In phishing assaults, the Qbot malware now uses the Windows MSDT zero-day.
A serious Windows zero-day vulnerability known as Follina is currently being actively exploited in continuing phishing campaigns to infect targets with Qbot malware, which is still waiting for an official fix from Microsoft.
As Proofpoint security researchers, the TA570 Qbot affiliate has now begun using malicious Microsoft Office .docx documents to abuse the Follina CVE-2022-30190 security flaw and infect recipients with Qbot— Threat Insight.
CVE-2022-30190 (also known as Follina) allows attackers to execute arbitrary code through the Microsoft Support Diagnostic Tool (MSDT). All it takes to exploit the vulnerability is for the victim to open an infected Word document. The document uses the Word Remote Template feature to extract an HTML file from a remote web server. This HTML file then uses the URI scheme of ms-msdt MSProtocol to load some code and execute it in PowerShell.
In the latest attacks discovered by Proofpoint researchers
The actors used hijacked e-mail messages with HTML attachments that will download ZIP archives containing IMG files.
Inside the IMG files are DLLs, Word and shortcut files. While the direct file directly loads the Qbot DLL file that already exists in the IMG disk image, the blank.docx document connects to a remote attacker-controlled server to load the HTML file.
This file uses Follina to execute PowerShell code to download and run a new payload Qbot DLL. The phishing methods used in this campaign reflect reports showing how the TA570 has used email thread hijacking to distribute malicious attachments in the past.
Since at least 2007, Qbot has been used as a Windows banking Trojan with worm capabilities to steal credentials.
However, Qbot may also infect victims when they are already infected with another type of malware.