{
	"id": "950c4284-4846-4bc0-bf09-5f15d84e0602",
	"created_at": "2026-04-06T00:13:53.912358Z",
	"updated_at": "2026-04-10T13:11:29.204019Z",
	"deleted_at": null,
	"sha1_hash": "5805a60733c0181b1562a8a512e3b1c3cbcef2e3",
	"title": "TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5360379,
	"plain_text": "TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 12:50:45 UTC\r\nIntroduction\r\nA threat actor designated by Proofpoint as TA570 routinely pushes Qakbot (Qbot) malware. Malicious DLL files used for Qakbot infections contain a tag indicating their specific distribution channel. Qakbot DLL samples tagged \"obama\" like \"obama186\" or \"obama187\" indicate a distribution channel from TA570 that uses thread-hijacked emails. On Tuesday 2022-06-07, Proofpoint and various researchers like @pr0xylife and @k3dg3 reported TA570 Qakbot distribution included Word documents using the CVE-2022-30190 (Follina) exploit (ms-msdt).\r\nShown above: Flow chart for Qakbot infections from TA570 on Tuesday 2022-06-07.\r\nThis wave of malicious spam ultimately provided two separate methods of Qakbot infection. The first method is one also used by other threat actors, where a disk image contains a Windows shortcut that runs a malicious hidden DLL. The second method is a Word docx file using a CVE-2022-30190 (Follina) exploit. On Tuesday 2022-06-07, disk images from TA570 pushing obama186-tagged Qakbot used both methods.\r\nI tried running the malicious docx file in my lab environment and different on-line sandboxes; however, I was unable to get a successful infection.\r\nThe next day on Wednesday 2022-06-08, obama187-tagged Qakbot from TA570 stopped using the docx file and relied on the Windows shortcut and hidden DLL file.\r\nhttps://isc.sans.edu/diary/rss/28728\r\nPage 1 of 15\r\nShown above: Flow chart for Qakbot infections from TA570 on Wednesday 2022-06-08.\r\nIn addition to other sources, the Internet Storm Center has previously posted diaries about this new attack vector:\r\nNew Microsoft Office Attack Vector via \"ms-msdt\" Protocol Scheme (CVE-2022-30190)\r\nFirst Exploitation of Follina Seen in the Wild\r\nAnalysis Of An \"ms-msdt\" RTF Maldoc\r\n\"ms-msdt\" RTF Maldoc Analysis: oledump Plugins\r\nToday's diary examines the Microsoft Word docx file used by TA570 in the Tuesday 2022-06-07 wave of malspam for obama186-tagged Qakbot.\r\nInfection Chain Details\r\nBelow is a TA570 thread-hijacked email pushing obama186 Qakbot from Tuesday 2022-06-07. The email contains an HTML attachment. The HTML file is approximately 911 kB, and it contains code to convert a base64 string to a zip archive and present the zip archive as a download.\r\nShown above: Screenshot of Thunderbird showing a TA570 email pushing obama186 Qakbot on Tuesday 2022-06-07.\r\nShown above: Opening the attached HTML file.\r\nShown above: Running the HTML file immediately presents a zip download.\r\nThe zip archive contains a disk image as shown below. Double-clicking the disk image in Microsoft Windows will mount the file as a drive. This disk image contains a Windows shortcut, a hidden DLL file for Qakbot, and the docx file with the Follina exploit.\r\nShown above: Downloaded zip archive contains a disk image.\r\nShown above: Disk image mounted as a DVD drive in Windows 10.\r\nShown above: Shortcut target uses rundll32.exe to run the hidden DLL file for Qakbot.\r\nShown above: More interesting is the .docx file.\r\nShown above: A quick check confirms this is, indeed, a .docx file.\r\nBecause this is a .docx file, we can rename it as a zip archive, extract the contents, and examine them.\r\nShown above: Contents of the .docx file after renaming it as a .zip archive.