Hello, welcome to the Tuesday, November 3, 2020 edition of the San Bernard Storm Center's Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Brad today has an interesting diary talking about the interaction between Imotet and Quagbot or cubebot. Now, both of them are

typically being spread via malicious emails and they're sort of considered two distinct

Malware families. Emotet, historically more sort of being a banking, Trojan and Quagbot,

really more being sort of an information stealer. But both of

these malware families typically spread via malicious emails, so you would receive an email with

an office document that then asks you to enable macros, and then the malware will be installed.

Of course, both of these malware families also have

the ability to add additional components and updates later on via command control server that they

connect to. Now, the interesting behavior that Brad saw was that these two malware families can

also install each other. So what he saw

was a malicious word document that installed Emotet. The Emotet install was then used to install QuackBot,

which in turn was used to install Emotet again. So in the end, Brad ended up with two copies of Emotet and Quagbot installed on the same system.

Now, it's not clear why this happened.

It's possible that this was more or less a mistake by the attacker.

Also, this type of malware is often just rendered out

as a service to install other malware, and maybe that's sort of what happened here, or the

attacker just tried to get better persistence by installing various pieces of malware in order

to not have them all wiped at the same time.

And well, we got sadly bad news if you are running Oracle's web logic.

...