QakBot Exploiting Windows MSDT CVE-2022-30190
Industry: N/A | Level: Tactical | Source: BleepingComputer
Proofpoint's tracking of CVE-2022-30190 identified the Qakbot/Qbot affiliate TA570 distributing the Qbot malware using the MSDT zero-day exploit. The attackers use hijacked email threads to send messages carrying malicious IMG attachments; each IMG contains a Word document, a shortcut (LNK) file, and the Qbot DLL. The LNK file loads the Qbot DLL from the IMG, while the Word document downloads an HTML file that exploits CVE-2022-30190, causing PowerShell code to execute and download additional payloads. TA570 has been identified as an adaptable group, willing to experiment with new tactics in its phishing campaigns: earlier this year, in February, it distributed Qbot using Squiblydoo techniques, and following Microsoft's automatic blocking of macros, in April 2022 it distributed malicious MSI files inside ZIP archives.
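As an added illustration (not code from the BleepingComputer/Proofpoint reporting, and not Anvilogic's rule), the snippet below applies process-lineage detection logic for the Word-to-MSDT-to-PowerShell step of this chain to constructed Sysmon-style process-creation events; the `parent=...|image=...|cmdline=...` log format is an assumed one.

```python
"""Detection logic for the CVE-2022-30190 (MSDT) execution chain, run over
constructed process-creation events. Log format and field names are assumed."""
from dataclasses import dataclass
from typing import List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image basename, lower-cased
    image: str    # created process image basename, lower-cased
    cmdline: str  # full command line as logged

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> ProcEvent:
    """Parse one 'parent=...|image=...|cmdline=...' line (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))
    return ProcEvent(_basename(fields["parent"]), _basename(fields["image"]), fields["cmdline"])

def classify(ev: ProcEvent) -> Optional[str]:
    """Name the suspicious step of the chain this event matches, or None."""
    # Step 1: the Word document's remote HTML triggers msdt.exe under the Office process.
    if ev.image == "msdt.exe" and ev.parent in OFFICE_APPS:
        return "office_spawned_msdt"
    # Any ms-msdt: protocol-handler invocation, whatever the parent process is.
    if "ms-msdt:" in ev.cmdline.lower():
        return "ms-msdt_uri_invocation"
    # Step 2: msdt.exe launching PowerShell/cmd to fetch the follow-on payload.
    if ev.parent == "msdt.exe" and ev.image in SHELLS:
        return "msdt_spawned_shell"
    return None

def scan(lines: List[str]) -> List[str]:
    """Return the ordered list of findings for a batch of log lines."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]

# Constructed sample events: two hostile steps, then two benign lines for contrast.
SAMPLE_LOG = [
    r"parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\msdt.exe|cmdline=msdt.exe ms-msdt:/id PCWDiagnostic",
    r"parent=C:\Windows\System32\msdt.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -enc <CONSTRUCTED_PLACEHOLDER>",
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\msdt.exe|cmdline=msdt.exe -id NetworkDiagnosticsWeb",
    r"parent=C:\Windows\explorer.exe|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmdline=WINWORD.EXE invoice.docx",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A user-launched troubleshooter (explorer.exe spawning msdt.exe with `-id`) is deliberately left unflagged, so the lineage check rather than the msdt.exe image name carries the signal.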
Anvilogic Use Cases:
- CVE-2022-30190: Microsoft Office Code Execution Vulnerability