Last Updated: 2023-06-22 22:30:03 UTC
by Brad Duncan (Version: 1)
Qakbot using the obama-series distribution tag has been active this week on Tuesday 2023-06-20 (obama269), Wednesday 2023-06-21 (obama270), and Thursday 2023-06-22 (obama271). Today's diary provides indicators from an infection and some samples collected today from the obama271 wave on Thursday 2023-06-22.
Initial Infection Traffic
The initial infection started with an HTTP URL ending in .gif that returned a zip archive. After extracting a .js file from the downloaded zip and running it, we see HTTPS traffic with the domain that returned our Qakbot DLL. Qakbot C2 traffic includes HTTPS requests to legitimate domains like oracle.com as noted below. Finally, we saw Qakbot HTTPS C2 traffic on 142.154.58[.]207 almost eight minutes after the Qakbot DLL was retrieved.
Indicators of compromise (IOCs)
2023-06-22 (THURSDAY): OBAMA271 QAKBOT (QBOT) ACTIVITY
email --> PDF attachment --> link from PDF --> downloaded zip --> extracted .js --> retrieves/runs Qakbot DLL
SIX EXAMPLES OF PDF ATTACHMENTS:
LINKS FROM ATTACHED PDF FILES:
FILES USED FOR AN INFECTION RUN:
File size: 79,478 bytes
Downloaded from: hxxp://rolopom[.]com/alfqtwrbcn/alfqtwrbcn.gif
File name: BSN-1226578580.zip
File description: Zip archive downloaded from link in PDF attachment
File size: 350,611 bytes
File name: BSN-1226578580.js
File description: JS file extracted from the above zip archive
URLS GENERATED BY THE ABOVE .JS FOR QAKBOT DLL:
QAKBOT DLL SEEN DURING THE INFECTION RUN:
File size: 1,405,439 bytes
Downloaded from: hxxp://hevintar[.]com/0.38107541532568295.dat
File location: C:\VPNStors\Krosters\Spote.OCCXX
Run method: rundll32.exe [file name],zertc
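The delivery chain above gives a defender two cheap things to look for in existing telemetry: a download whose URL extension (.gif, .dat) does not match what the body actually is (a zip archive, a PE/DLL), and a rundll32.exe launch that loads a file with a non-DLL extension from a user-writable directory and calls a named export. The script below is an added example, not code from the diary or from malware-traffic-analysis.net. The proxy and process-creation log lines are constructed for the example (their field layout is an assumption); the URLs, file path and export name mirror the indicators listed above.

```python
"""Added example: two log checks for the Qakbot delivery pattern in this diary.
Log formats below are constructed assumptions, not any vendor's real schema."""
import ntpath
import os
from typing import List, Optional, Tuple

# Constructed proxy log: timestamp, method, URL, claimed Content-Type, first 4 body bytes (hex).
PROXY_LOG = """
2023-06-22T13:01:05Z GET hxxp://rolopom[.]com/alfqtwrbcn/alfqtwrbcn.gif image/gif 504b0304
2023-06-22T13:01:06Z GET hxxp://example[.]invalid/logo.gif image/gif 47494638
2023-06-22T13:03:40Z GET hxxp://hevintar[.]com/0.38107541532568295.dat application/octet-stream 4d5a9000
"""

# Constructed process-creation log: timestamp, user, image name, command-line arguments.
PROCESS_LOG = r"""
2023-06-22T13:03:41Z user1 wscript.exe "C:\Users\user1\Downloads\BSN-1226578580.js"
2023-06-22T13:03:44Z user1 rundll32.exe C:\VPNStors\Krosters\Spote.OCCXX,zertc
2023-06-22T13:05:00Z user1 rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
"""

# File signatures (magic bytes, hex) mapped to the real content type.
MAGIC_PREFIXES = [("504b0304", "zip"), ("4d5a", "pe"), ("47494638", "gif")]
# Extensions a URL may legitimately carry for each content type.
EXT_TO_TYPE = {".gif": "gif", ".zip": "zip", ".dll": "pe", ".exe": "pe"}
# Real types worth alerting on whenever the URL claims something else.
ALERT_TYPES = {"zip", "pe"}
# Extensions rundll32 normally loads, and directories where legitimate DLLs live.
LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".ax"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def type_from_magic(hex_prefix: str) -> Optional[str]:
    """Identify the real file type from the first bytes of the response body."""
    hex_prefix = hex_prefix.lower()
    for prefix, ftype in MAGIC_PREFIXES:
        if hex_prefix.startswith(prefix):
            return ftype
    return None


def type_from_url(url: str) -> Optional[str]:
    """File type the URL's extension claims; None for unknown extensions such as .dat."""
    path = url.split("?", 1)[0]
    return EXT_TO_TYPE.get(os.path.splitext(path)[1].lower())


def find_mismatched_downloads(log_text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (url, claimed_type, actual_type) for downloads whose body is an archive
    or PE file while the URL extension says otherwise (.gif -> zip, .dat -> DLL)."""
    hits = []
    for line in log_text.strip().splitlines():
        _ts, _method, url, _ctype, magic = line.split()
        actual = type_from_magic(magic)
        claimed = type_from_url(url)
        if actual in ALERT_TYPES and claimed != actual:
            hits.append((url, claimed, actual))
    return hits


def find_suspicious_rundll32(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (dll_path, export, reasons) for rundll32 launches whose target has a
    non-DLL extension and/or sits outside the trusted program directories."""
    hits = []
    for line in log_text.strip().splitlines():
        _ts, _user, image, args = line.split(maxsplit=3)
        if image.lower() != "rundll32.exe":
            continue
        target = args.strip().strip('"')
        path, sep, export = target.rpartition(",")  # rundll32 syntax: <file>,<export>
        if not sep:                                 # no export named
            path, export = target, ""
        reasons = []
        ext = ntpath.splitext(path)[1].lower()
        if ext not in LOADABLE_EXTS:
            reasons.append(f"unusual extension {ext or '(none)'}")
        if not path.lower().startswith(TRUSTED_DIRS):
            reasons.append("outside trusted program directories")
        if reasons:
            hits.append((path, export, reasons))
    return hits


if __name__ == "__main__":
    for url, claimed, actual in find_mismatched_downloads(PROXY_LOG):
        print(f"[download] {url}: URL claims {claimed or 'unknown'}, body is {actual}")
    for path, export, reasons in find_suspicious_rundll32(PROCESS_LOG):
        print(f"[rundll32] {path},{export}: {'; '.join(reasons)}")
```

Run as-is, the first check flags the .gif URL that really served a zip and the .dat URL that really served a PE file, and the second flags the rundll32 launch of Spote.OCCXX with the zertc export while leaving the shell32.dll launch alone. The magic-byte column is the part that matters: the claimed Content-Type is attacker-controlled, so a real deployment should take the first bytes from the proxy's own body capture, not from the response headers.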
A pcap of the infection traffic, along with the associated malware and artifacts, can be found here.
brad [at] malware-traffic-analysis.net
Last Updated: 2023-06-22 07:12:39 UTC
by Johannes Ullrich (Version: 1)
Apple released iOS, macOS, and watchOS updates, patching three vulnerabilities already being exploited. Two vulnerabilities affect WebKit, leading to a Safari patch for older operating systems.
The two WebKit issues (CVE-2023-32439 and CVE-2023-32435) can be used to execute arbitrary code as a user visits a malicious web page. The third vulnerability, CVE-2023-32434, can be used to elevate privileges after the initial code execution.
See below for affected operating systems. Apple does not provide CVSS scores, so we asked ChatGPT to fill them in.
Updates released (table columns): Safari 16.5.1, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, watchOS 9.5.2, watchOS 8.8.1

CVE-2023-32439 [critical] ChatGPT-CVSS: 9.8 (Critical) *** EXPLOITED *** WebKit
A type confusion issue was addressed with improved checks.
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVE-2023-32434 [important] ChatGPT-CVSS: 8.8 *** EXPLOITED *** Kernel
An integer overflow was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CVE-2023-32435 [critical] ChatGPT-CVSS: 7.8 *** EXPLOITED *** WebKit
A memory corruption issue was addressed with improved state management.
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.