Now Windows Follina zero-day exploited to infect PCs with Qbot

Data-stealing malware also paired with Black Basta ransomware gang

Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

Threat Insight, part of cybersecurity vendor Proofpoint, noted on Twitter this week that miscreants have been seen exploiting the Follina flaw, tracked as CVE-2022-30190, in the Windows Support Diagnostic Tool to deliver Qbot, also known as QakBot, QuakBot and Pinkslipbot, onto victims' computers.

Microsoft late last month acknowledged the security hole, and said an official fix is being worked on. Crooks and snoops have been exploiting the vulnerability in the wild to target, for instance, government agencies in the US and Europe. Chinese outfit TA413 is reportedly using Follina to attack Tibetans as well.

According to Proofpoint, a crew identified as TA570 exploits the vulnerability in phishing campaigns by hijacking an email thread – a known tactic used by those distributing Qbot – and getting victims to open an HTML attachment that saves a .zip file. This archive contains a disk image file, which in turn holds a DLL, a Word document, and a .LNK shortcut file.

"The LNK will execute the DLL to start Qbot. The doc will load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot," the researchers wrote.

A threat hunter with the handle ExecuteMalware on Twitter claimed to have observed Qbot affiliates pushing an .iso file, rather than a .img, which also contains the DLL, Word doc, and shortcut. ExecuteMalware also published a list of signs of compromise.

Follina is a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool. It can be exploited by having an application, such as Word, call out to the tool when a specially crafted document is opened. If successful, the attacker can run arbitrary code with the privileges of the application, and thus run programs, delete or steal information, and so on.
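One way to hunt for the behaviour described above, where an Office application calls out to the Support Diagnostic Tool: the following added example (not from this article or the researchers it cites) walks process-creation events in order and flags msdt.exe when an Office program appears among its recent ancestors. Field names follow Sysmon Event ID 1; the sample events, the Office binary list and the hop limit are constructed assumptions.

```python
import json
from ntpath import basename  # parses Windows paths on any host OS

# Assumed list of Office binaries that open documents; extend for your estate.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT = "msdt.exe"  # Microsoft Support Diagnostic Tool binary

# Constructed sample events, shaped like Sysmon Event ID 1 (process creation).
SAMPLE_LOG = r'''
{"ProcessId": 4100, "ParentProcessId": 900, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"ProcessId": 4200, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\msdt.exe"}
{"ProcessId": 5000, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\msdt.exe"}
{"ProcessId": 6100, "ParentProcessId": 900, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"ProcessId": 6200, "ParentProcessId": 6100, "Image": "C:\\Windows\\System32\\cmd.exe"}
{"ProcessId": 6300, "ParentProcessId": 6200, "Image": "C:\\Windows\\SysWOW64\\MSDT.EXE"}
'''

def parse_events(text):
    """One JSON object per non-empty line, kept in log order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def office_ancestor(event, by_pid, max_hops=3):
    """Return (office_binary, hops) if an Office app is within max_hops parents."""
    pid = event["ParentProcessId"]
    for hops in range(1, max_hops + 1):
        parent = by_pid.get(pid)
        if parent is None:  # parent started before logging began
            return None
        name = basename(parent["Image"]).lower()
        if name in OFFICE:
            return name, hops
        pid = parent["ParentProcessId"]
    return None

def detect(events):
    """Flag msdt.exe launches that descend from an Office application."""
    by_pid, alerts = {}, []
    for ev in events:
        if basename(ev["Image"]).lower() == MSDT:
            hit = office_ancestor(ev, by_pid)
            if hit:
                alerts.append({"pid": ev["ProcessId"],
                               "office_parent": hit[0], "hops": hit[1]})
        by_pid[ev["ProcessId"]] = ev  # latest owner wins if a PID is reused
    return alerts

ALERTS = detect(parse_events(SAMPLE_LOG))
```

The troubleshooter started outside Office (PID 5000) is not flagged, while the launch routed through an intermediate process (PID 6300) is caught by the ancestry walk.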

While it is working on a proper fix, Microsoft has published some potential steps to mitigate exploitation.

Qbot first came on the scene in 2007. It can steal banking information, Windows credentials, personal information, and financial data. Cybersecurity vendor Kaspersky said in April it was seeing a spike in activity regarding this software nasty: a spam email campaign that was spreading both Qbot and Emotet malware and targeting corporations.

The Qbot botnet can be used by those with access to it to ruin a victim's month or year, and ransomware gangs can tap the malware to gain access to organizations and spread laterally before exfiltrating data and scrambling files.

The fiends behind Qbot have been particularly aggressive in courting such partnerships with extortionists. In a blog post last year detailing the Qbot operators' alliance with notorious ransomware group REvil, analysts with cybersecurity firm AdvIntel wrote that it isn't unusual for malware groups to form a pact with one or two ransomware-as-a-service (RaaS) gangs, but added that "QBot differs from this pattern, as from the very beginning they were aiming at massive partnership expansions."

"In other words, when other botnets only had one liaison on the ransomware side, QBot had many," they wrote. "For instance – Dridex had DopplePaymer, TrickBot botnet had Ryuk, Zloader had DarkSide, etc. At the same time, QBot had Egregor, ProLock, LockerGoga, Mount Locker, and other ransomware collectives. Therefore, it was a matter of time when they engage with REvil."

Now Qbot's controllers are working with Black Basta, a ransomware crew that appeared in April and aggressively attacked a range of corporations and organizations, including the American Dental Association. Black Basta uses double-extortion methods, stealing a victim's data before encrypting it and threatening to publish the information on the Black Basta Blog or Basta News Tor-hidden site if the ransom isn't paid.

Researchers from information assurance firm NCC Group this week said that during an investigation into a recent ransomware infection, they noted the Black Basta group behind the attack was using Qbot malware to move laterally through the victim's network. In a blog post, NCC wrote that Qbot was used to remotely create a temporary service on the targeted system, which was configured to execute a Qbot DLL.

"Qakbot was the primary method utilized by the threat actor to maintain their presence on the network," they wrote. "The threat actor was also observed using Cobalt Strike beacons during the compromise."

Once inside the system, the Black Basta malware grabs the IP addresses of all hosts on the network, disables Windows Defender, deletes Veeam backups from Hyper-V servers, then pushes out the ransomware.

Garret Grajek, CEO of cloud-based identity firm YouAttest, told The Register that what's important to remember is the collaboration and integration of cyber-crime groups and components.

"One group discovers the vulnerability, another creates the exploit and yet another mans the C2 (command and control) center to receive the communication from the infected host," Grajek said.

"The seriousness and efficiency of the collaboration cannot be underestimated. Enterprises must implement new concepts like zero trust and implement stringent identity governance to know what permissions they have granted to all accounts and to watch for any changes." ®
