Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Qbot Malware Operators Exploit Windows MSDT Zero-Day Flaw to Infect PCs

Cybersecurity researchers have found that attackers are exploiting the recently discovered Windows zero-day flaw dubbed “Follina” to infect victims’ computers with Qbot malware. Qbot operators have also teamed up with the Black Basta group to spread ransomware.

Qbot, also known as QuakBot QakBot, and Pinkslipbot, was first identified in 2008 as a trojan capable of stealing credentials, bank details, and other sensitive data from Windows machines. The trojan has now evolved into sophisticated malware with phishing capabilities such as email hijacking.

Researchers from cybersecurity firm Proofpoint claim that a hacker group (TA570) abuses the CVE-2022-30190 flaw by hijacking an email thread and tracking victims to open HTML attachments that download .zip files. These archives contain a disk image (IMG) file with a shortcut file, DLL, and Word document.

“The LNK will execute the DLL to start Qbot. The doc will load and execute an HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot,” the researchers wrote on Twitter.

According to the malware analyst ExecuteMalware, Qbot operators also use ISO files instead of IMG in phishing campaigns to infect PCs. Moreover, the analyst has also published a list of indicators of compromise to help IT teams mitigate the threats.

Black Basta ransomware group teams up with Qbot malware operators

It is important to note that Qbot operators are collaborating with a ransomware group called “Black Basta” to compromise enterprise networks. Security researchers have found that Black Basta uses double-extortion methods to demand ransomware. This involves stealing sensitive information, encrypting it, and then threatening the victim to upload the data on the Black Basta Blog.

Microsoft acknowledged the remote code vulnerability (CVE-2022-30190) last week, but the company has yet to release a fix to address it. The security flaw is currently being used in phishing campaigns to target EU and US government agencies. Meanwhile, Microsoft has provided a couple of temporary workarounds, and you can find more details in our previous post.

by Rabia Noureen
Jun 9, 2022

Rabia comes from a solid IT background and has been writing professionally about Microsoft products and other technology for four years. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on the latest trends in...

Streamlining SaaS Governance: How Nudge Security Simplifies Compliance and Security Management for Cloud Apps

Oct 30, 2023
Nov 03, 2023
The Dirty Truth About IT Offboarding Automation

Jul 21, 2023
Aug 25, 2023
Five Tactics Towards Achieving Zero Trust with Azure Active Directory

Aug 29, 2023
Feb 01, 2024

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.