\r\nExamining the .docx File\r\nBased on text found within an XML file in the .docx archive, this exploit appears to retrieve an HTML file as shown below.\r\nShown above: URL found in text of XML file in .docx archive ending in 123.RES.\r\nShown above: If the 123.RES file is viewed in Microsoft Edge, it opens the Diagnostics Troubleshooting Wizard.\r\nShown above: The diagnostics tool asks for a passkey, which I do not have.\r\nShown above: Script near the bottom of 123.RES with base64-encoded text.\r\nShown above: Base64 script translated to ASCII text reveals URLs for Qakbot DLL files.\r\nIndicators of Compromise (IOCs)\r\nNames of 11 attachments from TA570 emails on 2022-06-07:\r\n03792072_874241.html\r\n20755103_822431.html\r\n23891652_978954.html\r\n55088410_803346.html\r\n55448947_903195.html\r\n58218799_257561.html\r\n65058266_101487.html\r\n68101181_048154.html\r\n69849517_238275.html\r\n71875983_866759.html\r\n85873035_409355.html\r\nSHA256 hashes for the above HTML files:\r\n568cd2d4b6c33d00d00da0255fd27c351ae0a1eba72a926f3f81021a3ee0ce7b\r\n1513769188ac6bf68f87b33ed00555126bc68976c4d4022e040547a8814435dc\r\n07df19bfec85932ecac6649c8d49f98bdd3236368bbf2b73d924dbbf5ce7be32\r\n208bf25c7b5d16b6ba2f1cb029f55aed14e3f2df75e171d6c25f21ae99fbac92\r\n6b46db5ba757066c7872e6ada49ff23016a87cc3b24e22111809c56ad66d5b17\r\n8c5bea919f8c4abd0ba6d228a817ae3b7af9e6f13fafba69a1d2b6aac56dabcf\r\ne7b7b01ae0964dc285f480feae85e157d796bf7263f7bc1018d1030647cb28ac\r\n2ce0921bcec42ab238140c9e811db564b0d93c11ffae4eb2e03ce5e45a885637\r\nb8679b5c38bca0b2de5e238f29c4ad293c6051435d54711eba2197c42a6e0c80\r\n3ffb696484d28acbda12a73dde1ec3a68d75657b22af667f5104d83690a74de9\r\nc912048a25a7dd2f85fac3169fff008f6ebd9894b2fb6b98267b170c078b618c\r\nNames of 11 zip archives generated by the above HTML files:\r\n03792072_874241.zip\r\n20755103_822431.zip\r\n23891652_978954.zip\r\n55088410_803346.zip\r\n55448947_903195.zip\r\n58218799_257561.zip\r\n65058266_101487.zip\r\n68101181_048154.zip\r\n69849517_238275.zip\r\n71875983_866759.zip\r\n85873035_409355.zip\r\nSHA256 hashes for the above zip archives:\r\ne24ce87a20c17bafe9da942722492e2a81328dd9dc3b6af574c1dad4112daff1\r\n7a42a6182fc3b96b3de4aace5cc97c7c28017d9cfa154c410829caac3ca612c4\r\n994caa143ec7cedccf52a1e446fe2255e862924575c6c5b89a6af269bf3f3b71\r\n4a9f728b44c1827ed42a28d9b63bd3a5edf37ad0df34ad291ce8911329bf25c1\r\n2c0dae888de793f55b3c04d3cc9218e52b8e7a265776e231f62c14893e6bf2e5\r\n6e210c37f08f0723549af3e0a766bfef0703f4b35e6f60ca2f5d4ba1ca876bb1\r\n6bac41ebf365ee7a9f97ea84ed8e5f87e0799cbe2e38158b48d78f7d4746b821\r\naa114cb2d5b8043d72b8869f7c63cbc95078298233e37d258bcf04d37ded68e5\r\n95baf71d1ffc7a2677f77f824913d6c9f63dc8128ae9145930594831bfdabc45\r\n7de0f9f25bc8a3edb631ff42573719ccb0ad1ed2eeca54ad3dea63fb7f04d3be\r\n49bc1574020858f2277da948ecc44acc830e3cf1fd09f04d10f70462e3ed0d99\r\nNames of 11 disk image files extracted from the above zip archives:\r\n03792072_874241.img\r\n20755103_822431.img\r\n23891652_978954.img\r\n55088410_803346.img\r\n55448947_903195.img\r\n58218799_257561.img\r\n65058266_101487.img\r\n68101181_048154.img\r\n69849517_238275.img\r\n71875983_866759.img\r\n85873035_409355.img\r\nSHA256 hashes for the above disk image files:\r\n7e0a345fba5c7ad1d8196139a1ec8a66cf8ee7bee85627b9b9ccaa856d723ed5\r\n85b4504543ed58861a85899b4c1cd315fbc9bd31540ce74e7730495a9384eef2\r\n859bb10ac5b012f2af49dd9c6fe3463c60937e4054b395e5e5f2e2206a6fa6e7\r\nd9a19da9543b921c03e089a0c78a35ef1cc5bc378e2e457b5cea97b70f4490a7\r\n85591984196580620887922be65f053a7220ec455737a845d1f8da0665983524\r\nd9ac855c390cab8ab44970b838cb6b27a12f7771e3cfef064ff84a98555e0ba4\r\n33dff4aa9b4cc2f078638966b7d0787d4bd5b75b24b266e354b005fbb515e2d3\r\nc77c63b0ad713ca97776305af4b22cd934271fec00f3c8029bdbbfcf8cd1ed98\r\n090f652b176dfb8bb7ceaca8863ebf2041e250bb21b208fecdfa4d917aed5637\r\n997c4a9c2507695477552a98f89ebe64aea1685ac3309f42e7713d13ee3056f1\r\n9ad904b6ec926b0f03d856c3d57feb009c811f31e5676884db95f7d7652fd73d\r\nNames