Threat actors actively exploiting Windows Follina zero-day to deliver Qbot malware

Microsoft has still not provided a fix for the flaw

Threat actors are now actively exploiting critical Windows zero-day vulnerability Follina in ongoing phishing attacks to infect targets with Qbot banking trojan malware.

As reported by security vendor Proofpoint, the TA570 Qbot affiliate has now started using malicious Microsoft Office .docx documents to exploit the CVE-2022-30190 vulnerability and infect recipients with Qbot.

CVE-2022-30190 (also known as Follina) allows attackers to execute arbitrary code via the Microsoft Support Diagnostic Tool (MSDT). All it takes to exploit the vulnerability is for a victim to open an infected Word document. The document makes use of the Word remote template feature in order to retrieve an HTML file from a remote webserver. This HTML file then uses the ms-msdt MSProtocol URI scheme to load some code and run it in PowerShell.

In the most recent attacks detected by Proofpoint researchers, the actors used hijacked email thread messages with HTML attachments that would download ZIP archives containing IMG files.

Inside the IMG files are DLL, Word and shortcut files.

While the shortcut file directly loads the Qbot DLL file that already exists in the IMG disk image, the blank.docx document connects to a remote server controlled by attackers to load an HTML file.

This file uses Follina to execute PowerShell code to download and run a new Qbot DLL payload.

The phishing methods utilised in this campaign match earlier reports of TA570 hijacking email threads to spread malicious attachments.

Since at least 2007, Qbot has been used as a Windows banking trojan with worm capabilities to steal Windows domain credentials, banking credentials, financial data and personal information.

This malware also gives threat actors the ability to drop backdoors on compromised systems, deploy Cobalt Strike beacons, and provide remote access to ransomware gangs.

Phishing tactics that use different lures, such as bogus invoices, payment and banking details, scanned documents, or bills, often cause victims to be infected with Qbot.

However, Qbot may also infect victims when they are already infected with another kind of malware.

CVE-2022-30190, which was uncovered by security researchers at the end of May, has been exploited in multiple attacks since its disclosure.

Earlier this month, Proofpoint researchers said that suspected Chinese threat group TA413 CN APT had been spotted exploiting the Follina bug to deliver ZIP archives containing infected Word documents.

Another attempt at exploiting the vulnerability was reported by the SANS Internet Storm Center, where researchers received an infected document uploaded from Ireland but with a filename in Chinese characters.

Proofpoint said on Monday that phishing emails offering salary raises to staff were sent to European government agencies and US local government agencies.

Once the recipient opens the attached file, it utilises CVE-2022-30190 to put PowerShell scripts on the machine and steal private information from a range of apps, including browsers, instant messaging software, receiver software, and so on.

The stolen information is subsequently sent to the hacker's server.

The recent exploitation of the Follina vulnerability demonstrates how attackers move quickly to exploit an unpatched vulnerability.

Microsoft has yet to provide a fix for the flaw. It recommends blocking the MSDT URL protocol as a mitigating measure.

"Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters," Microsoft says.