TSPY_QAKBOT.PE

This Spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

It connects to certain websites to send and receive information. It prevents users from visiting antivirus-related websites that contain specific strings.

Arrival Details

This Spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Spyware drops the following component file(s):

• {malware path}\{random file name}.dat ← encrypted component
• {malware path}\{random file name}.dll ← encrypted configuration file
• %Windows%\Tasks\{GUID 1}.job (for Windows XP and below) ← executes the malware
• %Windows%\Tasks\{GUID 2}.job (for Windows XP and below) ← executes the Javascript component
• %System%\Tasks\{GUID 2} (for Windows Vista and above) ← executes the Javascript component
• %System%\Tasks\{GUID 1} (for Windows Vista and above) ← executes the malware
• %AppDataLocal%\Microsoft\{random file name}.wpl ← Javascript component

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %User Temp%\{random file name}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\{random}
ImagePath = {malware path}\{malware file name}.exe

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random name} = {malware path}\{malware file name}.exe

It adds and runs the following services:

• DisplayName : "Remote Procedure Call (RPC) Service"
  ImagePath : "{malware path}\{malware name}.exe /D"

Process Termination

This Spyware terminates the following processes if found running in the affected system's memory:

• windbg.exe
• ChromeUpdate.exe
• msdev.exe
• dbgview.exe
• ollydbg.exe
• ctfmon.exe
• Proxifier.exe
• nav.exe

Web Browser Home Page and Search Page Modification

This Spyware modifies the Internet Explorer Zone Settings.

Information Theft

This Spyware monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• tdetreasury.tdbank.com
• cmoltp.bbt.com
• cashmanageronline.bbt.com
• .hsbcnet.com
• ebc_ebc
• blilk.com
• bankeft.com
• cmol.bbt.com
• securentrycorp.zionsbank.com
• tmcb.zionsbank.com
• .web-access.com
• nj00-wcm
• commercial.bnc.ca
• /clkccm/
• paylinks.cunet.org
• e-facts.org
• accessonline.abnamro.com
• providentnjolb.com
• firstmeritib.com
• corporatebanking
• firstmeritib.com/defaultcorp.aspx
• e-moneyger.com
• jsp/mainWeb.jsp
• svbconnect.com
• premierview.membersunited.org
• each.bremer.com
• iris.sovereignbank.com
• /wires/
• paylinks.cunet.org
• securentrycorp.amegybank.com
• businessbankingcenter.synovus.com
• businessinternetbanking.synovus.com
• ocm.suntrust.com
• otm.suntrust.com
• cashproonline.bankofamerica.com
• singlepoint.usbank.com
• netconnect.bokf.com
• business-eb.ibanking-services.com
• cashproonline.bankofamerica.com
• /cashplus/
• ebanking-services.com
• /cashman/
• web-cashplus.com
• treas-mgt.frostbank.com
• business-eb.ibanking-services.com
• treasury.pncbank.com
• access.jpmorgan.com
• tssportal.jpmorgan.com
• ktt.key.com
• onlineserv/CM
• premierview.membersunited.org
• directline4biz.com
• .webcashmgmt.com
• tmconnectweb
• moneymanagergps.com
• ibc.klikbca.com
• directpay.wellsfargo.com
• express.53.com
• ctm.53.com
• itreasury.regions.com
• itreasurypr.regions.com
• cpw-achweb.bankofamerica.com
• businessaccess.citibank.citigroup.com
• businessonline.huntington.com
• /cmserver/
• goldleafach.com
• iachwellsprod.wellsfargo.com
• achbatchlisting
• /achupload
• commercial2.wachovia.com
• commercial3.wachovia.com
• commercial4.wachovia.com
• wc.wachovia.com
• commercial.wachovia.com
• wcp.wachovia.com
• chsec.wellsfargo.com
• wellsoffice.wellsfargo.com
• /ibws/
• /stbcorp/
• /payments/ach
• trz.tranzact.org
• /wiret
• /payments/ach
• cbs.firstcitizensonline.com
• /corpach/
• scotiaconnect.scotiabank.com
• webexpress.tdbank.com
• businessonline.tdbank.com
• /wcmpw/
• /wcmpr/
• /wcmtr/
• tcfexpressbusiness.com
• trz.tranzact.org

It gathers the following data:

• GeoIP locations
• Browser cookies
• Flash cookies
• Network information
• System information
• FTP, POP3, IMAP, SMTP, HTTPMail, NNTP Passwords
• Outlook login credentials
• Private keys from system certificates
• Login credentials for certain websites
• Internet sessions

Other Details

This Spyware connects to the following URL(s) to check for an Internet connection:

