Month: April 2021

Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server

About Qbot: Qbot (also known as Qakbot) is an information stealer that has been active since 2007. It was originally used as a banking trojan, but has since been updated to steal credentials from non-financial sites as well. Qbot has also been observed being used for a variety of other activities, including distributing ransomware. Recently, Qbot has been distributed through spam email campaigns. Specifically, a URL is sent through an email. This URL belongs to a compromised WordPress site controlled by the attacker. The URL redirects to a malicious PHP script that loads…

Analysis of Password Protected Malicious Word Document

Let’s take a look at an example of a malicious Word document that has a password-protected VBA project. When looking at malware, it is a good idea to first verify the file type you are looking at. Many malware authors purposely use deceptive file extensions to appear as benign as possible. Running the “file” command on the sample confirms it is a Word document, as the extension suggests. Our next step is checking the streams for macros using oledump.py. The following three streams have macros in them, indicated by an uppercase “M”. Searching for…