Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 14/06/2022

14th of June 2022 - Winners of the 24th week: Redline, AgentTesla and NjRAT.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 14/06/2022

Distribution: TLP:WHITE

What's new?

Qbot (NC)

Qbot malware now uses Windows MSDT zero-day in phishing attacks

The recently uncovered vulnerability #Follina (CVE-2022-30190) is being used in phishing attacks by the threat actor TA570, as reported by #Proofpoint.

Through hijacked email threads carrying HTML attachments, a zip archive is downloaded. It contains an IMG disk image holding a #Qbot DLL, a Word document and a shortcut file pointing to the DLL.

Opening the Word document triggers the #Follina exploit: it reaches out to an external server and executes PowerShell code. A second #Qbot payload, different from the one already in the IMG file (which can be loaded via the shortcut file), is then downloaded and executed.

It has recently been reported that the #Black Basta ransomware group and #Qbot are working in partnership. We can therefore assume that a #Qbot compromise may lead to a ransomware attack or to data exfiltration.

https://www.bleepingcomputer.com/news/security/qbot-malware-now-uses-windows-msdt-zero-day-in-phishing-attacks/
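The chain above leaves a tell-tale process lineage on the endpoint: an Office process starting msdt.exe (the MSDT troubleshooter abused by Follina) or PowerShell, and a command line carrying the ms-msdt: protocol handler. The following detection logic is an added example written for this briefing, not code from the CERT or from Proofpoint; it runs over constructed Sysmon-style process-creation events (the field names ParentImage, Image and CommandLine are Sysmon's, the event contents are made up for the example).

```python
import re

# Office binaries that should not need to launch scripting or diagnostic tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children whose appearance under an Office parent is worth an alert.
SUSPICIOUS_CHILDREN = {"msdt.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# The protocol handler invoked by the CVE-2022-30190 (Follina) documents.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /param "CONSTRUCTED_PLACEHOLDER"'},
    {"ParentImage": r"C:\Windows\explorer.exe",            # legitimate troubleshooter launch
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe -id DeviceDiagnostic"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",                   # benign: Word printing helper
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc CONSTRUCTED_PLACEHOLDER"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event: dict) -> list[str]:
    """Return the list of reasons this process-creation event is suspicious (empty if none)."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    reasons = []
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"Office process {parent} spawned {child}")
    if MSDT_URI.search(event.get("CommandLine", "")):
        reasons.append("ms-msdt: protocol handler invoked (CVE-2022-30190 pattern)")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run analyse() over a batch of events and return (child image, reason) alerts."""
    return [(basename(e["Image"]), reason) for e in events for reason in analyse(e)]


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The legitimate explorer.exe-launched troubleshooter and Word's print helper produce no alert, while the Follina-style msdt.exe launch fires on both the parent/child pair and the ms-msdt: handler.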
