The stager reads registry entry 3, whose content is another encoded string. Once decrypted, the string is a list of IP address and port pairs. With these held in memory, the stager contacts URLs of the format hxxps[:]//:/zkr?n=qafsdb378960, which take three parameters:

  • The first parameter selects the switch case:
  1. Execute via regsvr32.exe
  2. Execute via Start-Process (exe)
  3. Execute via Invoke-Expression (IEX)
  4. Execute via cmd.exe
  5. Execute via Start-Process (bat)
  6. Execute via Start-Process (vbs)
  • The second parameter controls error handling.
  • The third parameter carries the content of the PE file to be downloaded and executed.
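
As an added example that is not part of the report, the following Python sketch turns the description above into two defender-side checks: flagging the `/zkr?n=` beacon URL in proxy log lines and flagging `powershell.exe` spawning the child processes that correspond to the stager's switch cases. The log line and event formats are constructed, and the mapping of the `.vbs` case to `wscript.exe` is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon path observed in the report: hxxps://<ip>:<port>/zkr?n=<id>
BEACON_PATH = "/zkr"

# Child images that the stager's switch cases can produce under powershell.exe.
# regsvr32.exe and cmd.exe come straight from the report; wscript.exe is an
# assumption for the Start-Process (vbs) case.
STAGER_CHILDREN = {"regsvr32.exe", "cmd.exe", "wscript.exe"}

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url> <status>"
PROXY_LOG = [
    "2021-12-17T10:00:01Z 10.0.0.5 GET https://203.0.113.10:8443/zkr?n=qafsdb378960 200",
    "2021-12-17T10:00:02Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2021-12-17T10:00:03Z 10.0.0.7 GET https://198.51.100.4:443/zkr 200",
]

# Constructed process-creation events (Sysmon-like): parent image and child image
PROCESS_EVENTS = [
    {"parent": "powershell.exe", "image": "regsvr32.exe", "cmdline": "regsvr32.exe /s stage.dll"},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"parent": "powershell.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c stage.bat"},
]


def is_beacon_url(url: str) -> bool:
    """True when the URL path is /zkr and the 'n' query parameter is present."""
    parts = urlsplit(url)
    return parts.path == BEACON_PATH and "n" in parse_qs(parts.query)


def flag_proxy_lines(lines):
    """Return (src_ip, url) for each line whose URL matches the beacon format."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and is_beacon_url(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits


def flag_process_events(events):
    """Return events where powershell.exe spawns one of the stager's execution helpers."""
    return [
        ev for ev in events
        if ev["parent"].lower() == "powershell.exe"
        and ev["image"].lower() in STAGER_CHILDREN
    ]
```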

Conclusion

While we observed this fileless stager deploying only QAKBOT, it can also serve as a stager for other malware. It achieves persistence via a scheduled task, which means it can deploy multiple types of malware as the cybercriminals behind it see fit, with each malware execution triggered by the scheduled task.

There have been instances where QAKBOT tried to hide its tracks by being fileless. However, this is the first time we have encountered a fileless stager of this kind that establishes persistence and is capable of moving laterally and downloading other types of malware, such as ransomware. Security teams are advised to reinforce and enable their monitoring mechanisms for better visibility into fileless malware artifacts, suspicious variables, and malicious processes.

Trend Micro solutions

Users can also opt to protect systems through managed detection and response (MDR), which brings in skilled cybersecurity personnel capable of interpreting data gathered by advanced artificial intelligence and machine learning technology to correlate and prioritize threats and determine whether they are part of a larger attack. Combined with the visibility to track and monitor both malicious and legitimate processes abused by fileless threats and routines in siloed systems, MDR can detect threats before they are executed, preventing further compromise and mitigating the risk of an attack's lateral spread.

Indicators of Compromise (IOCs)

View the full list of IOCs here.

Disclaimer

Trend Micro Inc. published this content on 17 December 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 December 2021 11:58:05 UTC.