Red Canary
24/7/365 threat detection and response across your cloud, identity, endpoints and everything in-between. We got you: https://t.co/pFNwBJMvnx

Feb 18, 2022, 6 tweets

Over the past few hours, we’ve observed malicious phishing emails associated with the delivery affiliate TR in multiple customer environments. The infection scheme was consistent, executing in the following pattern: OneDrive phishing page -> ZIP download -> malicious XLSB -> Qbot

The ZIP file and XLSB had names similar to `123 (1).zip/123.xlsb`. The Excel macros downloaded a Qbot binary with an OCX file extension to the TR-specific folder “C:\Watdan” and executed it with the command `regsvr32 C:\Watdan\tle1.ocx`

We observed reconnaissance commands and lateral movement next, and the adversary dropped Cobalt Strike and Bloodhound, common post-exploitation tools, into victims’ environments. This progression of activity is a common ransomware precursor.

#RCIntel wanted to provide some detection opportunities for the community based on this information to empower defenders to respond to this activity in near real-time.

First, we recommend looking for instances of regsvr32 spawning from an excel.exe parent process. Additionally, if regsvr32 spawns an explorer.exe process, this should be prioritized for immediate investigation.

Also look out for rundll32.exe processes with no command-line arguments, with a file modification that contains ‘\pipe’. This could be an indication of Cobalt Strike behavior. It is also suspicious if rundll32 has no CLI arguments and a network connection.
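The four detection opportunities above (regsvr32 spawned by excel.exe, explorer.exe spawned by regsvr32, and argument-less rundll32.exe that either writes a path containing `\pipe` or makes a network connection) as a small rule set run over constructed process telemetry. This is an added example, not Red Canary's detection code; the `ProcessEvent` schema, the rule names and severities, and the sample events are assumptions, and in practice you would map your EDR's fields onto that schema.

```python
"""Process-telemetry rules for the regsvr32/rundll32 behaviors described in the thread.

Added example, not Red Canary's own code. The ProcessEvent schema, rule names and
severities are assumptions; map your EDR/Sysmon fields onto them before use.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path ('C:\\x\\EXCEL.EXE' -> 'excel.exe')."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_no_args(cmdline: str) -> bool:
    """True when the command line is only the executable (quoted or bare), with no arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return False  # unbalanced quote: treat as unknown, do not fire
        rest = s[end + 1:]
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


@dataclass
class ProcessEvent:
    pid: int
    image: str                 # process image path; normalized to lower-cased basename
    parent_image: str          # parent image path; normalized the same way
    cmdline: str
    file_mods: list[str] = field(default_factory=list)  # paths this process created/modified
    net_conns: int = 0                                  # outbound connections attributed to it

    def __post_init__(self) -> None:
        self.image = _basename(self.image)
        self.parent_image = _basename(self.parent_image)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    pid: int


def detect(events: list[ProcessEvent]) -> list[Alert]:
    """Apply the thread's four detection opportunities to a batch of process events."""
    alerts: list[Alert] = []
    for ev in events:
        # 1. regsvr32 launched from Excel (macro -> regsvr32 loading the dropped OCX)
        if ev.image == "regsvr32.exe" and ev.parent_image == "excel.exe":
            alerts.append(Alert("excel-spawns-regsvr32", "medium", ev.pid))
        # 2. regsvr32 spawning explorer.exe: prioritize for immediate investigation
        if ev.image == "explorer.exe" and ev.parent_image == "regsvr32.exe":
            alerts.append(Alert("regsvr32-spawns-explorer", "high", ev.pid))
        # 3/4. rundll32 with no command-line arguments is unusual on its own;
        #      pair it with a '\pipe' file modification or any network connection
        if ev.image == "rundll32.exe" and has_no_args(ev.cmdline):
            if any("\\pipe" in p.lower() for p in ev.file_mods):
                alerts.append(Alert("rundll32-noargs-pipe", "medium", ev.pid))
            if ev.net_conns > 0:
                alerts.append(Alert("rundll32-noargs-network", "medium", ev.pid))
    return alerts


# Constructed sample telemetry mirroring the chain in the thread (not real IoCs).
SAMPLE_EVENTS = [
    ProcessEvent(200, r"C:\Program Files\Microsoft Office\EXCEL.EXE", r"C:\Windows\explorer.exe",
                 r'"EXCEL.EXE" "C:\Users\user\Downloads\123 (1).zip\123.xlsb"'),
    ProcessEvent(201, r"C:\Windows\System32\regsvr32.exe", r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                 r"regsvr32 C:\Watdan\tle1.ocx"),
    ProcessEvent(202, r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(203, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\rundll32.exe"', file_mods=[r"\\.\pipe\EXAMPLE-pipe-name"]),
    # benign-looking: rundll32 with arguments and a network connection does not fire
    ProcessEvent(204, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL", net_conns=2),
    ProcessEvent(205, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe", net_conns=1),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} pid={a.pid}")
```

Running the module prints one alert per matched rule: pids 201, 202, 203 and 205 fire, while pid 204 (rundll32 with arguments) does not. The parent/child rules are cheap to express as exact basename matches; the rundll32 rules depend on your telemetry attributing file and network activity to the process, so they are best run over a short window of events per pid rather than a single process-start record.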
