Qbot – known channel for ransomware – delivered via phishing and Follina exploit (Security News, June 2022)

State-backed threat actors have already started exploiting Follina (CVE-2022-30190), and now one of the most active Qbot malware affiliates has also been spotted leveraging it.

Once the phishing lure is opened, it drops an archive containing a disk image (ISO) file. Inside the image are a Word document (.docx), a shortcut (.lnk) file and a .dll file.

"The LNK will execute the DLL to start Qbot. The doc will load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot," Proofpoint threat researchers explained.
News URL
https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2022-06-01 | CVE-2022-30190 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 0.0 |