of 11 Windows shortcut files contained in the above disk images:\r\n03792072_874241.lnk\r\n20755103_822431.lnk\r\n23891652_978954.lnk\r\n55088410_803346.lnk\r\n55448947_903195.lnk\r\n58218799_257561.lnk\r\n65058266_101487.lnk\r\n68101181_048154.lnk\r\n69849517_238275.lnk\r\n71875983_866759.lnk\r\n85873035_409355.lnk\r\nSHA256 hash for all of the above Windows shortcut files:\r\n03160be7cb698e1684f47071cb441ff181ff299cb38429636d11542ba8d306ae\r\nCommand generated from the Windows shortcut:\r\nC:\\Windows\\System32\\rundll32.exe 019338921.dll,DllInstall\r\nName for the obama186 Qakbot 32-bit DLL files hidden in the 11 disk images:\r\n19338921.dll\r\nSHA256 hashes for 10 obama186 Qakbot DLL files hidden in the 11 disk images:\r\n17af3b12512b3430d59ca594bc16171c66ec49db4458cb2de887b83e9f37860b\r\n31de1b6c455784d6524cc3db4b37360782f260ddedf414d60dd4c96913512f48\r\n41623849299f5f6d5551f9e58476a5df527cef441f65076d2526ea8a1437b3ed\r\n5577643e4028eb610c688d5ab703cd6c80c60aa99048414f1803e7264183c366\r\n68aee52f4bee3cf4d50f33110f439249dbe450f65f3ba09a0d833882ad8ded11\r\n71c9229eb849ed2ff17ef435b385ba98aeaae931849ff226621b39fd31e00976\r\n765844ed4f11fb1a050994f5d0a589fff04b2e6342acab17f373626f7583e10a\r\naf8232f3a789672602db9937217882f6d52f4640a258403ed3531172afca7220\r\ncef129dbfb9dc93e9937a60f2c31d292db8e3591a349f101923be8d05886920d\r\ne13fca7c957ae5064cdba0a1cea672031d7b8a56ee876bfa0c1a0505dc8ef24f\r\nNames of 11 .docx files contained in the 11 disk images:\r\ndoc106.docx\r\ndoc276.docx\r\ndoc310.docx\r\ndoc632.docx\r\ndoc672.docx\r\ndoc708.docx\r\ndoc879.docx\r\ndoc1454.docx\r\ndoc1750.docx\r\ndoc1792.docx\r\ndoc1848.docx\r\nSHA256 hash for the above .docx files:\r\nd20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93\r\nURL contained in XML file from the above .docx archive:\r\nhxxp://185.234.247[.]119/123.RES\r\nSHA256 hash of the above 123.RES file:\r\ne3ba1c45f9dd1f432138654b5f19cf89c55e07219b88aa7628334d38bb036433\r\nExamples of URLs contained in script from 123.RES that returned obama186 Qakbot DLL files:\r\nhxxp://104.36.229[.]139/75257103.dat\r\nhxxp://85.239.55[.]228/75257103.dat\r\nhxxp://185.234.247[.]119/75257103.dat\r\nExample of User-Agent string in HTTP request header for the above URLs:\r\nUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.431\r\nSHA256 hashes of example obama186 Qakbot DLL files retrieved from the above URLs:\r\n6a16d1ec263eeacd6d5b2eb1855337a0aeeacd8020df840a0d883f973b3111b7\r\n767e1d12493cb7de999a85323da06190706324397d26af020b9bc833c6d5b7f6\r\n62acb357d94bebb8ee25761e5b7b0188f44e5c69156bbcb884884d1fe6b2838a\r\nFinal Words\r\nAs mentioned earlier, I was unable to get the Follina exploit to work in my lab environment. And the next day (Wednesday 2022-06-08), TA570 did not include a .docx file in disk images associated with obama187 Qakbot. The disk image --\u003e Windows shortcut --\u003e hidden DLL method of Qakbot infection worked in my lab environment, though.\r\nI've posted the associated emails, malware, and a pcap of infection traffic from a TA570 obama186 Qakbot infection from Tuesday 2022-06-07 here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28728",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28728"
	],
	"report_names": [
		"28728"
	],
	"threat_actors": [
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5805a60733c0181b1562a8a512e3b1c3cbcef2e3.pdf",
		"text": "https://archive.orkl.eu/5805a60733c0181b1562a8a512e3b1c3cbcef2e3.txt",
		"img": "https://archive.orkl.eu/5805a60733c0181b1562a8a512e3b1c3cbcef2e3.jpg"
	}
}