Qbot Malware Now Uses Windows MSDT zero-day in Phishing Attacks
A critical Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), known as Follina (tracked as CVE-2022-30190) and still awaiting an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware.
Proofpoint first reported Monday that the same zero-day was used in phishing targeting US and EU government agencies.
Last week, the enterprise security firm also revealed that the Chinese TA413 hacking group is exploiting the bug in attacks targeting the Tibetan diaspora.
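Because the flaw is triggered through MSDT, the most reliable host-side check for the phishing chains described above is a process-creation rule: msdt.exe should never be spawned by an Office application, and an invocation through the ms-msdt: protocol handler is worth a second look even from other parents. The following Python detector is an added example written for this page, not code from Proofpoint or the article's author; the event fields mimic a Windows process-creation record (Sysmon Event ID 1 / Security 4688), and all sample events are constructed.

```python
"""Flag process-creation events consistent with Follina (MSDT) exploitation.

Added example: input records mimic the fields of a Windows process-creation
event (Sysmon Event ID 1 / Security 4688). The sample events below are
constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications that open attachments delivered by phishing mail
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event looks like Follina abuse, else None.

    Two signals, strongest first:
      1. msdt.exe spawned directly by an Office application
      2. msdt.exe invoked through the ms-msdt: protocol handler (lower
         confidence on its own: Windows troubleshooters also use that URI)
    A plain msdt.exe launch from explorer.exe (user opening a troubleshooter
    from the Control Panel) is not flagged.
    """
    if _basename(ev.image) != "msdt.exe":
        return None
    parent = _basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        return f"msdt.exe spawned by Office process {parent}"
    if "ms-msdt:" in ev.command_line.lower():
        return "msdt.exe started via ms-msdt: protocol handler"
    return None


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for every suspicious event, in input order."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append((ev.host, reason))
    return alerts


# Constructed sample events (hostnames and paths are illustrative)
SAMPLE_PROCESS_EVENTS = [
    # Word opening a phishing attachment and launching the diagnostic tool
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic'),
    # Benign: a user starting a troubleshooter from the Control Panel
    ProcessEvent("ws02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'),
    # Protocol-handler launch from a non-Office parent: lower confidence
    ProcessEvent("ws03", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic'),
    # Office spawning something other than msdt.exe is out of scope here
    ProcessEvent("ws04", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo hello"),
]

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_PROCESS_EVENTS):
        print(host, reason)
```

Keying on the parent process rather than on the command line keeps the rule stable even if the URI parameters in a given lure change; the protocol-handler string is kept as a secondary signal because it also catches launches whose parent was not an Office binary.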
What is Qbot?
Qbot (aka Qakbot, Quakbot, and Pinkslipbot) is a modular Windows banking trojan with worming capabilities for infecting more devices on compromised networks via network share exploits and highly aggressive brute-force attacks against Active Directory admin accounts.
This information-stealing malware has been used since at least 2007 to harvest banking credentials, personal information, and financial data, as well as to backdoor compromised computers and deploy Cobalt Strike beacons.
Ransomware affiliates linked to multiple Ransomware as a Service (RaaS) operations (including REvil, PwndLocker, Egregor, ProLock, and MegaCortex) have also used Qbot for initial access into corporate networks.
Microsoft published a report in December 2021 on the versatility of Qbot's attack chains, which makes it harder to accurately evaluate the scope of its infections.
The DFIR Report also recently documented a fast-moving Qbot intrusion in which the malware stole sensitive user data (including Windows credentials and emails) within roughly 30 minutes of the initial infection.
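Given the 30-minute window above and the brute-force behaviour described under "What is Qbot?", the lateral-movement stage is the part defenders can still catch early: an infected host produces a burst of failed logons against administrative accounts that no single user would generate. The following Python sliding-window detector is an added example written for this page, not code from The DFIR Report, Microsoft or the article's author; the record fields mimic a Windows Security event 4625 (logon failure), the account names and hostnames are assumed, and all sample events are constructed.

```python
"""Spot Qbot-style password brute-forcing from a single infected host.

Added example. The signal is many logon failures from one source in a short
window, with administrative accounts among the targets. Records mimic the
source workstation and target account fields of Security event 4625; the
sample data is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed names of privileged accounts in the monitored domain
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}
WINDOW = timedelta(minutes=5)   # look-back per source host
THRESHOLD = 20                  # failures per source within WINDOW


@dataclass(frozen=True)
class LogonFailure:
    time: datetime
    source: str        # workstation name or IP reported in the 4625 event
    target_user: str


def detect_bursts(events: List[LogonFailure],
                  window: timedelta = WINDOW,
                  threshold: int = THRESHOLD) -> Dict[str, Tuple[datetime, List[str]]]:
    """Return {source: (time of first alert, sorted admin accounts targeted)}.

    A source is alerted once, at the first event that pushes its failure
    count within `window` to `threshold` while at least one admin account is
    among the targets in that window.
    """
    per_source: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, Tuple[datetime, List[str]]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        q = per_source[ev.source]
        q.append(ev)
        # Drop failures that fell out of the look-back window
        while q and ev.time - q[0].time > window:
            q.popleft()
        if ev.source in alerts or len(q) < threshold:
            continue
        admins = sorted({e.target_user.lower() for e in q
                         if e.target_user.lower() in ADMIN_ACCOUNTS})
        if admins:
            alerts[ev.source] = (ev.time, admins)
    return alerts


def _constructed_events() -> List[LogonFailure]:
    """Constructed sample: one hammering host plus one benign mistype."""
    base = datetime(2022, 6, 7, 9, 0, 0)
    evs = []
    # Infected host WS07 alternating guesses at two admin accounts: 30 failures in 90 s
    for i in range(30):
        user = "administrator" if i % 2 == 0 else "svc_backup"
        evs.append(LogonFailure(base + timedelta(seconds=3 * i), "WS07", user))
    # Benign: a user on WS02 mistyping their own password three times
    for i in range(3):
        evs.append(LogonFailure(base + timedelta(seconds=10 * i), "WS02", "jdoe"))
    return evs


SAMPLE_LOGON_FAILURES = _constructed_events()

if __name__ == "__main__":
    for source, (when, admins) in detect_bursts(SAMPLE_LOGON_FAILURES).items():
        print(f"{when:%H:%M:%S} {source} brute-forcing {', '.join(admins)}")
```

The threshold and window are starting points; tune them against a baseline of your own 4625 volume, and keep the admin-account condition, since a dozen failures from a help-desk host are routine while the same burst aimed at Domain Admins is not.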