so everything that we talk about, like how the malware is spread and stuff like that, is relevant to 2019. QBot is financially motivated. It's not an APT, but I would classify it as an advanced threat, and it can also be persistent, but it's not APT in the sense of espionage. It's financially motivated; they're trying to make money using their QBot malware. The current code base actually matches the analysis done in 2011, and what that seems to show is that we're talking about the same malware that was

operating in 2011, which is actually quite impressive because not many malware families have that long of a lifespan, and it's still actively developed to this day. Just a few months ago we saw a new plugin that was released, and we've also seen new functions that were developed as we're tracking this threat. So why QBot, why are we calling it QBot? Again, sorry for the small screenshot, but these are some of the strings that were found in the binary, and I'll read some of them out for you: "qbot version", "qbot configuration path", "qbot run mutex". The authors are calling it QBot and that's why we're calling it QBot. Now some vendors have given it other names like

QakBot and PinkSlipBot, but we're going to stick with QBot because that's what the authors call it. I'd like to give a shout out to some of the previous work that's been done, to give credit where it's due. We've read over these reports here; they're all excellent, it's all really good work that we've built upon to improve our own understanding as well, and to validate things: what we were seeing in 2011, can we see that it's the same now? Again it shows that it's one actor group consistently operating over time. So now we know what QBot is; let's talk about how QBot gets onto your network and onto victim machines. So in 2019

and even 2018, we've seen that the primary delivery mechanism is malspam, so malicious spam either with a link to some other file or with files attached. Sometimes we see JavaScript loaders, we see VBS loaders, we see documents like Office documents with macros. The prevailing theme here is that the QBot operators are continuously making modifications and changes to be able to bypass protection systems, to get onto the machine. An interesting note is that we've seen the same VBS loader used to drop other malware families such as DanaBot, Dridex and Hancitor, which seems to indicate that the QBot operators have purchased a dropper service or purchased

a tool from someone else that other people are also using. So again it shows that the QBot operators will gladly outsource some of the work. One other thing that we've seen is QBot dropped by Emotet. Maybe some people have heard of Emotet? Yeah, a few more hands. This family is really prevalent these days; it's one of the most talked about droppers, and they send new spreading campaigns almost every day of the week and almost all over the world, I mean all the way to China, Latin America, Europe, the United States. Emotet is considered top-tier cyber criminals, and we saw Emotet dropping QBot earlier this year, and this shows that

the QBot operators have access to top-tier cyber criminals that maybe some of the lower-ranking cyber criminals don't have access to, and that makes sense considering how long they've been in the game. So we've talked about what QBot is and how it gets to your machine. I'm going to talk briefly about what happens at the moment that QBot is launched on the machine, and then I'm going to pass it over to Jorge to jump into the details. So QBot launches itself several times to get everything accomplished that it wants to do. In the initial execution, you can't see it here, but it launches itself with a special flag, and then it creates a scheduled task to

run itself again, and this is sort of a privilege escalation to get higher privileges. It's kind of ridiculous that Windows allows you to do that. But finally we see that QBot runs itself from the scheduled task and injects its own copy of the core DLL into explorer.exe, so you won't see some suspicious process name in your task manager; it's running inside explorer.exe, which is presumably running on everybody's Windows machine. And with that I'm going to pass it to Jorge. Alright, so now that we have an overview of the QBot threat, let's dive into the internals. Well, first of all we have to mention that when we find a binary, either through malspam or through Emotet

or through any other means, the sample is packed with a custom packer. They seem to always use the same one, which is polymorphic, so perhaps it works against AV detection. After performing an unpacking we have another layer of protection which thwarts static analysis, and these are just two decryption templates which are pretty straightforward in the code; they are plain XOR schemes with 64-byte keys. But this simple procedure throws a lot of obstacles into static analysis. I think you cannot see it from there, but here we have all the decoded strings, like artifacts of the bot and the messages it logs and so on. So after we have the strings decoded we can jump

into the anti-analysis checks, which QBot does a lot of. It wants to ensure it's not running in a sandbox or a virtualized environment. For detecting them it's going to use the CPUID instruction from the Intel instruction set to detect VMware. It also will check if the sample has been renamed as sample.exe or artifact.exe, so perhaps there are some sandboxes using this profile for submitted samples. And if it does detect it's running in a virtualized environment, it will overwrite the executable with the legitimate Windows calculator, so it sort of erases itself. So we have been discussing the protection of the unpacked sample; this is the QBot loader, and this loader

has many resources, which are the next components in the infection chain. Of these we are interested in the first three. So for ID number one we have the core DLL, which is going to be injected into explorer.exe. All of these resources are protected under two layers: one encryption layer of RC4 and another compression layer of BriefLZ, which is hard to recognize because it has the header changed into a custom one. So you have an unknown compression algorithm with no header; if you don't realize what you are dealing with, the only thing you can do next is to implement it yourself, which is a lot of work and you want to

avoid that at any cost. For IDs 2 and 3, these are the DLLs to be injected into Internet Explorer to perform the banking stealing; we have DLLs here targeting both 32-bit and 64-bit systems. And also the core DLL, which is the one responsible for establishing communications with the command and control and executing commands, has its own resources, listed in this table, and we are going to dive into every one of them in upcoming slides. Just to summarize: ID 8 stands for the on-board configuration, number 10 is a JavaScript loader (QBot has two methods of fetching updated binaries; this is one of them, and we are going to talk about the other one later), and

ID 11 stands for the controller list, used to establish the communication with the backend. For these resources we have only one layer of protection: for the configuration and the controller list there is only the encryption layer of RC4, while in the JavaScript loader we also have the compression layer. The controller list and the on-board configuration are not really huge files, so when the thing gets bigger I guess the QBot operators want to make the executables tinier, so they compress these files. So for the on-board configuration we have up to two different kinds of internal configurations. For the first one we have here the campaign ID and a configuration timestamp. For the campaign ID, let's say

you run multiple campaigns, or you have malspam campaigns and other campaigns with third-party payloads, so on the back end you can keep track of where each bot comes from. The configuration timestamp, we believe, is a timestamp the operators set in the samples for keeping track of when they built them. And here is where the thing gets interesting: those are compromised FTP locations, very likely stolen in previous QBot campaigns. So they use these compromised FTP accounts to upload the stolen data. These are legitimate addresses, so if they run one campaign and steal this FTP access from a user, in upcoming campaigns they are going to upload the

stolen information to this compromised FTP account. Finally, there are some samples which don't have the campaign ID, for example this one, and this is because this is more likely to be an update for QBot, so the campaign ID is going to be inherited from the previous sample. The JavaScript loader is pretty straightforward; it has some obfuscation, but very, very little. It will establish a communication with up to three controllers to essentially fetch an updated QBot. The communication has two layers of encoding and encryption: this is just a simple encoding, and after that we'll have RC4 encryption. Finally, after these two layers, we will have the final QBot executable, but before dropping it to disk the JavaScript

file is going to try some evasion of antivirus, and for doing so it's going to split the fetched binary into the first 1000 bytes in one file and the very rest in another one. This is basically taking the PE header from the executable file away from the rest of the file, so I believe this second file, even if it is uploaded to antivirus vendors, perhaps cannot be analyzed properly; that's to ensure this works. For the last component in the resources of the core DLL we have the controller list, which may have up to 150 controllers per sample, which is a lot. And we can see here controllers listening on many, many ports like

443 or 80, 990 or 995. So, finalizing the internals of QBot, we have here the exported commands, because after establishing communications with the IP controllers, the bot is going to request its tasks and execute some commands, and those commands are listed here. For the sake of simplicity we have only renamed the most used ones, for example "fetch QBot updates" (this is the second method for fetching an updated QBot), "download and load plugins", and also it has lateral movement capabilities which we are going to discuss later. Oh, by the way, the QBot version is also in this data section of the PE. Here we have the

322 version and here the 323; they are different in that this one exports more commands. They are always adding new commands or removing existing ones. So now that we have an overview of the technical internals of the threat, let's try to talk a bit more about the operation. So we started tracking QBot in May 2019 and we have collected all these versions, so we can tell you these guys do code, they do like coding and adding new features. Many of the versions only saw minor updates, but for other ones we have seen new commands, removed commands, and also new methods for data exfiltration. The campaign IDs we were discussing before

in the on-board config allow the operators of the bot to keep track of the infections, the source of the infections. For campaigns SP and SPX, they are for sure delivered through malspam, the spam waves Nick was describing. And for the 888 campaigns, the "EU" here I believe stands for Europe, because this wave was just targeting Europe, so if you had a European IP address you would get this QBot sample. And nowadays there are ongoing QBot campaigns under the SPX campaign ID, and these are incrementing numbers; for example, I think the last one was the spx26 campaign ID.

So we said we have up to 150 controllers per sample, and as we have been tracking this threat since May, we have up to three thousand unique controllers from QBot, which we have plotted in this geo distribution map. I don't know if we have told you this already, but QBot is targeting mainly the US and Canada, so it makes sense for all the controllers to be located in the United States. It will raise less suspicion if you see ongoing connections to IPs in the US. So if you see some connections to Russia or to China, maybe you can flag the traffic as suspicious. Another point is that the first line of

QBot controllers are actually just proxies, and these proxies are made up of infected bots, so they have basically an endless supply of front-end proxies, and that's why we're seeing the front-end proxies located in countries where they focus most of their attention. It's really nice because it hides the backend from prying eyes like us and law enforcement as well, and it's free to them; they're just reusing resources that they already have. So we introduced QBot as a modular information stealer. This means QBot can extend its functionality with additional plugins. So far we have seen these three here. The password grabber has been here since the very beginning of the operation; it will steal credentials

from services like POP3, also SMTP, to use later in the exfiltration process for the stolen data. One really interesting part about the cookie grabber module: the first time we saw this one was in August 2019, and it turns out that the TrickBot group released a cookie module in July 2019. So TrickBot released a cookie grabber module in July and then QBot in August. That makes us think that there is some kind of relationship between the groups, like "hey guys, we have released this module and it's working, it's useful", or perhaps they just saw it and thought to themselves "perhaps we will code another one for us". We don't know. The

last module we want to discuss here is the proxy module, which will make the infected computers part of QBot's infrastructure too. So we have infected systems, newly infected systems, already infected systems acting as proxies, intermediate nodes, and the final QBot backend, with all of these intermediate infra, which is very clever actually: you increase the uptime of the real controllers because you have to take down another set of servers. So let's move now into the stolen data. QBot uses these templates for uploading the data they've stolen from infected users. The fields from the template are highlighted in red; they are self explanatory: time, URL, referrer. They seem to have a

glitch with Windows 10 and its processor, as we can see here. Well, the "ft" field is not very self-explanatory, but it stands for form type. So ft 2 will be data gathered through hooking HTTP or HTTPS requests, so every HTTP site that's visited by the infected user, all the cookies and the site itself, are sent back to the QBot operators, so they can see if you're visiting interesting sites like banking websites that will draw their attention towards you. This is how they find the interesting victims from the, you know, thousands of bots that they have. Notice also another type which is denoted by "KB", which stands for keyboard, so this keylogging technique will

take keystrokes from the program with the window title, so for this case they are keylogging in Chrome, in a Google Chrome window, and this will be the data gathered through the keystrokes. For this one we have some poetic justice, because if you check the kind of report here it's also keyboard, so this data is collected through keylogging, and we have this: "I have an important message for you", this starts, "interesting about my late client bla bla bla, which has a deposit of 10.5 million dollars, so if you want more information I can give you full details, contact Frank at usa.com". So this guy is a scammer whose machine is

infected with QBot. Now for the lateral movement, which we have to discuss because this is like the hot topic now: networks being infected by malware like TrickBot, Emotet, Dridex, QBot; they perform this infection and after that they run through the network. QBot has lateral movement capabilities. It's command 13; it has to be issued for QBot to execute it, and it will take advantage of the NetBIOS protocol to spread through the internal network. To do so it will try to use the administrator account, and in case it has a password, QBot has embedded in one of the resources this password list, to be used against the

administrator account; it's going to brute force its way into another share to basically infect them. Also it has the capability to execute this PowerShell command, which will fetch a PowerShell script from a remote location; in this case it's Dropbox, but it will be another one. This PowerShell script will have two DLLs within the code, and these are Mimikatz DLLs which it could use to try further the administrator account brute force, or just to report to the command and control the passwords stolen through Mimikatz. There are claims by some vendors that QBot may be behind some phishing attacks and ransomware outbreaks; it is not confirmed and we cannot confirm it or deny it, but

it's just a chance you are exposed to if you have QBot activity in your network. So now that we have some overview of the internals and the operation, Nick is going to walk us through the vendor footprint. So what am I talking about with vendor footprint? The QBot operators have done a really good job of staying under the radar: we don't know who they are, we don't know what their handles are. However, we do realize that they extensively use services of vendors in the underground economy, and by investigating those vendors we can see who has connections to the QBot operators and what vendors they're using. So that's what we're going to talk about

next, and this is something that I'm calling the vendor footprint of QBot. One of the services that they use is code signing. Code signing is used by legitimate software vendors to ensure that the software that they release to their users has not been tampered with. So they get a secure key from a company like Comodo or Symantec, then they sign their binaries with this key, and then they release these signed binaries. And the reason why malware authors are interested in code signing is because it can help to bypass protection features of Windows like SmartScreen, which will generally increase the chance that when an end user, a victim,

clicks on the malware or executes the malware in some way, this malware will be allowed to execute on the victim machine. So the QBot operators have used code signing in 2019 and previously before, but they don't do it for everything. So they don't use code signing on updates, but only for the malspam campaigns that they're trying to spread. In our tracking we noticed that, okay, you can't really see it so well, but in about June we saw a lot of code-signed QBot binaries, but then later on we saw none. And these two are kind of anomalous: these are actually older versions that we just hadn't seen before, and then we picked them up later

in our sample collection and processed them. So we're seeing them stop using this tactic. In the early days of QBot, a Symantec report from 2011 suggested that the QBot operators were stealing the signing keys from their victims and using them, but we think that in 2019 the QBot operators are not doing this anymore. We think it's more likely that they're using vendors in the underground economy, and this is a post from an actor in an online forum saying "I'd like to offer you this service: for $300 I will sign your malware and it will look legitimate". And you can see from the screenshots previously, this says, well, it says it cannot be verified

because these certificates were revoked, but at the time that they were spread these were valid and Windows thought that they were valid. Another thing that makes us think that they stopped using stolen keys from their victims and switched to a vendor is that for all of the code-signed samples that we found, the keys were issued to companies in the UK, every single one, and if they were using keys stolen from bots we should see a wider geographic distribution, and because we don't see that, it's another indication that they're using one of these online code signing vendors from the underground. Next I'm going to talk about web injects. I feel like I might need to explain what

a web inject is, so I'll do so briefly. When you're infected with QBot and you go to a website in your browser that interests them, like a banking website or Amazon or something like that, what they can do is this: your browser will request the page, and Amazon, if that's the page, will send a response, and before the browser renders that response they will inject some additional HTML and JavaScript to do things like add additional fields, like "what's your mother's maiden name", "what's your secret question". They'll also try to trick you into giving an authentication token that they can then use to make a transaction like a bank

transfer. And we see the QBot operators using several different vendors for web injects. Web injects are actually not the most simple thing to develop and maintain: you have to have access to the bank's website, you have to spend a lot of time learning how the bank website works, and it's something that a lot of banking Trojans outsource, and QBot, interestingly enough, has outsourced to at least three different vendors, possibly more. The web injects for QBot are mostly targeting the banking sector, financial services, online payments, online shopping. Interestingly enough they're targeting Verizon, which is a telecommunications company, a cell phone company in the United States. Mostly in the United States and Canada, but this can

change at any time, or it could be that we didn't detect the campaign that targeted other regions. So this is sort of what part of a web inject looks like; it's just JavaScript. This one in particular is an ATS engine by an actor called Yummba. Yummba has been around since the early ZeuS days; they're probably the oldest web inject vendor that I know of, and they offer their services for, here you can see, $3,500 for Chase Bank, and that is a complete solution that requires no interaction from the operator; it's the ATS, automatic transfer system. In the case of QBot they're targeting eBay, PayPal and Amazon with this web inject kit. I want to

also make a note about this gate key here. This is the default gate key, that is, when you buy an ATS engine, that's the default gate key that you're given when you set up that software. And I've seen previous researchers say "oh, I've seen this key used by three or four different banking Trojans, there must be some sort of link there", but I think the link would be very weak given that this is the default key, and anyone who purchases the ATS engine and doesn't change the default settings would have that gate key. Now if that gate key were changed, then that would be an indication that there could be a link.

The next one was first mentioned by a former colleague of mine, James Wyke, at Botconf in an excellent talk that he gave about web injects. We still don't know who is behind this web inject pack, but it's been named ing_ing because of variable names that you'll find in it. It's heavily obfuscated; here's some of the less obfuscated code. There are some keywords in here like "admin" and "capaz" that you might be able to recognize if you see this in the wild, and this is what the login panel looks like for the operator. The third vendor that we know of, whose services are purchased by

the QBot operators, is Cactus 1010. Cactus 1010 has a nice service; there's their website where you can shop for web injects by brand, by country. It's on Tor, it's an onion server. This is a screenshot of the panel, what it looks like to the operator; we have this because Cactus provided sample videos on their website. And this is what the login panel looks like; if anyone is following along in investigating web injects, this is how you can tell that you're looking at UPanel. UPanel stands for universal panel, which means you purchase this service and all your web inject needs are met: it can grab tokens, it can

do automatic transfers; it's very capable and it seems to be pretty popular as well. And QBot specifically is using it to target American Express, Verizon and Costco. I have a little bit of time left, so I'd like to talk about two web inject sets, packs, that we found where we don't know who the vendor is. In fact we don't really know anything about it at all, and as far as I know I couldn't find any references to it in open source intelligence. Well, I'm calling it "bucha" simply because they used the name "bucha" a lot; I grepped through the file and found "bucha button", "bucha timer", "bucha main", "bucha popup". So if anyone is

looking at web injects and they've seen this "bucha" stuff, I'd like to talk with you. QBot is using this vendor to target United States banks, big banks in the United States. It's also heavily obfuscated; this is some of the less obfuscated stuff that might be recognizable to someone. And then finally I'll talk about Cortez. Cortez is less sophisticated than the other web injects; it doesn't use any obfuscation at all, everything is completely in clear text. Personally it looks to me like someone's first foray into web injects, like they're just learning, and in fact for QBot they only use it to target a single bank. It could be that other vendors weren't working well with that bank and

maybe they tried their own hand at something that they weren't familiar with, or they outsourced the work to someone who wasn't as experienced as the other vendors. The reason why I called it Cortez is simply because the gate path is called cortez.php; there really wasn't anything else that was unique about it. So for QBot we are able to learn that they have an extensive operation where they use open-source tools, they use their own developed tools, they use a Trojan that they've been using for almost ten years. They continuously develop it, but they're not afraid to use vendors for spreading the malware, for doing web injects and also for bypassing

security solutions with code signing. It's the mark, in my opinion, of a sophisticated group. If anybody wants to play along at home with the samples, we've got some hashes for you. It's kind of pointless to give IOCs of the controllers because they change so often, although I did give the latest domain. Actually it's not the latest domain, it changed; this is one domain that they were using for almost a year for fetching web injects, that's where they were hosting them, behind this domain. It's now cdnmetrics.com; finally someone took it down or something. I'd like to wrap up with just a few words about QBot. Personally I would consider it a high-priority threat

just given the amount of experience that they have and the fact that if you see this on your network they're either going to make money off of your computers by making account transfers, or they can decide to ransom your data, and they have the tools to do a full ransom of all machines in the network. And it's also not a threat that is likely to disappear anytime soon, unless there's some law enforcement operation that I'm not aware of, but given that they've been in the scene for over a decade, I think they're here to stay. And I'd like to invite anyone who's researching QBot to contact us; we're happy to work with

anyone who is doing research into QBot as well. Thanks for your time.
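The resource protection Jorge describes in the talk (an RC4 layer wrapped around a compression layer whose real header has been swapped for a custom one) and the plain XOR string scheme with 64-byte keys are demonstrated below as an added Python example for analysts; it is not code from the talk, from the speakers, or from Intel 471. Everything concrete in it is a constructed assumption: the 64-byte key, the string table, the RC4 key, the `QBRS` magic, and the use of zlib as a stand-in for BriefLZ (the real compression the talk names). What it shows is the analyst's workflow the talk hints at: decode the string table, peel RC4, recognise the custom magic, restore the genuine header, and only then hand the buffer to an off-the-shelf decompressor instead of re-implementing the algorithm.

```python
"""Decoder for a layered malware resource: XOR string table, RC4 layer,
then a compression layer whose magic has been replaced by a custom one.
Added example with constructed data; not QBot's real keys or format."""
import zlib


# ---- String table: plain XOR with a repeating 64-byte key, NUL-separated ----
def xor_decode_strings(blob: bytes, key: bytes) -> list:
    """Decode a XOR-protected string table: byte i is XORed with
    key[i % len(key)] and individual strings are NUL-terminated."""
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return [s.decode("latin-1") for s in plain.split(b"\x00") if s]


def xor_encode_strings(strings: list, key: bytes) -> bytes:
    """Build a constructed protected table (the exact inverse of the decoder)."""
    plain = b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))


# ---- RC4: key scheduling + keystream; symmetric, one routine does both ----
def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA, XOR keystream into data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ---- Compression layer whose real header was replaced by a custom magic ----
# The talk says QBot swaps the BriefLZ header for a custom one. Here zlib
# stands in for BriefLZ and CUSTOM_MAGIC is a constructed placeholder value.
CUSTOM_MAGIC = b"QBRS"            # constructed, not a real QBot value
ZLIB_HEADER = b"\x78\x9c"         # standard zlib header at the default level


def restore_header_and_decompress(buf: bytes) -> bytes:
    """Recognise the custom magic, put the genuine header back, then inflate
    with the stock library instead of re-implementing the algorithm."""
    if not buf.startswith(CUSTOM_MAGIC):
        raise ValueError(f"unexpected magic {buf[:4]!r}: not this scheme")
    return zlib.decompress(ZLIB_HEADER + buf[len(CUSTOM_MAGIC):])


def pack_resource(rc4_key: bytes, payload: bytes) -> bytes:
    """Constructed packer used only to build sample input: compress, swap in
    the custom magic, then RC4-encrypt (mirror image of unpack_resource)."""
    comp = zlib.compress(payload)
    assert comp.startswith(ZLIB_HEADER)
    return rc4(rc4_key, CUSTOM_MAGIC + comp[len(ZLIB_HEADER):])


def unpack_resource(rc4_key: bytes, resource: bytes) -> bytes:
    """Peel the two layers in the order an analyst meets them:
    RC4 first, then the compression layer."""
    return restore_header_and_decompress(rc4(rc4_key, resource))


def demo() -> dict:
    """Round-trip constructed data through both protections."""
    key64 = bytes(range(1, 65))                          # constructed 64-byte key
    table = xor_encode_strings(["run_mutex", "config_path"], key64)
    rc4_key = b"constructed-rc4-key"                     # constructed
    payload = b"MZ" + b"\x00" * 62 + b"core DLL stand-in " * 8   # constructed
    resource = pack_resource(rc4_key, payload)
    return {
        "strings": xor_decode_strings(table, key64),
        "resource_roundtrip": unpack_resource(rc4_key, resource) == payload,
        # Published RC4 known-answer: key "Key", text "Plaintext"
        "rc4_known_answer": rc4(b"Key", b"Plaintext").hex(),  # bbf316e8d940af0ad3
    }


if __name__ == "__main__":
    print(demo())
```

The design point is in `restore_header_and_decompress`: once the custom magic is recognised, two bytes of genuine header turn an "unknown compression with no header" into something a standard library can inflate, which is the shortcut the talk says you want instead of implementing the compressor yourself.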