2022-01-18

ProxyShell Exploited with DatopLoader Leading to Qakbot

Level: Tactical | Source: Information & Technology


A threat report from Cybereason and security researcher Orange Tsai investigates a new malware loader, DatopLoader, which emerged in September 2021. The loader was observed being dropped as a payload after the attacker successfully exploited the ProxyShell vulnerabilities in Microsoft Exchange. Once the loader executes, Qakbot/Qbot lands on the victim's workstation, sets up persistence and conducts reconnaissance using largely native tools, with the exception of AdFind. Cobalt Strike is also launched and uses PsExec to move laterally in the environment. In addition, credential access has been identified through gathering of registry hives.
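The chain above maps to a handful of process-creation events a defender can hunt for: the Exchange IIS worker spawning a shell, AdFind running, PSEXESVC.exe appearing on a remote host, and reg.exe saving the SAM/SECURITY/SYSTEM hives. The following Python is an added example, not code from Anvilogic or the Cybereason report; it tags constructed Sysmon-style process events (sample data, not real telemetry) with the stage of the chain they resemble, and the field names and paths are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass  # minimal process-creation record; field names are assumed (Sysmon-style)
class ProcEvent:
    host: str
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line

# Constructed sample events mirroring the stages the report describes.
SAMPLE_EVENTS = [
    ProcEvent("exch01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -NoProfile -c whoami"),
    ProcEvent("ws07", r"C:\Windows\explorer.exe", r"C:\Users\Public\AdFind.exe",
              "AdFind.exe -f objectcategory=computer"),
    ProcEvent("ws07", r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("ws07", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg save hklm\sam C:\Windows\Temp\sam.hiv"),
    ProcEvent("ws07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),  # benign control event, should produce no hit
]

HIVE_RE = re.compile(r"\b(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b")

def classify(ev: ProcEvent) -> list[str]:
    """Return the chain stages a single event resembles (empty list if none)."""
    bn = lambda p: p.lower().rsplit("\\", 1)[-1]  # basename of an image path
    parent, image, cmd = bn(ev.parent), bn(ev.image), ev.cmdline.lower()
    hits = []
    # Exchange IIS worker spawning a shell: typical follow-on to ProxyShell web shells.
    if parent == "w3wp.exe" and image in {"cmd.exe", "powershell.exe"}:
        hits.append("exchange_worker_spawned_shell")
    # AdFind is the one non-native recon tool the report calls out.
    if image == "adfind.exe":
        hits.append("adfind_recon")
    # PsExec leaves PSEXESVC.exe running under services.exe on the remote host.
    if image in {"psexesvc.exe", "psexec.exe", "psexec64.exe"}:
        hits.append("psexec_lateral_movement")
    # Credential access via saved registry hives (SAM/SECURITY/SYSTEM).
    if image == "reg.exe" and re.search(r"\bsave\b", cmd) and HIVE_RE.search(cmd):
        hits.append("registry_hive_dump")
    return hits

def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    # Group distinct stage hits per host so an analyst sees how far the chain progressed.
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for stage in classify(ev):
            per_host.setdefault(ev.host, set()).add(stage)
    return {host: sorted(stages) for host, stages in per_host.items()}
```

Running `scan(SAMPLE_EVENTS)` yields one stage for the Exchange server and three for the workstation, which is the kind of per-host picture worth escalating rather than alerting on any single event.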

