Locky Actors Adopt QTLoader to Deliver Ransomware

Starting October 19, 2017, the actors behind Locky distribution began using a new loader to drop their ransomware payload. The loader has been dubbed QTLoader (or QTBot) based on strings and registry keys found in the binary. Its adoption coincided with the switch to the DDE AUTO technique for delivering the initial document. There has been limited public analysis of QTLoader, so we are publishing our findings here.
Anti-Analysis Checks
QTLoader samples used in recent Locky attacks include basic anti-analysis tricks not present in the previous script-based downloaders. On startup, the loader enumerates all running processes looking for tools commonly used by malware analysts, including:

- OLLYDBG.EXE
- python.exe
- vmtoolsd.exe
- Wireshark.exe
- x32dbg.exe
Enumeration uses CreateToolhelp32Snapshot / Process32FirstW / Process32NextW. For each running process, the loader computes the CRC32 of the process name and XORs it with a hardcoded constant. If the result matches an entry in a hardcoded blocklist of hashes, the loader exits immediately. Because only the hashes are stored, the tool names above do not appear as plain strings in the binary.
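To make the check concrete, here is an added Python model of the hash-based blocklist, written for this page rather than taken from the sample or the original post. Both sides are shown: the loader's check (hash every running process name, exit on a blocklist hit) and the analyst's inverse (resolve the hardcoded hash constants back to names with a candidate list, and recover the XOR constant from one known name). The XOR key 0x5A5A5A5A is a placeholder, and hashing the name as UTF-16LE (the form Process32NextW returns) without case normalisation is an assumption; the real sample's constant and string handling are not given in the post.

```python
import zlib
from typing import Dict, Iterable, Optional

# Hypothetical XOR constant; the post does not give the sample's real value.
XOR_KEY = 0x5A5A5A5A

# Tool names the post says the loader looks for.
ANALYSIS_TOOLS = ["OLLYDBG.EXE", "python.exe", "vmtoolsd.exe", "Wireshark.exe", "x32dbg.exe"]


def hash_name(name: str, key: int = XOR_KEY) -> int:
    """CRC32 of the process name XORed with a constant, masked to 32 bits.

    Process32NextW yields wide strings, so the name is hashed as UTF-16LE here.
    Whether the real loader hashes the wide string or a narrowed copy, and whether
    it normalises case first, is not stated in the post (assumption).
    """
    return (zlib.crc32(name.encode("utf-16-le")) ^ key) & 0xFFFFFFFF


# What sits in the binary: only the hashes, never the names.
BLOCKLIST = frozenset(hash_name(n) for n in ANALYSIS_TOOLS)


def should_exit(running: Iterable[str]) -> bool:
    """Loader side: True if any running process name hashes to a blocklisted value."""
    return any(hash_name(p) in BLOCKLIST for p in running)


def resolve_hashes(hashes: Iterable[int], candidates: Iterable[str],
                   key: int = XOR_KEY) -> Dict[int, Optional[str]]:
    """Analyst side: recover the names behind hardcoded hashes by hashing a
    candidate list with the same routine and constant. Unmatched hashes map to None."""
    table = {hash_name(c, key): c for c in candidates}
    return {h: table.get(h) for h in hashes}


def recover_key(hardcoded: int, guessed_name: str) -> int:
    """If one blocklist entry is guessed correctly (x32dbg.exe is a safe bet), the
    XOR constant is just the stored value XORed with that name's CRC32. Verify the
    guess by checking that the other stored values then resolve via resolve_hashes."""
    return (hardcoded ^ zlib.crc32(guessed_name.encode("utf-16-le"))) & 0xFFFFFFFF


if __name__ == "__main__":
    print([hex(h) for h in sorted(BLOCKLIST)])
    print(should_exit(["explorer.exe", "x32dbg.exe"]))
    print(resolve_hashes(sorted(BLOCKLIST), ANALYSIS_TOOLS + ["notepad.exe"]))
```

Note that the match is exact-case in this model: "X32DBG.EXE" would not hit the entry for "x32dbg.exe". When reproducing the routine against a real sample, the encoding, case handling and constant must all be taken from the disassembly, otherwise none of the stored values will resolve.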
Execution Flow
If the anti-analysis checks pass, the loader starts a svchost.exe process, hollows it out, and transfers execution into it (process hollowing). From within the hollowed svchost.exe, QTLoader performs a series of HTTP POST check-ins to a hardcoded C2 server, after which it downloads the final payload: Locky or Trickbot, depending on the victim's geo-location.
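The hollowed svchost.exe keeps the legitimate image path, so path-based checks will not catch it. What does stand out is its lineage (a genuine svchost.exe is started by services.exe) combined with the outbound HTTP it makes for the check-ins. As an added example that is not part of the original post, the following Python correlates constructed Sysmon-style process-creation (event 1) and network-connection (event 3) records to flag exactly that pattern. The loader file name qtloader.exe, the pids, the parent paths and the IP addresses are all made up for the sample data.

```python
from typing import Dict, List, Tuple

# Constructed sample events in a simplified Sysmon-like shape; not taken from the post.
# Event 1 = process creation, event 3 = network connection.
EVENTS = [
    {"id": 1, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 1, "pid": 5555, "image": r"C:\Users\victim\AppData\Local\Temp\qtloader.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    # Hypothetical hollowed instance: same legitimate path, wrong parent.
    {"id": 1, "pid": 5678, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\qtloader.exe"},
    {"id": 3, "pid": 5678, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "203.0.113.10", "dest_port": 80},
    {"id": 3, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "13.107.4.50", "dest_port": 443},
]


def _is_image(path: str, name: str) -> bool:
    return path.lower().endswith("\\" + name)


def find_suspicious_svchost(events: List[dict]) -> List[Tuple[int, str, str, int]]:
    """Return (pid, parent_image, dest_ip, dest_port) for every svchost.exe that was
    not started by services.exe and later opened an outbound network connection."""
    odd_parent: Dict[int, str] = {}
    for e in events:
        if e["id"] == 1 and _is_image(e["image"], "svchost.exe"):
            if not _is_image(e["parent_image"], "services.exe"):
                odd_parent[e["pid"]] = e["parent_image"]
    hits = []
    for e in events:
        if e["id"] == 3 and e["pid"] in odd_parent:
            hits.append((e["pid"], odd_parent[e["pid"]], e["dest_ip"], e["dest_port"]))
    return hits


if __name__ == "__main__":
    for pid, parent, ip, port in find_suspicious_svchost(EVENTS):
        print(f"svchost.exe pid {pid} spawned by {parent} connected to {ip}:{port}")
```

This is a heuristic, not a signature: pid reuse between the two event types must be handled with process GUIDs on a real telemetry pipeline, and the parent rule should be checked against the environment before alerting, since some management agents legitimately launch svchost.exe. It does not depend on the loader's file name, the C2 address or the XOR constant, none of which survive a trivial rebuild of the sample.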
Samples (MD5)
| MD5 |
|---|
| 4f03e360be488a3811d40c113292bc01 |
| a633ccbf2a9d299a06512319a0286777 |
| eae849f6510db451f4fbdb780b5d49aa |
| 2119cd6480863198437c021b8b3e6339 |
| 8b746248f1b810ce11e231acc5953510 |
| f436a9edea4cb3df6193715c105fcffe |
| e08729c692629dcd9a7678c0b18ac312 |
| 1916150b3356fe6e6da7ec2e2a78e189 |
| d0be9eee425acecc5469286424a44405 |
| 9280a952e5ff85d8f67bf71f590d00ac |