Starting October 19, 2017, the actors behind Locky distribution began using a new loader to drop their ransomware. The loader has been dubbed QTLoader or QTBot, based on strings and registry key names used by the malware. The switch to QTLoader coincided with the adoption of Office documents abusing the DDEAUTO field (Dynamic Data Exchange) to download the Locky payload. There has not been much publicly available analysis of QTLoader, so we thought we would do a quick writeup.
The QTLoader samples used in recent Locky attacks contain basic anti-analysis tricks that were not present in the script-based downloaders Locky used previously. The loader enumerates all running processes on the victim machine looking for tools commonly used by malware analysts (debuggers, a network sniffer, a scripting runtime and the VMware guest tools service). Some of the flagged process names include:
OLLYDBG.EXE
python.exe
vmtoolsd.exe
Wireshark.exe
x32dbg.exe
The loader walks the process list with CreateToolhelp32Snapshot/Process32FirstW/Process32NextW. For each running process, the CRC32 of the process name is computed and then XOR'd with a hard-coded constant. If the resulting value matches one of the hashes in the blocklist embedded in the binary, the loader exits immediately. Hashing the names rather than storing them as plaintext keeps the tool names out of a simple strings dump, but CRC32 is not a one-way function: a 32-bit value against a short wordlist of analyst tools is trivially reversible, and a single known name/hash pair reveals the XOR constant.
If the anti-analysis checks pass, execution continues. Eventually control is transferred into a freshly created svchost.exe process using process hollowing. Once running inside the hollowed svchost.exe, QTLoader performs a series of check-ins with its hard-coded C2 server via HTTP POST. These check-ins are followed by the download of the final payload, still in the context of the svchost.exe process. The payload is either Locky or Trickbot, selected by the geo-location of the victim.
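To make the blocklist mechanism concrete, the following Python script is an added example written for this writeup, not code recovered from QTLoader. It reproduces the check (CRC32 of the process name XOR a constant, compared against a hash set) and then does the two things an analyst actually wants: recover the XOR constant from one known name/hash pair and resolve the remaining hashes against a wordlist. The constant 0xDEADBEEF is a stand-in; the real value is sample-specific and not given here. The example hashes the name as ASCII and without case folding; since Process32NextW returns UTF-16LE, a sample that hashes the raw wide string would need encoding="utf-16-le".

```python
import zlib

# Hypothetical XOR constant. The real value is sample-specific and is not
# published in this writeup; it is only a placeholder for the demonstration.
XOR_KEY = 0xDEADBEEF

# Process names the writeup reports as flagged (a subset of the real blocklist).
FLAGGED_NAMES = ["OLLYDBG.EXE", "python.exe", "vmtoolsd.exe", "Wireshark.exe", "x32dbg.exe"]


def name_hash(name: str, key: int = XOR_KEY, encoding: str = "ascii") -> int:
    """CRC32 of the process name, XOR'd with the constant, as an unsigned 32-bit value.

    Assumption: the name is hashed exactly as the enumeration API returns it,
    with no case folding. Pass encoding="utf-16-le" to model a sample that
    hashes the wide string from PROCESSENTRY32W.szExeFile directly.
    """
    return (zlib.crc32(name.encode(encoding)) ^ key) & 0xFFFFFFFF


def build_blocklist(names, key: int = XOR_KEY, encoding: str = "ascii") -> set:
    """What the malware author embeds in the binary: hashes, not strings."""
    return {name_hash(n, key, encoding) for n in names}


BLOCKLIST = build_blocklist(FLAGGED_NAMES)


def flagged_processes(running, blocklist=BLOCKLIST, key: int = XOR_KEY,
                      encoding: str = "ascii") -> list:
    """Mimic the loader's loop: hash every running process name and return
    those whose hash is on the blocklist."""
    return [p for p in running if name_hash(p, key, encoding) in blocklist]


def should_exit(running, **kw) -> bool:
    """The loader's decision: bail out if any flagged tool is running."""
    return bool(flagged_processes(running, **kw))


def recover_key(known_name: str, known_hash: int, encoding: str = "ascii") -> int:
    """Analyst direction: if one blocklist entry is known (e.g. a hash that
    lines up with a tool seen in testing), the constant is crc32(name) ^ hash."""
    return (zlib.crc32(known_name.encode(encoding)) ^ known_hash) & 0xFFFFFFFF


def resolve_hashes(hashes, candidates, key: int, encoding: str = "ascii") -> dict:
    """Map hashes pulled from a sample back to names using a wordlist of
    analysis tools. Unresolved hashes map to None."""
    table = {name_hash(c, key, encoding): c for c in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed process list standing in for a Toolhelp32 snapshot.
    snapshot = ["System", "explorer.exe", "svchost.exe", "x32dbg.exe"]
    print("flagged:", flagged_processes(snapshot))
    print("loader would exit:", should_exit(snapshot))
    key = recover_key("x32dbg.exe", name_hash("x32dbg.exe"))
    print("recovered key: 0x%08X" % key)
    print(resolve_hashes(sorted(BLOCKLIST), FLAGGED_NAMES + ["procmon.exe"], key))
```

Two practical consequences fall out of the code: because the hash is taken over the exact image name, renaming x32dbg.exe to anything else defeats the check, and because the blocklist is a set of 32-bit CRCs, a wordlist of a few hundred common analysis tool names resolves most entries in milliseconds once the constant is recovered.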
QTLoader samples analyzed (MD5):
4f03e360be488a3811d40c113292bc01
a633ccbf2a9d299a06512319a0286777
eae849f6510db451f4fbdb780b5d49aa
2119cd6480863198437c021b8b3e6339
8b746248f1b810ce11e231acc5953510
f436a9edea4cb3df6193715c105fcffe
e08729c692629dcd9a7678c0b18ac312
1916150b3356fe6e6da7ec2e2a78e189
d0be9eee425acecc5469286424a44405
9280a952e5ff85d8f67bf71f590d00ac