Qbot – known channel for ransomware – delivered via phishing and Follina exploit

State-backed threat actors have already started exploiting the Follina vulnerability (CVE-2022-30190); now one of the most active Qbot malware affiliates has also been spotted leveraging it.
Once opened, the phishing attachment drops an archive containing a disk image (IMG/ISO) file, which in turn holds a Word document (.docx), a shortcut (.lnk) file, and a .dll file.
"The LNK will execute the DLL to start Qbot. The doc will load and execute an HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot," Proofpoint threat researchers explained.
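The two execution stages described above leave distinctive process-creation events: Word spawning msdt.exe through the ms-msdt: URL protocol (the CVE-2022-30190 path), and a DLL host launched from a mounted disk image after the shortcut is clicked. The following detection logic is an added example written for this page; it is not code from the Help Net Security article or from Proofpoint. It assumes Sysmon-style process events serialised as JSON lines with `ParentImage`, `Image`, `CommandLine` and `ProcessId` fields, that Windows lives on C:, and that the LNK uses rundll32.exe or regsvr32.exe to load the DLL (the article only says the LNK executes the DLL). The sample events are constructed.

```python
"""
Added detection example for the Qbot/Follina chain (constructed, not from the article).

Rule 1 (CVE-2022-30190): an Office application spawning msdt.exe with an
        ms-msdt: URL on its command line.
Rule 2 (LNK -> DLL stage): a DLL host started from Explorer (as a double-clicked
        shortcut would be) with a DLL that lives on a drive other than the
        system drive, i.e. a freshly mounted IMG/ISO.  That the LNK uses
        rundll32/regsvr32 and that the image mounts as a drive letter are
        assumptions of this example.
"""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
SYSTEM_DRIVE = "c:"  # assumption: Windows is installed on C:
MSDT_URL = re.compile(r"ms-msdt:", re.IGNORECASE)
DLL_PATH = re.compile(r'([A-Za-z]:\\[^\s",]+\.dll)', re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules this process-creation event triggers."""
    hits = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    # Rule 1: Word (or another Office app) invoking MSDT via the URL protocol.
    if parent in OFFICE_PARENTS and image == "msdt.exe" and MSDT_URL.search(cmdline):
        hits.append("follina_office_to_msdt")

    # Rule 2: Explorer -> DLL host, DLL argument on a non-system drive.
    if parent == "explorer.exe" and image in DLL_HOSTS:
        m = DLL_PATH.search(cmdline)
        if m and m.group(1)[:2].lower() != SYSTEM_DRIVE:
            hits.append("dll_host_from_mounted_image")
    return hits


def scan(jsonl: str) -> list:
    """Run classify() over JSON-lines input; return (rule, ProcessId) alerts."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in classify(event):
            alerts.append((rule, event.get("ProcessId")))
    return alerts


# Constructed sample events: two malicious stages and two benign look-alikes.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {   # Follina: Word spawns msdt.exe with an ms-msdt: URL
        "ProcessId": 4120,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic',
    },
    {   # LNK stage: rundll32 loads a DLL from the mounted image on E: (hypothetical name)
        "ProcessId": 4188,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" E:\doc_helper.dll,#1',
    },
    {   # Benign: user opens a document from Explorer
        "ProcessId": 3900,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"',
    },
    {   # Benign: rundll32 with a system DLL on C:, spawned by Explorer
        "ProcessId": 4012,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
])

if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

Rule 2 is deliberately narrow (Explorer as parent, non-system drive) to keep false positives low; on hosts where users legitimately run DLLs from removable media it should be tuned, and the drive-letter heuristic can be replaced by a check against the actual mounted-image volume list if the telemetry provides it.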
News URL: https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/
Related news
- Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws
- Ransomware gangs pose as IT support in Microsoft Teams phishing attacks
- Russian phishing campaigns exploit Signal's device-linking feature
- China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-06-01 | CVE-2022-30190 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 0.0