Trojan Hunted at a Medical Center

The Network: A medical care organization operating with more than 6,000 endpoint devices across 8 sites.

The Expectation: Email communication is safe to use in business and healthcare correspondence, and users follow security and phishing best practices. Healthcare organizations such as the medical center invest accordingly to ensure compliance with mandates such as HIPAA. Given that cyber criminals will exploit every possible threat vector, constant detection and response is needed.

The Catch: Netsurion’s Security Operations Center (SOC) team monitored and detected the anomalous behavior related to Command & Control (C&C) connections and local user account enumeration attempts using advanced real-time alerts.

Based on the log analysis, the SOC analyst hunted the trojan, which had been configured to persist on the host, and advised the healthcare customer on threat response and remediation.

Incident Summary

Type of Incident Detected
  Type/Function: Trojan (QBot)
Investigation Details
  Target Machine (Managed/Unmanaged): Windows 7 host on VMware (Windows 7 reached Microsoft End-of-Support in 2020)
  Incident Timeline: 6/1/2022 11:57:18 AM EST – 6/1/2022 06:00:00 PM EST
  Threat Source and Type: Weaponized Microsoft Excel document / Trojan
  Connection details (allow, deny, byte transfer, direction): Allowed and blocked based on Netsurion’s SOC recommendations
  Security Gaps:
    • User awareness training on handling emails from unknown sources.
    • No proper controls on spam email filtering.
  Integration Gaps: No integration gaps
  Anti-Virus Solution Used by the Medical Center: Trend Micro Deep Security
  Determined Impact (Data Exfiltration): Local user account enumeration, outbound network connection attempts to botnet IP addresses. Data exfiltration was prevented.

The Find: Netsurion performed further forensics and identified that the threat was initiated by a malicious Microsoft Excel document. The attacker’s objective was to use a Visual Basic Script (VBScript) to launch highly sophisticated tactics to steal user information and then carry out a high-level attack using the pilfered data.

Based on the assessment, the SOC analyst identified the trojan as the QBot or Qakbot family of malware. QBot is a large and modular family of trojans in use since 2007. While initially used as a banking trojan, it has since evolved to become utility malware to perform reconnaissance, move laterally, exfiltrate data, or deliver dangerous payloads. A wide variety of cyber criminal gangs use QBot.

The anatomy of the detected threat is as follows:

[Figure: QBot Threat Chain Detected by Netsurion’s SOC Experts]

The Trigger Point: The SOC identified both the C&C and enumeration attempts using the real-time alerts below, which are based on threat intelligence sources and known exploit patterns. Threat actors perform enumeration to gather user and machine names as well as network and system details.

  1. A suspicious exploit attempt detected
  2. A process connected to an unsafe IP address

ATT&CK Detections: The MITRE ATT&CK framework of real-world attacker tactics, techniques, and procedures (TTPs) is built into Netsurion’s Managed Threat Protection platform. These ATT&CK insights help Netsurion analysts perform structured threat hunting based on Indicators of Attack (IoA) to connect the missing dots and uncover similar patterns across the organization for a more comprehensive threat response.

Details of the Investigation: The SOC detected the suspicious outbound connection and exploit attempt on a VDI-based host. The customer was promptly notified of the threat and provided with guided remediation.

Qbot Trojan

Initial Access: The threat actor gained access through a Visual Basic script embedded in a Microsoft Excel file delivered by spearphishing.

[Figure: Initial Access]

Execution and Persistence: The attacker persisted on the host by storing the compiled Visual Basic script as a registry entry and injecting a malicious DLL into Mobsync.exe.

[Figure: Execution and Persistence]

Discovery: The process Mobsync.exe in turn launched the built-in Windows network administration tools whoami.exe, ARP.exe, Ipconfig.exe, net.exe, Route.exe, and NETSTAT.exe to perform multiple discovery operations, as shown below.

[Figure: Discovery]

The SOC analyst detected and blocked the attacker’s discovery operation while the enumeration attempts were underway.

Command & Control (C&C): The weaponized Mobsync.exe attempted to connect to multiple C&C servers across different countries. This suspicious activity was promptly detected by Netsurion’s SOC.

Cyber Kill Chain Summary: The Netsurion SOC’s quick response neutralized the nefarious trojan activity before damage was done.

[Figure: Kill Chain]

The Fix: The SOC identified the root causes of the trojan infection as a user opening a weaponized Excel document delivered by spearphishing and an outdated Operating System (OS) in use at the healthcare organization. Netsurion provided the following guided remediation to assist the healthcare organization in reducing QBot impacts:

  • Isolate the infected devices
  • Disable accounts
  • Scramble passwords
  • Upgrade to the most current Operating System and keep systems patched
  • Disable default network discovery
  • Ensure all workstations and servers are actively being monitored and managed
  • Implement network segmentation if not already in place
  • Enhance focus and training on email security, including spearphishing awareness, since this is a significant preventative measure

The SOC then updated the Netsurion Threat Center to include the Indicators of Compromise (IoCs) and further protect all its managed customers.

The Lesson: Ensure that Operating Systems are up-to-date since cyber criminals use malware like QBot to target vulnerable systems. Customers should bolster their email security since more than 70% of malware targets endpoints and lax user processes. Continuous detection and response from Netsurion’s 24/7/365 SOC ensure holistic visibility and a rapid investigation. Finally, Netsurion’s effective threat hunting team proactively uncovers malware like trojans and their many stealthy variants. Learn more about how Netsurion protects against advanced threats like QBot.

Category | Type | Value
Command & Control (C&C) server | IP Address | 136.143.11.232
Payload | MD5 | B9628B013C6942437332A8EBF0E51AC3
Payload | MD5 | 6738D99E716C0BF2FA5D485A6FBCECE0
Command Execution
Command Line Creator Process | Command Line | Application Name
EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" /Embedding | EXCEL.EXE
mobsync.exe | C:\Windows\SysWOW64\mobsync.exe | mobsync.exe
mobsync.exe | net localgroup | net.exe
mobsync.exe | netstat -nao | NETSTAT.EXE
mobsync.exe | route print | ROUTE.EXE
mobsync.exe | net share | net.exe
mobsync.exe | nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._domain | nslookup.exe
mobsync.exe | net view /all | net.exe
mobsync.exe | ipconfig /all | ipconfig.exe
mobsync.exe | arp -a | ARP.EXE
mobsync.exe | cmd /c set | cmd.exe
mobsync.exe | whoami /all | whoami.exe
regsvr32.exe | C:\Windows\SysWOW64\mobsync.exe | mobsync.exe
EXCEL.EXE | regsvr32 C:Remevch3.ocx | regsvr32.exe
EXCEL.EXE | regsvr32 C:Remevch2.ocx | regsvr32.exe
regsvr32.exe | C:\Windows\SysWOW64\mobsync.exe | mobsync.exe
EXCEL.EXE | regsvr32 C:Remevch1.ocx | regsvr32.exe
EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" /Embedding | EXCEL.EXE
csrss.exe | ??C:\Windows\system32\conhost.exe "16601605855187146543724062536 23151691960740387-216275488-16409946351391149806" | conhost.exe
EXCEL.EXE | C:\Windows\splwow64.exe 8192 | splwow64.exe
explorer.exe | "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" | EXCEL.EXE
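The Execution/Persistence and Discovery sections and the command-execution table above describe a process chain (Excel → regsvr32 with an .ocx → mobsync.exe → a burst of built-in discovery tools) that a defender can hunt for in process-creation telemetry. The following is an added example, not Netsurion's tooling; the event field names (parent, image, cmdline), the list of Office images, the burst threshold and the .ocx path are assumptions, and the sample events are constructed from the table above.

```python
from collections import defaultdict

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}   # assumption: common Office hosts
DISCOVERY_TOOLS = {"net.exe", "netstat.exe", "route.exe", "nslookup.exe",
                   "ipconfig.exe", "arp.exe", "whoami.exe"}     # tools listed in the table
BURST_THRESHOLD = 3   # assumption: 3+ distinct discovery tools from one parent is a burst

# Constructed process-creation events modelled on the case study's table
# (field names are assumptions; the .ocx path is a placeholder, not the real one).
EVENTS = [
    {"parent": "EXCEL.EXE", "image": "regsvr32.exe", "cmdline": "regsvr32 C:\\PLACEHOLDER\\loader.ocx"},
    {"parent": "regsvr32.exe", "image": "mobsync.exe", "cmdline": "C:\\Windows\\SysWOW64\\mobsync.exe"},
    {"parent": "mobsync.exe", "image": "net.exe", "cmdline": "net localgroup"},
    {"parent": "mobsync.exe", "image": "NETSTAT.EXE", "cmdline": "netstat -nao"},
    {"parent": "mobsync.exe", "image": "whoami.exe", "cmdline": "whoami /all"},
    {"parent": "mobsync.exe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"parent": "EXCEL.EXE", "image": "splwow64.exe", "cmdline": "C:\\Windows\\splwow64.exe 8192"},  # benign print helper
]

def office_spawned_regsvr32_ocx(events):
    """Office process registering an .ocx control: the loader step of this chain."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_IMAGES
            and e["image"].lower() == "regsvr32.exe"
            and ".ocx" in e["cmdline"].lower()]

def regsvr32_children(events):
    """regsvr32.exe normally launches nothing; any child process is worth a look."""
    return [e for e in events if e["parent"].lower() == "regsvr32.exe"]

def discovery_bursts(events, threshold=BURST_THRESHOLD):
    """Parents that launched at least `threshold` distinct built-in discovery tools."""
    tools_by_parent = defaultdict(set)
    for e in events:
        if e["image"].lower() in DISCOVERY_TOOLS:
            tools_by_parent[e["parent"].lower()].add(e["image"].lower())
    return {p: sorted(t) for p, t in tools_by_parent.items() if len(t) >= threshold}

def hunt(events):
    """Human-readable findings for the chain: Office -> regsvr32 -> host process -> discovery."""
    findings = []
    for e in office_spawned_regsvr32_ocx(events):
        findings.append(f"loader: {e['parent']} ran {e['cmdline']}")
    for e in regsvr32_children(events):
        findings.append(f"regsvr32 spawned {e['image']}")
    for parent, tools in discovery_bursts(events).items():
        findings.append(f"discovery burst from {parent}: {', '.join(tools)}")
    return findings
```

Run `hunt(EVENTS)` against your own EDR or Sysmon Event ID 1 export after mapping its fields to parent/image/cmdline; the benign splwow64.exe child of Excel is deliberately left unflagged.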