Security News > 2022 > June > Qbot malware now uses Windows MSDT zero-day in phishing attacks
A critical Windows zero-day vulnerability, known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware.
As Proofpoint security researchers shared today, the TA570 Qbot affiliate has now begun using malicious Microsoft Office.
Docx document will reach out to an external server to load an HTML file that exploits the Follina flaw to run PowerShell code which downloads and executes a different Qbot DLL payload. A collection of indicators of compromise linked to this campaign by malware analyst ExecuteMalware can be found here.
Qbot is a modular Windows banking trojan with worming capabilities for infecting more devices on compromised networks via network share exploits and highly aggressive brute-force attacks against Active Directory admin accounts.
Microsoft has published a report in December 2021 regarding the versatility of Qbot attacks that makes it harder to accurately evaluate the scope of its infections.
The DFIR Report also recently shed light on Qbot light-speed attacks where the malware is able to steal sensitive user data within roughly 30 minutes after the initial infection.
- Windows zero-day exploited in US local govt phishing attacks (source)
- Ukraine warns of “chemical attack” phishing pushing stealer malware (source)
- Microsoft patches Windows LSA spoofing zero-day under active attack (CVE-2022-26925) (source)
- Microsoft fixes under-attack Windows zero-day Follina (source)
- New Raspberry Robin worm uses Windows Installer to drop malware (source)
- Nothing personal: Training employees to identify a spear phishing attack (source)
- USB-based Wormable Malware Targets Windows Installer (source)
- This New Fileless Malware Hides Shellcode in Windows Event Logs (source)
- Hackers are now hiding malware in Windows Event Logs (source)
- Kaspersky uncovers fileless malware inside Windows event logs (source)