Windows Follina zero-day exploited to infect PCs with Qbot • The Register


Malefactors have allegedly exploited the recently revealed Windows Follina critical zero-day flaw to infect PCs with Qbot, aggressively expanding their reach.

The bot’s operators are also working with the Black Basta gang to spread ransomware in another partnership in the cybercrime underworld, it is claimed.

This combination of exploiting Follina and using it to extort organizations makes the malware an even greater threat to businesses. Qbot started out as malware that plundered people’s online bank accounts, and evolved to spy on users’ keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, to infected Windows systems, and forms a remotely controllable botnet.

Threat Insight, part of cybersecurity provider Proofpoint, noted on Twitter this week that miscreants were seen exploiting the Follina flaw, tracked as CVE-2022-30190, in the Windows Support Diagnostic Tool to deliver Qbot, also known as QakBot, QuakBot, and Pinkslipbot, to victim computers.

Late last month, Microsoft acknowledged the security flaw and said an official fix was in the works. Crooks and spies have exploited the vulnerability in the wild to target, for example, government agencies in the United States and Europe. The Chinese crew TA413 is also said to have used Follina to attack Tibetan targets.

According to Proofpoint, a crew identified as TA570 is exploiting the vulnerability in phishing campaigns by hijacking an email thread – a known tactic used by those who distribute Qbot – and forcing victims to open an HTML attachment, which saves a .zip file. This archive contains a disk image file that in turn contains a DLL, a Word document and a .LNK shortcut file.

“The LNK will run the DLL to start Qbot. The doc will load and run an HTML file containing PowerShell abusing CVE-2022-30190 used to download and run Qbot,” the researchers wrote.

A threat hunter with the handle ExecuteMalware on Twitter claims to have observed Qbot affiliates pushing an .iso file, rather than an .img, which also contains the DLL, Word document and shortcut. ExecuteMalware also released a list of indicators of compromise.

Follina is a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostics Tool; this can be exploited by having an application, such as Word, call the tool from a specially crafted document when it is opened. If successful, the attacker can execute arbitrary code with the privileges of the application, and thus execute programs, delete or steal information, etc.

While working on a suitable fix, Microsoft has published some potential measures to mitigate exploitation.

Qbot first appeared in 2007. It can steal banking information, Windows credentials, personal information, and financial data. Cybersecurity provider Kaspersky said in April that it had seen a spike in the malware's activity: a spam campaign that distributed both Qbot and Emotet and targeted businesses.

The Qbot botnet can be used by those with access to ruin a victim’s month or year, and ransomware gangs can exploit the malware to gain access to organizations and spread laterally before exfiltrating data and scrambling files.

The demons behind Qbot have been particularly aggressive in courting such partnerships with extortionists. In a blog post detailing Qbot operators’ alliance with notorious ransomware group REvil last year, analysts at cybersecurity firm AdvIntel wrote that it’s not unusual for malware groups to strike a pact with one or two ransomware-as-a-service (RaaS) gangs, but added that “QBot differs from this model because from the start they were aiming for massive partnership expansions.”

“In other words, while the other botnets had only one link on the ransomware side, QBot had several,” they wrote. “For example, Dridex had DoppelPaymer, TrickBot botnet had Ryuk, Zloader had DarkSide, etc. At the same time, QBot had Egregor, ProLock, LockerGoga, Mount Locker, and other ransomware collectives engage with REvil.”

Now Qbot’s controllers are working with Black Basta, a ransomware team that emerged in April and aggressively attacked various companies and organizations, including the American Dental Association. Black Basta uses double extortion methods, stealing a victim’s data before encrypting it and threatening to publish the information on the Black Basta blog or the hidden Basta News Tor site if the ransom is not paid.

Researchers from information assurance firm NCC Group said this week that during an investigation into a recent ransomware infection, they noted that the Black Basta group behind the attack was using the Qbot malware to move laterally on the victim’s network. In a blog post, NCC wrote that Qbot was used to remotely create a temporary service on the targeted system, which was configured to run a Qbot DLL.

“Qakbot was the primary method used by the threat actor to maintain its presence on the network,” they wrote. “The threat actor was also observed using Cobalt Strike beacons during the compromise.”
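The delivery chain Proofpoint describes (Office document handing off to the diagnostic tool, a shortcut running the DLL) and the service-based lateral movement NCC observed both leave distinctive parent/child process pairs in endpoint telemetry. The following is an added detection sketch, not code from the article or from either vendor; it runs a few heuristics over constructed, simplified Sysmon-style process-creation records, and the image names, paths and command lines in the samples are invented for illustration.

```python
import re
from dataclasses import dataclass

# Constructed, simplified process-creation record (not real telemetry).
@dataclass
class ProcEvent:
    parent: str    # parent image basename, lowercase
    image: str     # child image basename, lowercase
    cmdline: str   # child command line

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
DLL_ARG = re.compile(r"\.dll\b", re.IGNORECASE)

def detect(ev: ProcEvent) -> list[str]:
    """Return the names of the heuristics a single event trips (empty if none)."""
    hits = []
    # Follina: an Office app handing a document off to the Support Diagnostic Tool.
    if ev.parent in OFFICE_APPS and ev.image == "msdt.exe":
        hits.append("office-spawned-msdt")
    # The ms-msdt: protocol handler is what a crafted document invokes; outside a
    # genuine diagnostics workflow it is worth a look wherever it appears.
    if "ms-msdt:" in ev.cmdline.lower():
        hits.append("ms-msdt-uri-on-cmdline")
    # The .LNK in the disk image runs the DLL: a shortcut double-clicked in Explorer
    # shows up as explorer.exe launching a DLL loader with a .dll argument.
    if ev.parent == "explorer.exe" and ev.image in DLL_LOADERS and DLL_ARG.search(ev.cmdline):
        hits.append("shortcut-launched-dll")
    # NCC's observation: a temporary service whose binary runs a Qbot DLL, which shows
    # up as services.exe starting a DLL loader rather than a service executable.
    if ev.parent == "services.exe" and ev.image in DLL_LOADERS and DLL_ARG.search(ev.cmdline):
        hits.append("service-launched-dll")
    return hits

def scan(events):
    """Map each event's command line to its alerts, keeping only events that fired."""
    return {ev.cmdline: detect(ev) for ev in events if detect(ev)}

# Constructed sample events: the chain from the article plus one benign record.
SAMPLE_EVENTS = [
    ProcEvent("winword.exe", "msdt.exe", 'msdt.exe "ms-msdt:/id PLACEHOLDER"'),
    ProcEvent("explorer.exe", "rundll32.exe", "rundll32.exe E:\\payload.dll,DllRegisterServer"),
    ProcEvent("services.exe", "regsvr32.exe", "regsvr32.exe /s C:\\Windows\\Temp\\qb.dll"),
    ProcEvent("explorer.exe", "winword.exe", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n'),
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(f"{hits} <- {cmd}")
```

Real deployments would key the same logic off Sysmon Event ID 1 (or Security 4688 with command-line auditing) and pair the service heuristic with System Event ID 7045 service-installation records.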

Once inside the system, the Black Basta malware grabs the IP addresses of all network hosts, disables Windows Defender, deletes Veeam backups from Hyper-V servers, and then launches the ransomware.

Garret Grajek, CEO of cloud-based identity company YouAttest, told The Register that what is important to remember is the collaboration and integration of cybercrime groups and components.

“One group discovers the vulnerability, another creates the exploit, and yet another operates the C2 (command and control) center to receive communication from the infected host,” Grajek said.

“The seriousness and efficiency of collaboration cannot be underestimated. Companies need to implement new concepts such as zero trust and implement strict identity governance to know what permissions they have granted to every account and monitor any changes.” ®
