Qbot – known channel for ransomware – delivered via phishing and Follina exploit
More than a week has passed since Microsoft acknowledged the existence of the “Follina” vulnerability (CVE-2022-30190), after reports of it being exploited in the wild began to crop up here and there. Since then, other state-backed threat actors have started exploiting it, but now one of the most active Qbot (QakBot) malware affiliates has also been spotted leveraging Follina.
Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start Qbot. The doc will load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot.
— Threat Insight (@threatinsight) June 7, 2022
#Follina #Qbot storm – Detect at the earliest!
Malspam -> HTML-> ZIP -> IMG -> ( LNK+DLL+Follina )
Look for stolen chain email attachments which are HTML and
Size between 933000 and 935000 bytes.
Match the following filename pattern:
[0-9]{8}_[0-9]{6}.html
https://t.co/xaKa60O3hW
— Ankit Anubhav (@ankit_anubhav) June 8, 2022
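The filename-and-size heuristic from the tweet above, turned into a small detection check, as an added example that is not part of the original article or the researcher's post. It assumes attachment metadata is already available as (message ID, filename, size) records, for instance from a mail gateway log, and treats the .html extension as case-insensitive; the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Filename pattern and size window quoted in the tweet above. The dot before
# "html" is escaped so it matches only a literal ".", and fullmatch() rejects
# names that merely contain the pattern somewhere inside a longer string.
# Case-insensitive matching of the extension is an assumption, not from the tweet.
ATTACHMENT_NAME = re.compile(r"[0-9]{8}_[0-9]{6}\.html", re.IGNORECASE)
MIN_SIZE, MAX_SIZE = 933_000, 935_000


@dataclass(frozen=True)
class Attachment:
    message_id: str
    filename: str
    size: int  # bytes


def matches_follina_qbot_lure(att: Attachment) -> bool:
    """True only when both the filename pattern and the size window match."""
    return (ATTACHMENT_NAME.fullmatch(att.filename) is not None
            and MIN_SIZE <= att.size <= MAX_SIZE)


def flag_attachments(records):
    """Return the message IDs of attachments that match the heuristic."""
    return [a.message_id for a in records if matches_follina_qbot_lure(a)]


# Constructed sample records (not real indicators): one true hit, one with the
# right name but wrong size, one with the right size but an unrelated name,
# one where the pattern is only a substring, and one with a non-literal dot.
SAMPLE = [
    Attachment("m1", "20220607_153012.html", 934_120),
    Attachment("m2", "20220607_153012.html", 12_345),
    Attachment("m3", "invoice.html", 934_000),
    Attachment("m4", "report_20220607_153012.html.exe", 934_000),
    Attachment("m5", "20220607_153012xhtml", 934_000),
]

if __name__ == "__main__":
    print(flag_attachments(SAMPLE))  # ['m1']
```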
Follina exploitation leads to Qbot installation
Setting aside for a moment the fact that Qbot is an effective information stealer and backdoor in its own right, this latest development should worry most organizations, as a variety of Ransomware-as-a-Service (RaaS) operators use Qbot to secure a foothold into corporate networks before deploying ransomware.
These most recent campaigns begin with email thread hijacking – a regular trick employed by Qbot affiliates – and the delivery of an HTML attachment.
Once opened, the file drops an archive (.zip) containing a disk image file (.img), which in turn holds a Word document, a shortcut file (.lnk), and a .dll file.
“The LNK will execute the DLL to start Qbot. The doc will [retrieve from a remote server and] load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot,” Proofpoint threat researchers explained. With this double whammy they’re leaving nothing to chance, hoping that at least one of these approaches will be successful.
In another variant of the attack, the zipped archive contains an .iso file (another type of disk image) instead of the .img file; it again holds a .docx file (Word document), a .lnk file and a .dll file. For that variant, a malware hunter who goes by the online nick “ExecuteMalware” has compiled a list of indicators of compromise.
Threat detection and risk mitigation
Given that Microsoft has yet to release a fix for Follina, enterprise defenders are left with performing risk mitigation actions such as implementing temporary workarounds.
Microsoft has updated its guidance for CVE-2022-30190 mitigation and pointed out which workarounds are effective and which are not. Security researcher Benjamin Delpy has previously shared another mitigation that has been confirmed to work.
There’s also the option of implementing a free micropatch created by ACROS Security. (As a side note: they’ve also developed micropatches for a less critical, but still serious, path traversal vulnerability affecting Microsoft’s Diagnostic Tool that Microsoft doesn’t intend to fix.)
UPDATE (June 9, 2022, 04:35 a.m. ET):
Some attackers are abusing Follina to deliver the AsyncRAT and an infostealer.