Qbot – known channel for ransomware – delivered via phishing and Follina exploit
2022-06-08 10:40

Other state-backed threat actors have started exploiting Follina (CVE-2022-30190), and now one of the most active Qbot malware affiliates has also been spotted leveraging it.

Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start Qbot.

The doc will load and execute an HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot.

Once opened, the file drops an archive, which contains a disk image file that holds a Word document, a shortcut file, and a .dll file.

"The LNK will execute the DLL to start Qbot. The doc will load and execute an HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot," Proofpoint threat researchers explained.

ISO file, which again contains a .docx file, a .lnk file and a .dll file.
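
A detection sketch for the Follina leg of the chain described above, added here as an example and not taken from the article or from Proofpoint: it flags process-creation events in which MSDT is started by an Office application or through the `ms-msdt:` URL protocol. The event field names, the Office parent list and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: Office binaries treated as "calling applications"; extend as needed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_SCHEME = "ms-msdt:"  # URL protocol that hands a link to MSDT

def classify(event):
    """Grade one process-creation event; None means unrelated or expected."""
    if ntpath.basename(event["image"]).lower() != "msdt.exe":
        return None
    parent = ntpath.basename(event["parent_image"]).lower()
    via_url = MSDT_SCHEME in event["command_line"].lower()
    if parent in OFFICE_PARENTS and via_url:
        return "high"    # Office invoked MSDT through the URL protocol
    if parent in OFFICE_PARENTS or via_url:
        return "medium"  # only one signal present; needs analyst review
    return None          # e.g. a user starting a troubleshooter by hand

def triage(events):
    """Return sorted (verdict, host, parent, pid) tuples for flagged events."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            parent = ntpath.basename(ev["parent_image"])
            hits.append((verdict, ev["host"], parent, ev["pid"]))
    return sorted(hits)

# Constructed sample events (hypothetical hosts, PIDs and field names).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
MSDT = r"C:\Windows\System32\msdt.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "pid": 4120, "image": MSDT,
     "parent_image": OFFICE + r"\WINWORD.EXE",
     "command_line": "msdt.exe ms-msdt:<constructed, arguments elided>"},
    {"host": "WS-02", "pid": 5300, "image": MSDT,
     "parent_image": OFFICE + r"\OUTLOOK.EXE",
     "command_line": "msdt.exe /id NetworkDiagnosticsNetworkAdapter"},
    {"host": "WS-03", "pid": 6110, "image": MSDT,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msdt.exe /id NetworkDiagnosticsNetworkAdapter"},
    {"host": "WS-04", "pid": 7001, "image": r"C:\Windows\splwow64.exe",
     "parent_image": OFFICE + r"\WINWORD.EXE",
     "command_line": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The same two conditions translate directly into a SIEM or EDR rule over process-creation telemetry; the "medium" grade exists because either signal alone can occur in legitimate use.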


News URL

https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/

Related Vulnerability

DATE: 2022-06-01
CVE: CVE-2022-30190
VULNERABILITY TITLE: Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.
local, low complexity, microsoft, CWE-610
RISK: 7.8