2018-02-08 - RETURN OF QUANT LOADER: MALSPAM USING PDF FILES TRIES A NEW TACTIC

ASSOCIATED FILES:

  • 2018-02-08-malspam-pushing-Quant-Loader-1st-run.pcap   (548,205 bytes) - Windows 7 host
  • 2018-02-08-malspam-pushing-Quant-Loader-2nd-run.pcap   (505,636 bytes) - Windows 10 host
  • 08.02.2018.doc   (188,928 bytes)
  • 08.02.2018_251910.pdf   (17,207 bytes)
  • 08.02.2018_7719830.pdf   (17,175 bytes)
  • 2018-02-08-malspam-1454-UTC.eml   (1,329 bytes)
  • 2018-02-08-malspam-1517-UTC.eml   (1,338 bytes)
  • rozabich8.exe   (231,688 bytes)

NOTES:


Shown above:  Flow chart of today's events.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:


EMAILS


Shown above:  Screenshot of an email (1 of 2).



Shown above:  Screenshot of an email (2 of 2).


MALSPAM INFO FROM TWO EMAILS:



Shown above:  Link from the email.



Shown above:  The downloaded PDF file.



Shown above:  The downloaded Word document. Protected View has to be bypassed first.



Shown above:  Macros then have to be enabled before the infection proceeds.


TRAFFIC


Shown above:  Infection traffic from the Windows 10 host filtered in Wireshark.



Shown above:  Alerts from Sguil on the infection traffic in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.


TRAFFIC AFTER DOWNLOADING PDF FILE FROM GOOGLE DRIVE:


MALWARE

PDF FILES FROM GOOGLE DRIVE LINKS IN THE EMAILS:

DOWNLOADED WORD DOCUMENT LINKED FROM PDF FILES:

QUANT LOADER RETRIEVED BY WORD DOCUMENT MACRO:


POST-INFECTION FORENSICS


Shown above:  Quant Loader executable retrieved by the Word document macro.



Shown above:  Registry key and location of Quant Loader for persistence on the infected Windows 10 host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
