Windows Follina zero-day leveraged in Qbot phishing attacks

BleepingComputer reports that Qbot affiliate TA570 has been exploiting the yet-to-be-addressed critical Windows zero-day flaw dubbed "Follina" and tracked as CVE-2022-30190 in phishing attacks distributing the Qbot malware. Malicious .docx files have been leveraged to abuse the vulnerability while hijacked email threads with HTML attachments are being used to deploy a ZIP archive with a Qbot DLL file and eventually facilitate Qbot DLL payload execution, noted Proofpoint researchers, who previously reported that exploitation of Follina to attack government entities in the U.S. and Europe, as well as the international Tibetan community. While TA570's usage of email thread hijacking harkens back to previously utilized tactics, attackers may have used two different techniques to determine which yields the best results, according to BleepingComputer. Qbot affiliates have been observed using the older Squiblydoo technique for malware distribution in February, while password-protected ZIP archive attachments containing malicious MSI Windows Installer packages have been used by attackers in lieu of malicious macro-laced Microsoft Office docs after Microsoft unveiled a VBA macro autoblock feature in April.