• cnn.com
• microsoft.com
• baidu.com
• facebook.com
• yahoo.com
• wikipedia.org
• qq.com
• linkedin.com
• mail.ru
• http://sanjose.speedtest.comcast.net/speedtest/random750x750.jpg?x={random numbers}&y=1
• http://boston.speedtest.comcast.net/speedtest/random750x750.jpg?x={random numbers}&y=1
• http://jacksonville.speedtest.comcast.net/speedtest/random750x750.jpg?x={random numbers}&y=1
• http://houston.speedtest.comcast.net/speedtest/random750x750.jpg?x={random numbers}&y=1

It connects to the following URL(s) to get the affected system's IP address:

• www.ip-adress.com

It connects to the following website to send and receive information:

• projects.{BLOCKED}merytech.com/TealeafTarget.php
• n.abcwd0.seed.{BLOCKED}cureservers.com/TealeafTarget.php
• css.kbaf.{BLOCKED}n.co.uk/TealeafTarget.php

It does the following:

• It checks for the following DLLs in running processes:
  • ivm-inject.dll
  • SbieDll.dll
• It is capable of the following:
  • Download and execute component files
  • Download configuration and updates
  • Download updated copy of itself
  • Uninstall itself
  • Kill processes
  • Upload files containing stolen information
  • Perform FTP functionalities
• It sends the following information to its C&C server:
  • ext_ip
  • dnsname
  • hostname
  • user
  • domain
  • is_admin
  • os
  • qbot_version
  • install_time
  • exe
• It also steals stored passwords, cache and cookies from the following servers:
  • SMTP Email Address
  • SMTP Server
  • POP3 Server
  • POP3 User Name
  • SMTP User Name
  • NNTP Email Address
  • NNTP User Name
  • NNTP Server
  • IMAP Server
  • IMAP User Name
  • Email
  • HTTP User
  • HTTP Server URL
  • POP3 User
  • IMAP User
  • HTTPMail User Name
  • HTTPMail Server
  • SMTP User
  • 001e6607
  • 001e6608
• It also monitors the browsing activities of the infected computer and logs all information related to websites containing the following strings:
  • safebrowsing.google.com
  • geo.query.yahoo.com
  • googleusercontent.com
  • salesforce.com
  • officeapps.live.com
  • storage.live.com
  • messenger.live.com
  • .twimg.com
  • api.skype.com
  • mail.google.com
  • .bing.com
  • playtoga.com
  • .mozilla.com
  • .mozilla.org
  • hotbar.com
  • lphbs.com
  • contacts.msn.com
  • search.msn.com
  • clients.mindbodyonline.com
  • loyaltyconnect.ihg.com
  • .amazonaws.com
  • audatexsolutions.com
  • mail.services.live.com
  • etsy.com
  • .king.com
  • phantomefx.com
  • facebook.com
  • .gator.com
  • doubleclick.
  • zango.com
  • 180solutions.com
  • wildtangent.com
  • webhancer.com
  • tbreport.bellsouth.net
  • spamblockerutility.com
  • internet-optimizer.com
  • .adworldmedia.com
  • seekmo.com
  • r777r.info
  • sipuku.com
  • eorezo.com
  • newasp.com.cn
  • wpzkq.com
  • radialpoint.com
  • owlforce.com
  • .microsoft.com
  • localhost
  • 127.0.0.1
  • securestudies.com
  • farmville.com
  • mybrowserbar.com
  • auditude.com
  • digitalmediacommunications.com
  • mapquest.com
  • kixeye.com
  • myshopres.com
  • conduit-services.com
  • zynga.com
  • .5min.com
  • netflix.com
  • tubemogul.com
  • youtube.com
  • brightcove.com
  • mochibot.com
  • fwmrm.net
  • mendeley.com
• It terminates itself when executed in the following Virtual Environments:
  • VMWare
  • VirtualBox
  • CWSandbox
  • Virtual HD
  • QEMU
  • Red Hat VirtIO
• It checks for the following running process:
  • VBoxTray.exe
  • vmtoolsd.exe
  • vmacthlp.exe
  • metsvc-ser.exe
  • VboxService.exe
  • windump.exe
• It checks if the following anti-virus software is installed:
  • norton
  • AVG
  • kaspersky
  • NOD32
  • Bitdefender
  • Avast
  • Trend Micro
  • Microsoft Security Essentials
• It terminates itself if the malware path/file name contains any of the following strings:
  • sample
  • mlwr_smpl
  • artifact.exe

It prevents users from visiting antivirus-related websites that contain the following strings:

• siteadvisor.com
• avgthreatlabs.com
• safeweb.norton.com