skip to Main Content

Cybercrime, QuakBot use SERVICE STREAM in its signed global campaign

Technical analysis by the Malware Hunter JAMESWT

QuakBot use SERVICE STREAM LIMITED in its signed global campaign. It exploits company certificates to sign the executable and decept the anti virus. The malware infection chain is activated by the attachment

QuakBot adds “SERVICE STREAM LIMITED” to its signed global campaign. New malicious mails have been distributed by cybercrime exploiting the company’s certificates to sign the executable file. The template and xls attachment are the same, but links are new. The objective is to decept the anti virus and let the victims download and install the malware through the attachment and a link. Criminal hackers for this purpose are exploiting organizations from different countries. In the last period have been used many signatures. They include those related to:

Mislean Software Limited

Master Networking s.r.o.

DocsGen Software Solutions Inc.

Digital Capital Management Ireland Limited

Equal Cash Technologies Limited

Korist Networks Incorporated

Instamix Limited

Akhirah Technologies Inc.

Bamboo Connect s.r.o.

OLIMP STROI OOO

BOREC OOO

Cubic Information Systems UAB

Highweb Ireland Operations Limited

VESNA OOO

THREE D CORPORATION PTY LTD

Umbrella LLC

Olymp LLC

Hairis LLC

SERVICE STREAM LIMITED

The malware is a banking trojan with worm capabilites

The QuakBot (aka Qbot) malware is a modular cybercrime banking trojan known to target businesses to steal money from their online banking accounts. It features worm capabilities to self-replicate through shared drives and removable media. The code uses powerful information-stealing features to spy on users’ banking activity.

The fake .xls attachment

DNS HTTP/HTTPS requests / Connection

 

 

Back To Top