Threat Actors Using Fake QuickBooks Software to Scam Organizations

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

QuickBooks is a popular accounting software developed and marketed by Intuit. It is designed to help small and medium-sized businesses manage their finances, including tracking income and expenses, invoicing customers, managing bills, and generating financial reports.

Our Incident Handling team was notified about the scamming attempt against one of our clients in the financial sector. The client reported being unable to access one of their QuickBooks files, and upon opening the file, they received a warning message instructing them to call a phone number that appeared to be from Intuit Technical Support.

However, the number was part of a scam. Upon calling the number, the malicious actor would offer to sell the service to “repair” the files. The malicious actor claimed to be from QB Exclusive and used ZoHo Assist (remote support software) to achieve the remote session on the victim’s machine.

The eSentire Threat Response Unit (TRU) performed proactive threat hunting across all clients and identified two more infections targeting Business Services and Consulting sector customers.

"QB Exclusive" is purported to provide accounting and bookkeeping services, as well as QuickBooks support and products for sale on their website. However, there are concerns about the legitimacy of the company.

After conducting a more thorough investigation, we discovered that the same phone number listed on the original website appears on two additional websites. One of these websites, which operates under the name Business Growth Solutions, offers QuickBooks consulting services in addition to the sale of QuickBooks products. The second website, also operating under the name Business Growth Solutions, appears to specialize in the sale of office supplies.

The threat actor(s) also listed the random address in the contact form. eSentire TRU assesses the chances as probable that the malicious actor is using the websites for scamming purposes.

The QuickBooks scam has been identified as a known threat, with concerned users posting messages on Reddit and QuickBooks forums about warning messages and non-legitimate support services being offered for prices ranging from $800 to $2000.

The warning messages appear due to the presence of QuickBooks scamming malware on the machine, and users can get infected with it through a drive-by download, specifically via Google Ads.

The infection typically starts when a user searches for "QuickBooks download" on Google, and the first search result leads them to a malicious website hosting a fake QuickBooks installer.

Please note that the malicious installers will not have the valid QuickBooks signature as shown below.

Legitimate installers are signed by Intuit, Inc. as shown below.

The malicious QuickBooks MSI installer contains two or more files including the DLL dependencies necessary for the malicious binaries to operate as shown in the screenshot below. The files are dropped under C:\Users\Public\Libraries\.

Please note that the legitimate QuickBooks files are located under C:\Users\Public\Public Documents\Intuit\QuickBooks\ by default. Any files located under a different folder should be suspicious.

• 90s.rtf – is the fake agreement file as shown below.



• QDB.exe – responsible for displaying a legitimate QuickBooks install pop-up message after the successful installation of the malicious QuickBooks scamming malware as shown below. The binary also terminates legitimate QuickBooks processes such as QBW, QBWebConnector, and QBPOSShell.

Below is the snippet of the code responsible for displaying the pop-up message asking the user to input the data in the fields and saving the data into sv.ini under C:\Users\Pulbic\Libraries.

QuickBooksDownloder namespace is responsible for retrieving the legitimate QuickBooks installer via the API requests to hxxp://185.161.211[.]237/.

Below is the response from the mentioned server (185.161.211[.]237) from get-software API request containing the links to legitimate QuickBooks installers.

Below is the data that the user enters in the Downloader pop-up message form mentioned previously, the data is being sent to 185.161.211[.]237 to retrieve the proper version that the user selected via API request add-user.

The code snippet below is responsible for displaying the HTML content of the “err.bin” file which is a malicious warning message in a web browser control on a Windows form. The code sets various properties of the web browser control to prevent user interaction, such as disabling scrolling, context menus, and keyboard shortcuts.

When the form is loaded, it navigates the web browser control to the local file path of the "err.bin" or “err.html” file.

• RuntimeBoker.exe – the binary is responsible for downloading the HTML file that contains the warning message from C2.

The code below attempts to connect to one of the domains listed; it tries up to 3 times to connect to the domain and if it fails – it moves onto the next one. Further on, it builds the URL string that contains the C2 and current date and time (using GetSystemTimeAsFileTime function), for example, hxxp://103.251.94.106:8080?20230427001224" and retrieves the HTML file.

It’s also worth noting that the binary creates the mutex “quickbookslegitaf” to prevent two instances of the RuntimeBoker.exe running as shown below.

QuickBooks scamming malware achieves persistence via scheduled tasks. We have observed it creating two tasks:

• FSC – runs C:\Users\Public\Libraries\QBD.exe at log on of any user
• FSMQ – runs C:\Users\Public\Libraries\RuntimeBokers.exe at log on of any user

How did we find it?

• The client informed us about not being able to open QuickBooks files and the display of the warning messages.
• eSentire MDR for Endpoint identified the IOCs related to QuickBooks scamming malware.

What did we do?

• The eSentire Threat Response Unit (TRU) performed proactive threat hunting for the IOCs across clients’ MDR for Endpoint instances and notified all impacted clients accordingly.

What can you learn from this TRU positive?

• Google Ads are still actively being used to deliver malware.
• Threat actors achieved a more persistent approach to performing scamming operations by disrupting the functionality of legitimate software and planting malicious messages on users’ machines.
• With remote access to the victim's machine, the attacker(s) is capable of performing further malicious actions such as exfiltrating sensitive data and planting backdoors.

Recommendations from our Threat Response Unit (TRU) Team:

• Train users to identify and report potentially malicious content using Phishing and Security Awareness Training (PSAT) programs.
• Ensure employees have access to a dedicated software center to download corporate-approved software.
• Protect endpoints against malware by:
  • Ensuring antivirus signatures are up-to-date.
  • Using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.

Indicators of Compromise

Yara rules

rule QuickBooks_QBD {
    meta:
        author = "eSentire TI"
        description = "QuickBooks scamming malware" 
        date = "4/27/2023"
    strings:
        $s1 = "\\err.html" wide
        $s2 = "C:\\Users\\Simran\\Desktop\\TEST TESt TES\\QuickBooksDownloder\\obj\\Release\\QBD.pdb"
        $s3 = "D:\\Side\\QuickBook_23\\Downloader\\QuickBooksDownloder\\obj\\Release\\QBDownloder.pdb"
        $s4 = "http://185.161.211.237/" wide
        $s5 = "90s.rtf" wide
        $s6 = "err.bin" wide
    condition:
        4 of ($s*) and filesize < 700KB

}

rule QuickBooks_RuntimeBokers {

    meta:
        author = "eSentire TI"
        description = "QuickBooks scamming malware" 
        date = "4/27/2023"

    strings:
        $s1 = "C:\\Users\\Public\\Libraries\\sv.ini"
        $s2 = "C:\\Users\\Public\\Libraries\\err.bin"
        $s3 = "quickbooks12.hopto.org"
        $s4 = "quickbooks149.hopto.org"
        $s5 = "C:\\Users\\Public\\Libraries\\QBD.exe" wide

    condition:
        all of ($s*) and filesize < 400KB
        and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)

}