New phishing attacks use a Windows zero-day vulnerability to drop Qbot malware without displaying Mark of the Web security warnings.
When files are downloaded from a remote, untrusted location, such as the Internet or an email attachment, Windows adds a special attribute to the file called Mark of the Web.
This Mark of the Web (MoTW) is an alternate data stream attached to the file that records where it came from: the URL security zone it originates from, its referrer, and its download URL.
When a user tries to open a file with a MoTW attribute, Windows will display a security warning asking if they are sure they want to open the file.
“While Internet files can be useful, this type of file can potentially harm your computer. If you don’t trust the source, don’t open this software,” the Windows warning read.
After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that the threat actors were using a new Windows zero-day vulnerability that prevented the Mark of the Web security warnings from being displayed.
To exploit this vulnerability, a JS file (or another file type) is signed with an embedded base64-encoded signature block, as described in this Microsoft support article.
However, when a malicious file carrying one of these malformed signatures is opened, instead of being flagged by Microsoft SmartScreen and triggering the MoTW security warning, Windows simply allows the program to run.
QBot malware campaign uses Windows zero-day
Recent QBot malware phishing campaigns have distributed password-protected ZIP files containing ISO images. These ISO images contain a Windows shortcut and DLL files to install the malware.
ISO images were used to distribute the malware because Windows did not properly propagate the Mark of the Web to the files they contained, so those files bypassed the Windows security warnings.
As part of Microsoft's November 2022 Patch Tuesday, security updates were released that fix this bug: the MoTW flag is now propagated to all files within an opened ISO image, which closes this security bypass.
In a new QBot phishing campaign discovered by security researcher ProxyLife, the threat actors have switched to the Windows Mark of the Web zero-day vulnerability, distributing JS files signed with malformed signatures.
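Because the Mark of the Web lives in the Zone.Identifier alternate data stream described above, a defender can inspect it directly. The following Python, an added example that is not from the article, parses that stream and reads it from a file on Windows; SAMPLE_STREAM and the URLs in it are constructed.

```python
# Added example, not from the article: parse and read the Zone.Identifier stream that
# carries Mark of the Web. SAMPLE_STREAM is constructed; read_zone_identifier is Windows-only.
import os
from dataclasses import dataclass
from typing import Optional

ZONE_NAMES = {0: "Local machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

@dataclass
class MarkOfTheWeb:
    zone_id: int                        # URL security zone the file came from
    referrer_url: Optional[str] = None  # page that linked to the download, if recorded
    host_url: Optional[str] = None      # download URL, if recorded

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def triggers_warning(self) -> bool:
        return self.zone_id >= 3  # Windows prompts only for Internet (3) and Restricted (4)

def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse Zone.Identifier text; None when it has no usable ZoneTransfer block."""
    fields, in_block = {}, False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_block = line.lower() == "[zonetransfer]"
        elif in_block and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    return MarkOfTheWeb(int(fields["zoneid"]), fields.get("referrerurl"), fields.get("hosturl"))

def read_zone_identifier(path: str) -> Optional[MarkOfTheWeb]:
    """Read a file's Zone.Identifier ADS (NTFS, Windows); None means no MoTW, so no prompt."""
    if os.name != "nt":
        raise OSError("alternate data streams are only reachable on Windows/NTFS")
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None

# Constructed sample in the form a browser writes for an Internet download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/mail\r\n"
                 "HostUrl=https://example.invalid/dl/WW.js\r\n")
```

Running read_zone_identifier over the files of a mounted IMG or ISO shows whether the image's mark was propagated to them: a None result means Windows will show no MoTW prompt for that file.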
This new phishing campaign begins with an email that includes a link to a supposed document and a password for the file.
When the link is clicked, a password-protected ZIP file is downloaded; it contains another ZIP file, which in turn contains an IMG file.
In Windows 10 and later, when you double-click a disk image file, such as an IMG or ISO, the operating system will automatically mount it as a new drive letter.
This IMG file contains a .js file ('WW.js'), a text file ('data.txt') and a folder holding a DLL renamed to a .tmp file ('similarity.tmp') (VirusTotal), as illustrated below. Note that the file names change from campaign to campaign, so they should not be treated as static indicators.
The JS file contains VB script that reads the data.txt file, which holds the string 'vR32', and appends that content to the parameter of a shell run command so as to load the DLL 'port/similarity.tmp'. In this particular email, the reconstructed command is:
Since the JS file originates from the Internet, launching it on Windows would display a Mark of the Web security warning.
However, as you can see in the image of the JS script above, it is signed with the same malformed signature block that was used in the Magniber ransomware campaigns to exploit the Windows zero-day vulnerability.
This malformed signature allows the JS script to run and load the QBot malware without displaying any Windows security warning, as shown in the process launch below.
After a short time, the malware loader injects the QBot DLL into legitimate Windows processes, such as wermgr.exe or AtBroker.exe, to evade detection.
Microsoft has known about this zero-day vulnerability since October, and now that other malware campaigns are exploiting it, we expect to see the bug fixed as part of the December 2022 Patch Tuesday security updates.
QBot, also known as Qakbot, is Windows malware that was initially developed as a banking Trojan but has evolved into a malware loader.
It is used to install the Brute Ratel and Cobalt Strike post-exploitation toolkits, which often leads to more disruptive attacks, such as data theft and ransomware.
In the past, the Egregor and ProLock ransomware operations partnered with QBot distributors to gain access to corporate networks. More recently, Black Basta ransomware attacks have been seen on networks following QBot infections.