Some malspam campaigns are relying on the QtBot downloader, rather than malicious VBScripts, to help determine whether infected hosts receive Locky ransomware or the Trickbot banking trojan.
Some malspam campaigns are relying on the QtBot downloader, rather than malicious VBScripts, to help determine whether infected hosts receive Locky ransomware or the Trickbot banking trojan.

Researchers from Palo Alto Networks have uncovered a new piece of the puzzle in the case of an ongoing series of malspam campaigns that distribute either Locky ransomware or the Trickbot banking trojan, depending on the victim's geographical location.

This latest discovery comes in the form of QtBot, an intermediate-stage downloader that helps to deliver the final payload, according to a Wednesday blog post from Palo Alto's Unit 42 threat intelligence team. Since Oct. 19, the researchers observed more than 4 million "unique sessions" with QtBot activity, the report states.

Malspam recipients unknowingly download QtBot upon opening malicious Microsoft Office email attachments that are designed to abuse Microsoft Windows' Dynamic Data Exchange (DDE) protocol. This same DDE technique was also observed in a recent spear phishing campaign impersonating the U.S. Securities and Exchange Commission in order to infect victims with DNSMessenger malware.

QtBot in this instance is being used as a replacement for malicious VBScripts that had been used in previous Locky-Trickbot distribution campaigns to query websites that provide geo-IP services in order to pinpoint the geographic region of a particular target, thereby determining the final payload.

Palo Alto has likened QtBot to the Andromeda loader and bot, identifying it as a likely offshoot. Researchers note that both downloader threats exhibit similar anti-analysis behaviors; analyze potential hosts' keyboard language identifiers to avoid infecting machines in former Soviet countries; and use Microsoft's Windows Installer program msiexec.exe for code execution.

Blog post authors Brandon Levene, Brandon Young and Dominik Reichel further describe QtBot as "a Windows executable file that decrypts an importless stub into memory. This payload is later injected into msiexec.exe using common techniques. The payload then decrypts the second stage shellcode and injects it into a newly spawned svchost.exe process. This svchost.exe acts as the handler for the final payload."

The phishing emails serving up QtBot are spawned by the Necurs botnet, and generally trick recipients with generic subject-line lures that suggest the delivery of a financial document or file transfer. After opening a malicious document, users are prompted to click through three dialogue boxes, triggering an HTTP GET request to the command-and-control server, which Unit 42 researchers believe is likely a compromised webhost running a vulnerable version of [the commercial web hosting platform] PLESK." This C&C server then downloads QtBot, which is executed via a PowerShell directive.

"While geographic location specific malware delivery is not a new phenomenon, the combination of two previously disparate malware family affiliates utilizing unified malspam campaigns and droppers is an interesting shift in tactics," concludes the Unit 42 blog post. "QtBot protects itself and the decision tree by which targeting is established and offers a significantly more robust anti-analysis package to stymie analysts."