A threat actor designated by Proofpoint as TA570 routinely pushes Qakbot (Qbot) malware. Malicious DLL files used for Qakbot infections contain a tag indicating their specific distribution channel. Qakbot DLL samples tagged "obama" like "obama186" or "obama187" indicate a distribution channel from TA570 that uses thread-hijacked emails. On Tuesday 2022-06-07, Proofpoint and various researchers like @pr0xylife and @k3dg3 reported TA570 Qakbot distribution included Word documents using the CVE-2022-30190 (Follina) exploit (ms-msdt).
From the Qakbot DLL file tag "obama202" we can see that this distribution channel also uses a Qakbot variant that looks for the CVE-2022-30190 (Follina) exploit (ms-msdt) on Windows XP SP3.
A custom Qakbot build will be used in the examples below.
The exploit code inside the Word document is triggered by the presence of any PNG image inside it. The PNG image is processed by ms-dword:CDOView::IsPNGFile(). If it is accepted, ms-dword:CDOView::GetProperty() is called, and the result of this call determines the exploitation vector. If the result is 0, some sort of memory corruption occurs. The Data Execution Prevention (DEP) feature is enabled by default in most modern Windows OSes, in which case a bug in ms-dword:CDOView::IsPNGFile() will allow code execution as SYSTEM.
The following is a short example of the exploit code inside a Word document.
<(GetProperty IDC_PNG_ICON "User's Notebook (Windows XP Service Pack 3)" 0)><(System.AppDomain.CurrentDomain.BaseNamingContext..ctor().Assembly._nGetInterface.<>>> System.<String^>pvProcInfo::IRegistryEntry::QueryInterface.</String>(m_GlobalVariable1,m_pOwnerHandle).</Int32>(0))>
Crashed here because: <(System.AppDomain.CurrentDomain.BaseNamingContext..ctor().Assembly._nGetInterface.<>>> System.
The "obama202" Qakbot DLL variant looks for PNG files in both the current directory and subdirectories. The PNG image is then processed by ms-dword:CDOView::IsPNGFile().
After a PNG image is found, it is inserted into the host document using InsertString() as a way to detect memory corruption.
Next, an object of type CDOView (ms-dword:CDOView::GetProperty()) is created to retrieve the content of the inserted PNG image, and its IsPNGFile() method is then called. If IsPNGFile() returns True, some memory corruption occurs, which can be exploited to execute arbitrary code as SYSTEM.
When the PNG image is detected as valid, the Qakbot DLL downloads and executes additional code from txt-it.com. In this case, it is a variant of Qakbot that will infect the system with PonyLoader (aka FinFisher).