Now Windows Follina zero-day exploited to infect PCs with Qbot
2022-06-09 00:29

Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

Threat Insight, part of cybersecurity vendor Proofpoint, noted on Twitter this week that miscreants have been seen exploiting the Follina flaw, tracked as CVE-2022-30190, in the Windows Support Diagnostic Tool to deliver Qbot, also known as QakBot, QuakBot and Pinkslipbot, onto victims' computers.

The Qbot botnet can be used by those with access to it to ruin a victim's month or year, and ransomware gangs can tap the malware to gain access to organizations and spread laterally before exfiltrating data and scrambling files.

In a blog post last year detailing the Qbot operators' alliance with notorious ransomware group REvil, analysts with cybersecurity firm AdvIntel wrote that it isn't unusual for malware groups to form a pact with one or two ransomware-as-a-service gangs, but added that "QBot differs from this pattern, as from the very beginning they were aiming at massive partnership expansions."

"For instance - Dridex had DopplePaymer, TrickBot botnet had Ryuk, Zloader had DarkSide, etc. At the same time, QBot had Egregor, ProLock, LockerGoga, Mount Locker, and other ransomware collectives. Therefore, it was a matter of time before they engaged with REvil."

In a blog post, NCC wrote that Qbot was used to remotely create a temporary service on the targeted system, which was configured to execute a Qbot DLL. "Qakbot was the primary method utilized by the threat actor to maintain their presence on the network," they wrote.

News URL: https://go.theregister.com/feed/www.theregister.com/2022/06/09/qbot-malware-microsoft-follina/

Related Vulnerability

DATE: 2022-06-01
CVE: CVE-2022-30190
VULNERABILITY TITLE: Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products
DESCRIPTION: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.
ATTACK VECTOR: local
ATTACK COMPLEXITY: low complexity
VENDOR: microsoft
CWE: CWE-610
RISK (CVSS score): 7.8
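As an added defensive example (not code from the article, Proofpoint or NCC), the following Python checks process-creation records for the calling pattern the advisory describes for CVE-2022-30190: an Office application spawning msdt.exe with an ms-msdt: URL on its command line. The event shape and the sample events are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed, simplified process-creation record (fields modelled
    loosely on a Sysmon event ID 1): parent image, child image, command line."""
    parent_image: str
    image: str
    command_line: str


# Office host applications in which a Follina-style document would be opened.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# The ms-msdt: URL-protocol invocation named in the advisory text.
MSDT_URL_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_follina_pattern(ev: ProcEvent) -> bool:
    """True when an Office app spawns msdt.exe with an ms-msdt: URL argument."""
    return (
        basename(ev.image) == "msdt.exe"
        and basename(ev.parent_image) in OFFICE_PARENTS
        and MSDT_URL_RE.search(ev.command_line) is not None
    )


def find_suspicious(events):
    """Return the events matching the pattern, in input order."""
    return [ev for ev in events if is_follina_pattern(ev)]


# Constructed sample events: a benign troubleshooter launch from Explorer,
# an Office -> msdt.exe URL-protocol chain, and msdt.exe under Office
# but without the URL-protocol form (not flagged by this rule).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" -id PCWDiagnostic'),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", basename(ev.parent_image), "->", ev.command_line)
```

This is a detection aid to run alongside patching; Microsoft's published interim workaround at the time was to disable the MSDT URL protocol handler.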