{"id":3716,"date":"2021-11-15T21:35:30","date_gmt":"2021-11-15T16:05:30","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3716"},"modified":"2021-11-15T21:35:32","modified_gmt":"2021-11-15T16:05:32","slug":"qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/","title":{"rendered":"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle"},"content":{"rendered":"\n
The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle. Squirrelwaffle emerged last month as one of the most likely candidates to fill the void left by the take-down of Emotet, and unfortunately, these predictions are quickly being confirmed.<\/p><\/p>\n\n\n\n
What are the Advance waves of attacks?<\/strong><\/h2>\n\n\n\n
Security researchers at Xiarch have observed a new distribution campaign for QBot relying on Visual Basic Macros (VBA) macros in Microsoft Word documents sent as attachments in phishing emails.<\/p><\/p>\n\n\n\n
Earlier Qbot operations utilized Excel Macros, which are still present in some situations, even if they are more deficient now.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
The victim currently has to manually open the document and \u201cEnable Content\u201d on their Microsoft Office suite to let the macro code execution, dropping a QBot payload on the system.<\/p><\/p>\n\n\n\n
The rest of the process chain hasn’t changed much compared to previous versions, still downloading a DLL file as the core payload and setting the same scheduled task for persistence as before.<\/p><\/p>\n\n\n\n
Qbot is also known to partner with ransomware operations to provide them with initial access to a network. QBot has previously collaborated with ransomware gangs to deploy REvil, Egregor, ProLock, PwndLocker, and MegaCortex strains.<\/p><\/p>\n\n\n\n
We shouldn’t forget that even if these compromises never evolve to file-encryption events, QBot can do significant damage on its own.<\/p><\/p>\n\n\n\n
The additional modules downloaded by the QBot malware can grab browser cookies, passwords, emails, drop Cobalt Strike, enable lateral movement, and turn the infected machine into a proxy for C2 traffic.<\/p><\/p>\n\n\n\n
How they Seated the Cache?<\/strong><\/h2>\n\n\n\n
Sentinel Labs published a report on the rise of the SquirrelWaffle malware loader, linking it directly to QBot, which is dropped as second stage malware. Researchers at Minerva Labs have also drawn a similar conclusion, seeing the following delivery scheme:<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
SquirrelWaffle also uses VBA macros to execute a PowerShell command that retrieves its payload and launches it. Unlike Emotet, who used a wide range of phishing lures, the SquirrelWaffle is not doing a great job creating convincing spam mails, keeping the infections in check.<\/p><\/p>\n\n\n\n
The creation of more convincing phishing emails could be outsourced or quickly resolved by contacting an expert in that part of phishing operations, leading to a more significant number of SquirrelWaffle infections.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle. Squirrelwaffle emerged last month as one of the most likely candidates to fill the void left by the take-down of Emotet, and unfortunately, these predictions are quickly […]<\/p>\n","protected":false},"author":2,"featured_media":3718,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\n
QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle. Squirrelwaffle emerged last month as one of the most likely candidates to fill the void left by the take-down of Emotet, and unfortunately, these predictions are quickly […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-15T16:05:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-11-15T16:05:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/11\/QBot-returns-for-an-Advance-wave-of-Adversaries-by-utilizing-Squirrelwaffle-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle\",\"datePublished\":\"2021-11-15T16:05:30+00:00\",\"dateModified\":\"2021-11-15T16:05:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/\"},\"wordCount\":393,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/\",\"url\":\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/\",\"name\":\"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-11-15T16:05:30+00:00\",\"dateModified\":\"2021-11-15T16:05:32+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/","og_locale":"en_US","og_type":"article","og_title":"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle - Xiarch Solutions Private Limited","og_description":"The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle. Squirrelwaffle emerged last month as one of the most likely candidates to fill the void left by the take-down of Emotet, and unfortunately, these predictions are quickly […]","og_url":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-11-15T16:05:30+00:00","article_modified_time":"2021-11-15T16:05:32+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/11\/QBot-returns-for-an-Advance-wave-of-Adversaries-by-utilizing-Squirrelwaffle-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle","datePublished":"2021-11-15T16:05:30+00:00","dateModified":"2021-11-15T16:05:32+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/"},"wordCount":393,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/","url":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/","name":"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-11-15T16:05:30+00:00","dateModified":"2021-11-15T16:05:32+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/qbot-returns-for-an-advance-wave-of-adversaries-by-utilizing-squirrelwaffle\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"QBot returns for an Advance wave of Adversaries by utilizing Squirrelwaffle"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3716"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3716"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3716\/revisions"}],"predecessor-version":[{"id":3721,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3716\/revisions\/3721"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3718"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"QBot-returns-for-an-Advance-wave-of-Adversaries-by-utilizing-Squirrelwaffle-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/11\/QBot-returns-for-an-Advance-wave-of-Adversaries-by-utilizing-Squirrelwaffle-image1.jpg\")
<\/figure><\/div>\n\n\n\n![\"QBot-returns-for-an-Advance-wave-of-Adversaries-by-utilizing-Squirrelwaffle-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/11\/QBot-returns-for-an-Advance-wave-of-Adversaries-by-utilizing-Squirrelwaffle-image2-1024x535.jpg\")
<\/figure><\/div>\n\n\n\n