Follina Exploit Leads to Domain Compromise

An intrusion in early June 2022 leveraged the Follina CVE-2022-30190 vulnerability embedded in a malicious Word document to install Qbot (Qakbot/Pinkslipbot) and pivot through the network toward a domain compromise. The attackers used Cobalt Strike, NetSupport Manager, and Atera for persistence and remote access, conducted discovery across systems, and eventually accessed sensitive documents on a file server before leaving the network. #Follina #Qbot #Qakbot #Pinkslipbot #TA570 #CobaltStrike #NetSupport #Atera

Key points

  • Initial access via CVE-2022-30190 (Follina) embedded in a weaponized Word document, likely delivered through thread hijacking by TA570.
  • Qbot malware executes a DLL load chain, establishes C2 connectivity, and performs beachhead discovery before broader propagation.
  • Post-compromise, threat actors pivoted to multiple hosts, deploying NetSupport and Atera, and leveraging Cobalt Strike for persistence and C2.
  • Persistence and defense evasion include scheduled task creation, registry-based C2 data, and adding Windows Defender exclusions; SMB-based DLL transfers were used for lateral movement.
  • Credential access and discovery activities targeted LSASS, browser data, AD topology (via AdFind), and domain trust/group enumerations.
  • Impact involved viewing sensitive documents on a file server via RDP, with limited observed exfiltration; no further activity was observed after this access.
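The defense-evasion step above (adding Windows Defender exclusion folders) leaves a reliable trace: every exclusion change is written as Event ID 5007 ("configuration has changed") in the Microsoft-Windows-Windows Defender/Operational log, with the affected registry value in the message body. The following is an added detection example, not code from the DFIR Report or from any of the tools named in it. The event messages, host names, users and paths are constructed to mirror the shape Defender writes, and the approved-exclusion baseline is hypothetical.

```python
import re

# Matches the "New value:" line a Defender Event ID 5007 carries when a value is
# written under the Exclusions key. Group 1 = exclusion type, group 2 = item.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

EXCL_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"

# Exclusions the organisation has deliberately approved (hypothetical baseline).
APPROVED = {("Paths", "C:\\Program Files\\ExampleDB\\Data")}


def _msg(old="", new=""):
    """Build a 5007 message body in the shape Defender writes (constructed sample)."""
    return ("Microsoft Defender Antivirus Configuration has changed. If this is an "
            "unexpected event you should review the settings as this may be the "
            f"result of malware.\r\n\tOld value: {old}\r\n\tNew value: {new}")


# Constructed sample events; hosts, users and paths are placeholders, not report data.
SAMPLE_EVENTS = [
    {"event_id": 5007, "host": "WS01", "user": "CORP\\jdoe",
     "message": _msg(new=EXCL_KEY + "Paths\\C:\\Users\\Public\\Libraries = 0x0")},
    # Removal of an exclusion: only an "Old value" is present, so it is not an addition.
    {"event_id": 5007, "host": "WS01", "user": "CORP\\jdoe",
     "message": _msg(old=EXCL_KEY + "Paths\\C:\\Temp = 0x0")},
    # Addition that is on the approved baseline.
    {"event_id": 5007, "host": "SRV02", "user": "CORP\\svc-deploy",
     "message": _msg(new=EXCL_KEY + "Paths\\C:\\Program Files\\ExampleDB\\Data = 0x0")},
    # 5007 for a different subkey; not an exclusion, so it needs its own rule.
    {"event_id": 5007, "host": "WS03", "user": "CORP\\asmith",
     "message": _msg(new="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x1")},
    # Unrelated Defender event ID; skipped.
    {"event_id": 1116, "host": "WS04", "user": "SYSTEM",
     "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."},
    {"event_id": 5007, "host": "WS05", "user": "CORP\\jdoe",
     "message": _msg(new=EXCL_KEY + "Paths\\C:\\Users\\jdoe\\AppData\\Local\\Temp = 0x0")},
]


def find_exclusion_additions(events, approved=APPROVED):
    """Return unapproved exclusion additions as (host, user, kind, item) tuples."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 5007:
            continue
        m = EXCLUSION_RE.search(ev["message"])
        if not m:
            continue
        kind, item = m.group(1).capitalize(), m.group(2).strip()
        if (kind, item) in approved:
            continue
        hits.append((ev["host"], ev.get("user", "?"), kind, item))
    return hits


def additions_per_host(hits):
    """Count unapproved additions per host, most active host first; a burst of
    additions on one host in a short window is the pattern worth triaging."""
    counts = {}
    for host, *_ in hits:
        counts[host] = counts.get(host, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for host, user, kind, item in find_exclusion_additions(SAMPLE_EVENTS):
        print(f"{host}: {user} added Defender {kind} exclusion {item}")
    print(additions_per_host(find_exclusion_additions(SAMPLE_EVENTS)))
```

In a real pipeline the event dictionaries would come from a SIEM query or from `Get-WinEvent` output; the regex and baseline logic are the same. Pair this with a rule on scheduled-task creation (Event ID 4698) from the same host and user, since the report describes both happening together.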

MITRE Techniques

  • [T1203] Exploitation for Client Execution – “where exploit code was embedded inside a malicious Word document to gain initial access.”
  • [T1218.010] Regsvr32 – “The Qbot DLL was executed via regsvr32.exe”
  • [T1055] Process Injection – “injected into legitimate processes (explorer.exe) on the host.”
  • [T1053] Scheduled Task/Job – “Qbot used scheduled task creation as a persistence mechanism.”
  • [T1105] Ingress Tool Transfer – “The payload contains base64-encoded content and is used to download Qbot DLLs inside the user’s Temp directory.”
  • [T1021.001] Remote Desktop Protocol – “moved laterally to the domain controller via a Remote Desktop session.”
  • [T1569.002] Service Execution – “registered a local service on each host to execute the Qbot DLL using regsvr32.”
  • [T1562.001] Disable or Modify Tools – “added multiple folders to the Windows Defender exclusions list.”
  • [T1219] Remote Access Software – “Cobalt Strike server connection”
  • [T1570] Lateral Tool Transfer – “Lateral Tool Transfer across the network via SMB and remote DLLs.”
  • [T1033] System Owner/User Discovery – “whoami… and other discovery commands”
  • [T1049] System Network Connections Discovery – “nslookup, netstat, and other network discovery commands”
  • [T1069.002] Domain Groups – “net localgroup … ‘Domain Computers’ /domain”
  • [T1482] Domain Trust Discovery – “domain trusts /all_trusts”
  • [T1059.001] PowerShell – “PowerShell payload downloaded/decoded and executed”
  • [T1555.003] Credentials from Web Browsers – “Credentials from Web Browsers”
  • [T1555.004] Windows Credential Manager – “Windows Credential Manager access”
  • [T1003.001] LSASS Memory – “LSASS interaction from the injected process”
  • [T1071] Application Layer Protocol – “C2 communications over HTTP/DNS/TLS”

Indicators of Compromise

  • [Atomic] ATERA Integrator Login ID – cadencefitzp.atrickzx@gmail[.]com
  • [DNS Requests] – www.stanzatextbooks[.]com, www.framemymirror[.]com, and 2 more domains
  • [Qbot C2 IPs in traffic] – 144.202.3[.]39:443, 67.209.195[.]198:443, 176.67.56[.]94:443, 90.120.65[.]153:2078
  • [Cobalt Strike] – 190.123.44[.]126:443
  • [Qbot C2 IPv4s in registry key] – 38.70.253[.]226:2222, 182.191.92[.]203:995
  • [Named Pipe] – postex_4c14
  • [Files] – liidfxngjotktx.dll (MD5: 5abb2c12f066ce32a0e4866fb5bb347f; SHA1: dab316b8973ecc9a1893061b649443f5358b0e64), and 2 more hashes

Read more: https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/