Ransomware Hits Catering Service Supplier Edward Don

Ransomware has hit one of the nation’s largest catering service suppliers, Edward Don. Edward Don and Company is one of the largest distributors of foodservice equipment and supplies, such as kitchen supplies, bar supplies, flatware, and dinnerware. The ransomware attack has forced the company to take down parts of its network, affecting customer relations and communications. The infection has disrupted their business operations, including their phone systems, network, and email.

The email outage forced company employees to use personal Gmail accounts to communicate with customers and vendors regarding urgent orders or fulfillment issues.

Reporters at BleepingComputer have pressed the company for information regarding the ransomware attack, but Edward Don has yet to release a statement. However, employees have stated that they cannot accept new orders until the systems are brought back online.

As Edward Don is one of the leading distributors of foodservice supplies, this attack will cause a significant disruption in the supply chain for hospitals, restaurants, hotels, and bars.

There has yet to be confirmation on what strain of ransomware is responsible for the attack. However, given the current ransomware climate, it could be one of many. Despite this, Advanced Intel CEO Vitali Kremez stated that the company might have been infected by the Qbot malware based on their adversarial visibility.

Following Kremez’ suggestion, other researchers have confirmed the Qbot trojan was on Edward Don’s network, and as such likely became a foothold for ransomware to enter their system. In the past, the ProLock and Egregor ransomware gangs partnered with Qbot. Since their shutdown, the REvil ransomware gang has been utilizing the botnet.

The Qbot Trojan has been plaguing computer users and businesses for over a decade and the cybercriminals behind it are still coming up with new tricks that keep it one of the most prevalent and successful malware threats.

Qbot, also known as Qakbot or Pinkslipbot, started out as a banking Trojan focused on stealing online banking credentials, but has since evolved into a “Swiss Army knife” that’s used for a variety of purposes including distributing ransomware.

LAst year, a new Qbot variant started being distributed by another Trojan called Emotet as part of a new spam campaign that affected many organizations worldwide. That new variant exhibited new features and a new command-and-control infrastructure. This continued with a renewed Qbot distribution campaign late last year.

“One of Qbot’s new tricks is particularly nasty, as once a machine is infected, it activates a special ‘email collector module’ which extracts all email threads from the victim’s Outlook client, and uploads it to a hardcoded remote server,” Check Point researchers said in a report. “These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation.”

Qbot Trojan Analysis: A Foothold For Ransomware

Note: This analysis of Qbot was carried out by independent cybersecurity researcher Abdallah Elshinbary.

QBot can be delivered in various different ways including Malspam (Malicious Spam) or dropped by other malware families like Emotet.

The infection flow for this campaign is as follows:

First, the victim receives a phishing email with a link to a malicious zip file. The zip file contains a very obfuscated VBS file which downloads and launches Qbot executable. The VBS file tries to download Qbot from several addresses.

Most of QBot strings are encrypted (stored in a continuous blob) and they are decrypted on demand. The decryption routine accepts one argument which is the index to the string then it XORs it with a hardcoded bytes array until it encounters a null byte.

QBot spawns a new process of itself with the “/C” parameter, this process is responsible for doing Anti-Analysis checks. The trojan performs this to try stop researchers examining it.

In VMWare, communication with the host is done through a specific I/O port (0x5658), so QBot uses the in assembly instruction to detect VMWare by reading from this port and checking the return value in ebx if it’s equal to VMXh. Another Anti-VM trick is to check hardware devices against known devices names used by VMs and Sandboxes.

The last check is done using CPUID instruction. First it is executed with EAX=0 to get the CPU vendor and compares it with GenuineIntel (Intel processor). Then it is executed with EAX=1 to get the processors features. On a physical machine the last bit will be equal to 0. On a guest VM it will equal to 1.

After the Anti-Analysis checks, QBot drops a copy of itself along with a configuration file at “%APPDATA%\Microsoft\”. Finally, QBot starts the dropped copy in a new process and overwrites itself with a legitimate executable.

The dropped configuration file is accessed frequently by Qbot, this file is RC4 encrypted.

QBot obfuscates its communication with the C2 (Command-and-Control) server by encrypting the payloads using RC4 and encoding the result using Base64. The communication is also done over SSL.

After establishing communication, the C2 server will send commands indexes to be executed.

QBot can spread through the network by enumerating network shares using WNetOpenEnumW() and WNetEnumResourceW() then it drops a copy of Qbot into the shared folders.

When Qbot ensures it is not in analysis, and communication to the C2 server has been established, it can begin delivering other malware such as ransomware onto the system.