New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings.
When files are downloaded from an untrusted remote location, such as the Internet or an email attachment, Windows add a special attribute to the file called the Mark of the Web.
This Mark of the Web (MoTW) is an alternate data stream that contains information about the file, such as the URL security zone the file originates from, its referrer, and its download URL.
When a user attempts to open a file with a MoTW attribute, Windows will display a security warning asking if they are sure they wish to open the file.
“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.
After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that the threat actors were using a new Windows zero-day vulnerability that prevented Mark of the Web security warnings from being displayed.
To exploit this vulnerability, a JS file (or other types of files) could be signed using an embedded base64 encoded signature block, as described in this Microsoft support article.
However, when a malicious file with one of these malformed signatures is opened, instead of being flagged by Microsoft SmartScreen and showing the MoTW security warning, Windows automatically allows the program to run.
QBot malware campaign uses Windows zero-day
about : blankParagraph: Change block type or styleChange text alignmentDisplays more block tools
Recent QBot malware phishing campaigns have distr
ibuted password-protected ZIP archives containing ISO images. These ISO images contain a Windows shortcut and DLLs to install the malware.
ISO images were being used to distribute the malware as Windows was not correctly propagating the Mark of the Web to files within them, allowing the contained files to bypass Windows security warnings.
As part of the Microsoft November 2022 Patch Tuesday, security updates were released that fixed this bug, causing the MoTW flag to propagate to all files inside an opened ISO image, fixing this security bypass.
In a new QBot phishing campaign discovered by security researcher ProxyLife, the threat actors have switched to the Windows Mark of the Web zero-day vulnerability by distributing JS files signed with malformed signatures.
Read more about this at bleepingcomputer.com