Security News > 2022 > June > Qbot malware now uses Windows MSDT zero-day in phishing attacks

Qbot malware now uses Windows MSDT zero-day in phishing attacks
2022-06-07 22:03

A critical Windows zero-day vulnerability, known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware.

As Proofpoint security researchers shared today, the TA570 Qbot affiliate has now begun using malicious Microsoft Office.

Docx document will reach out to an external server to load an HTML file that exploits the Follina flaw to run PowerShell code which downloads and executes a different Qbot DLL payload. A collection of indicators of compromise linked to this campaign by malware analyst ExecuteMalware can be found here.

Qbot is a modular Windows banking trojan with worming capabilities for infecting more devices on compromised networks via network share exploits and highly aggressive brute-force attacks against Active Directory admin accounts.

Microsoft has published a report in December 2021 regarding the versatility of Qbot attacks that makes it harder to accurately evaluate the scope of its infections.

The DFIR Report also recently shed light on Qbot light-speed attacks where the malware is able to steal sensitive user data within roughly 30 minutes after the initial infection.

News URL