An intrusion was detected by The DFir Report in early June 2022 that leveraged the Follina vulnerability, CVE-2022-30190 to gain initial access. Apart from getting initial access it also initiated the infection chain of Qbot.
Qbot (aka Qakbot and Pinksliplot) is a very active malware that has plenty of features and can be used for a variety of purposes, such as:-
- Lateral movement
- Data exfiltration
- Deliver payloads
- Act as an initial access broker
The malware establishes C2 connectivity in this intrusion when the Qbot payload is executed, and then on the host that has been compromised, it performs discovery action.
To maintain access to the network, the threat actors were directed to several systems, and then on those systems, they installed and used the following tools:-
- Atera Agent
- Cobalt Strike
Threat actors have exploited the CVE-2022-30190 (Follina vulnerability) in this intrusion and here they used a malicious Word document to embed the exploit code into it for gaining initial access.
According to the report, Inside the Temp directory of the users, the base64-encoded content that comes with the payload is used by threat actors to download Qbot DLL files. This activity was immediately followed by the execution of the Qbot DLL through the regsvr32.exe on the host.
There were a number of Windows utilities that were spawned by the injected process, including:-
The Qbot persistent mechanism was based on creating scheduled tasks. The injected Cobalt Strike process executes the following utilities:-
A tool called Atera Remote Management was installed on the domain controller in order to allow remote access. A port scan was performed across the entire network by the tool, which was executed.
By doing this, the threat actors will be able to access sensitive documents from a file share server through RDP, and this will also enable them to connect to it in the future and maintain persistence.
As part of the initial delivery of this intrusion, hijacked email threads were used in conjunction with TA570. There is a possibility that the code that is generated will be interpreted and executed by msdt.exe (Microsoft Support Diagnostic Tool) when a system becomes vulnerable to Follina.
The Folllina uses three different URLs to download the Qbot libraries, which makes it a very unique payload. The following are the three URLs that we have mentioned below:-
- http[:]//220.127.116.11/$(random)[:]dat -OutFile $p\t.A
- http[:]//18.104.22.168/$(random)[:]dat -OutFile $p\t1.A
- http[:]//22.214.171.124/$(random)[:]dat -OutFile $p\t2.A
A new instance of the sdiagnhost.exe is spawned as soon as a MSDT payload is executed. The Follina payload was ultimately invoked by this process, and it was the end result of this process.
Process hollowing is a method used by QBot to streamline its processes. There was an attempt to inject malware into explorer.exe by starting it in a suspended state, and then using the suspended version as a target – in this case, 32-bit explorer.exe.
The following access rights correspond to the level of access that is commonly requested for credentials mining by the credential dumping tools like Mimikatz:-
- PROCESS_VM_READ (0x0010)
- PROCESS_QUERY_INFORMATION (0x0400)
- PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
- PROCESS_ALL_ACCESS (0x1fffff)
For the purpose of extracting sensitive data from the compromised host, Qbot used several types of information-stealing modules. After that, the Atera RMM agent was installed and enabled on the domain controller by the threat actor during the attack.
Further, without relying on RDP, the threat actors gained access to the environment using the deployed remote admin tools.
Managed DDoS Attack Protection for Applications – Download Free Guide