Qbot – known channel for ransomware – delivered via phishing and Follina exploit
State-backed threat actors have already started exploiting Follina (CVE-2022-30190), and now one of the most active Qbot malware affiliates has also been spotted leveraging it.
Once opened, the attached file drops an archive, which contains a disk image (IMG) file holding a Word document, a shortcut (.lnk) file and a .dll file.
"The LNK will execute the DLL to start Qbot. The doc will load and execute an HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot," Proofpoint threat researchers explained.
The disk image may also be an ISO file, which again contains a .docx file, a .lnk file and a .dll file.
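As an added defensive illustration (this is not code from the Help Net Security article or from Proofpoint), the Python sketch below runs two detection rules over constructed process-creation events that mirror the chain described above: an Office application spawning msdt.exe or passing an ms-msdt: URL (the CVE-2022-30190 path), and rundll32/regsvr32 loading a DLL from a non-system drive letter, which is where a user-mounted IMG/ISO typically appears. Hostnames, file paths, the event field names and the non-system-drive heuristic are assumptions.

```python
import re
from dataclasses import dataclass

# Office hosts that should not normally hand a document off to the diagnostic tool.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land loaders commonly used by an LNK to run a dropped DLL.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Heuristic (assumption): a DLL referenced via a drive letter other than C: is
# suspicious because a mounted IMG/ISO is assigned a fresh drive letter.
NON_SYSTEM_DLL = re.compile(r'\b[D-Z]:\\[^\s,"]+\.dll\b', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are assumed, not a vendor schema)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def _base(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_msdt(ev: ProcEvent) -> bool:
    """CVE-2022-30190 pattern: an Office process launches msdt.exe or uses the ms-msdt: URL."""
    parent_is_office = _base(ev.parent_image) in OFFICE_APPS
    return parent_is_office and (
        _base(ev.image) == "msdt.exe" or "ms-msdt:" in ev.cmdline.lower()
    )


def dll_from_mounted_image(ev: ProcEvent) -> bool:
    """LNK-style DLL execution: rundll32/regsvr32 loading a DLL from a non-system drive."""
    return _base(ev.image) in DLL_LOADERS and NON_SYSTEM_DLL.search(ev.cmdline) is not None


RULES = {
    "office_spawned_msdt": office_spawned_msdt,
    "dll_from_mounted_image": dll_from_mounted_image,
}


def triage(events):
    """Return (host, rule name, child image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev.host, name, _base(ev.image)))
    return hits


# Constructed sample events: two malicious, three benign.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force'),
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe D:\invoice.dll,DllRegisterServer"),
    ProcEvent("WS02", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Documents\invoice.docx"'),
    ProcEvent("WS02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent("WS02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]

if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

The first rule is the one to prioritise: msdt.exe as a child of an Office application has almost no legitimate business use, so it can be alerted on with low false-positive risk. The drive-letter heuristic in the second rule will fire on any DLL run from removable or mapped media and is better used as an enrichment signal alongside the first.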
News URL
https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/
Related news
- Akira and Fog ransomware now exploit critical Veeam RCE flaw
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
- Helldown ransomware exploits Zyxel VPN flaw to breach networks
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-06-01 | CVE-2022-30190 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products: a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 7.8 |