QBot malware is being dropped in new attacks that exploit a Windows zero-day
Cyber Security Associates
The QBot malware is being spread by new phishing attacks that exploit a zero-day vulnerability in Windows to bypass the security warnings normally shown for files carrying the Mark of the Web.
Windows adds a marker called the Mark of the Web (MoTW) to files received from an untrusted remote location, such as a download from the Internet or an email attachment. The MoTW is stored in an alternate data stream named Zone.Identifier, which records where the file came from: its URL security zone (ZoneId), the referrer, and the download URL.
Before opening a file that carries the MoTW, Windows prompts the user for confirmation.
The Windows warning reads: "While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software."
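To make the mechanism concrete, the following Python script (an added example, not code from the article or from any of the parties it describes) parses the Zone.Identifier stream and reports which zone a file was marked with, and, on Windows, reads the stream straight from an NTFS file. The sample stream content and the URLs in it are constructed for illustration; the ZoneId numbering (0 local machine through 4 restricted sites) is the standard URL security zone numbering.

```python
"""Inspect the Mark of the Web (MoTW) carried by a downloaded file.

On NTFS the MoTW is the Zone.Identifier alternate data stream, a small
INI-style text such as the constructed sample below. ZoneId uses the URL
security zone numbers: 0 local machine, 1 local intranet, 2 trusted sites,
3 Internet, 4 restricted sites. The "file from the Internet" prompt applies
to files marked with zone 3 or 4; a file with no stream at all gets no prompt.
"""
from __future__ import annotations

import errno
import os
from dataclasses import dataclass
from typing import List, Optional

ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample of a Zone.Identifier stream; the URLs are placeholders.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://files.example.invalid/Invoice.zip\r\n"
)


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def triggers_warning(self) -> bool:
        # Internet (3) and Restricted (4) are the zones the MoTW prompt keys off.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse Zone.Identifier content. Returns None when there is no usable
    ZoneId, which is how an unmarked file must be treated."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    try:
        zone_id = int(values["zoneid"])
    except (KeyError, ValueError):
        return None
    return MarkOfTheWeb(zone_id, values.get("referrerurl"), values.get("hosturl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read the MoTW of a file on an NTFS volume (Windows only). Returns None
    when the stream is absent, i.e. the file carries no mark."""
    if os.name != "nt":
        raise OSError("alternate data streams are only addressable as 'file:stream' on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError as exc:
        # ENOENT: no such stream. EINVAL: the volume has no stream support at
        # all (a mounted ISO/IMG, for instance). Both mean "no mark".
        if exc.errno in (errno.ENOENT, errno.EINVAL):
            return None
        raise


def unmarked_files(root: str) -> List[str]:
    """List files under root that carry no MoTW. Point it at the folder an
    archive or disk image was extracted to, to see which files Windows would
    open without a prompt (Windows only)."""
    missing = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if read_mark_of_the_web(path) is None:
                missing.append(path)
    return missing


if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(f"zone={motw.zone_name} warns={motw.triggers_warning} from={motw.host_url}")
```

The parser deliberately returns None rather than a default zone when ZoneId is missing or unparsable: that is exactly how Windows treats a file without a usable stream, and it is the state a file is in after extraction from a container that did not propagate the mark.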
The HP threat intelligence team reported last month that a phishing campaign was using JavaScript files to distribute the Magniber ransomware [1].
These JavaScript files are not the kind embedded in web pages; they are standalone .JS files executed by the Windows Script Host (wscript.exe).
Will Dormann, a senior vulnerability analyst at ANALYGENCE, analysed the files and determined that the threat actors were exploiting a new Windows zero-day vulnerability that prevents the Mark of the Web security warning from being shown on the user's computer.
As described in the Microsoft support article Digitally Signing Scripts [2], a JS file (or other script type) can carry an embedded, base64-encoded Authenticode signature block. The exploit abuses this feature: the malicious scripts contain a malformed signature block.
When a file carrying one of these malformed signatures is opened, Windows does not flag it through Microsoft SmartScreen or display the MoTW security warning; it simply lets the script run. The malformed signature causes SmartScreen's check to fail, and the failure is treated as if the file had passed rather than as a reason to block it.
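The signature block format is worth knowing for hunting purposes. The Python below is an added triage example (not the article's code and not a reproduction of SmartScreen's internal logic): it extracts the `// SIG //` (or VBScript `' SIG '`) comment block that Windows Script Host signed scripts carry, base64-decodes it, and checks the minimum any genuine PKCS#7 signature satisfies, namely that the payload is a well-formed DER SEQUENCE whose declared length matches the payload length. The sample scripts are constructed for the example; the specific way the in-the-wild signatures were malformed is not described on this page, so the "bad" sample is a generic length inconsistency, not the real campaign artefact.

```python
"""Triage the embedded signature block of a Windows Script Host file.

Signed .js/.vbs scripts carry their Authenticode signature as a trailing
comment block in the form documented in "Digitally Signing Scripts":

    // SIG // Begin signature block
    // SIG // MIIEMwYJKoZIhvcNAQcCoIIEJDCCBCACAQExCzAJBgUr...
    // SIG // End signature block

(VBScript uses "' SIG '" as the prefix.) The base64 payload is a DER-encoded
PKCS#7 SignedData structure. A block whose payload does not even parse as a
DER SEQUENCE of the right length is either corrupt or deliberately malformed;
this is a hunting heuristic, not what SmartScreen does internally.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Comment prefixes used by signed JScript ("// SIG //") and VBScript ("' SIG '").
SIG_LINE = re.compile(r"^\s*(?://\s*SIG\s*//|'\s*SIG\s*')\s?(.*)$")


@dataclass
class SignatureTriage:
    present: bool          # a "Begin signature block" marker was found
    decodes: bool          # the payload is valid base64
    der_ok: bool           # outer DER SEQUENCE length matches the payload
    payload_len: int = 0
    detail: str = ""


def extract_signature_base64(script: str) -> Optional[str]:
    """Return the concatenated base64 between the Begin/End markers, or None."""
    inside, chunks = False, []
    for raw in script.splitlines():
        match = SIG_LINE.match(raw)
        if not match:
            continue
        body = match.group(1).strip()
        if body == "Begin signature block":
            inside = True
        elif body == "End signature block":
            break
        elif inside:
            chunks.append(body)
    return "".join(chunks) if inside else None


def der_sequence_length(blob: bytes) -> Optional[int]:
    """Total encoded length of the DER SEQUENCE at offset 0, or None if the
    bytes do not start with one (tag 0x30, definite length)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                 # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def triage_script(script: str) -> SignatureTriage:
    b64 = extract_signature_base64(script)
    if b64 is None:
        return SignatureTriage(False, False, False, detail="no signature block")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return SignatureTriage(True, False, False, detail="payload is not valid base64")
    total = der_sequence_length(blob)
    if total is None:
        return SignatureTriage(True, True, False, len(blob), "payload is not a DER SEQUENCE")
    if total != len(blob):
        return SignatureTriage(True, True, False, len(blob),
                               f"DER declares {total} bytes, payload has {len(blob)}")
    return SignatureTriage(True, True, True, len(blob), "outer structure well-formed")


def _as_sig_block(payload: bytes, prefix: str = "// SIG //") -> str:
    """Wrap bytes in a WSH signature comment block (sample-data helper)."""
    b64 = base64.b64encode(payload).decode()
    lines = [f"{prefix} {b64[i:i + 44]}" for i in range(0, len(b64), 44)]
    return "\n".join([f"{prefix} Begin signature block", *lines, f"{prefix} End signature block"])


# Constructed samples, not taken from any real campaign. WELL_FORMED wraps a
# minimal SEQUENCE holding the signedData OID (1.2.840.113549.1.7.2): valid
# structure, no real signature. BAD_LENGTH declares 0x420 content bytes but
# supplies three, the kind of inconsistency a signature parser trips over.
SCRIPT_BODY = 'var shell = new ActiveXObject("WScript.Shell");\n'
WELL_FORMED = SCRIPT_BODY + _as_sig_block(bytes.fromhex("300b06092a864886f70d010702"))
BAD_LENGTH = SCRIPT_BODY + _as_sig_block(bytes.fromhex("30820420010203"))
NOT_BASE64 = SCRIPT_BODY + "// SIG // Begin signature block\n// SIG // not*base64!\n// SIG // End signature block"
UNSIGNED = SCRIPT_BODY
VBS_WELL_FORMED = 'MsgBox "hi"\n' + _as_sig_block(bytes.fromhex("300b06092a864886f70d010702"), prefix="' SIG '")

if __name__ == "__main__":
    for name, sample in [("well-formed", WELL_FORMED), ("bad length", BAD_LENGTH),
                         ("not base64", NOT_BASE64), ("unsigned", UNSIGNED)]:
        print(f"{name:>12}: {triage_script(sample)}")
```

A structurally valid outer SEQUENCE says nothing about whether the signature verifies or who signed it; for that, hand the file to the platform's own verifier. The value of this check is the other direction: a script that ships a signature block that is not even well-formed DER has no legitimate reason to exist, and that is a cheap, high-signal hunt across a mail gateway quarantine or a mounted image.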
The QBot malware campaign utilises a zero-day vulnerability in Windows.
Recent QBot phishing campaigns have delivered password-protected ZIP archives containing ISO images [3]. These ISO images hold a Windows shortcut together with the DLLs needed to install the malware.
ISO images were used to distribute malware because Windows did not propagate the Mark of the Web to the files inside them, so the enclosed files could be opened without any security warning.
Microsoft fixed this in the November 2022 Patch Tuesday security updates: the MoTW flag now propagates to every file inside a mounted ISO image, closing that bypass [4].
In a new QBot phishing campaign discovered by security researcher ProxyLife [5], the threat actors have switched to the Windows Mark of the Web zero-day, distributing JS files signed with malformed signatures.
The campaign begins with an email containing a link to a supposed document along with the password needed to open it.
Clicking the link downloads a password-protected ZIP archive. Inside it is a second ZIP archive, which in turn contains a disk image (IMG) file.
In Windows 10 and later, double-clicking a disk image file (IMG or ISO) mounts it automatically as a new drive letter.
The IMG file contains a .js file, a text file, and a folder holding a DLL that has been renamed with a .tmp extension. Note that the file names change from campaign to campaign, so they should not be treated as static indicators.
The data.txt file holds the string 'vR32'. The VBScript embedded in the JS file reads data.txt and appends its contents to the argument of a ShellExecute call, which loads the .tmp DLL. Splitting the command between the script and a separate text file is a simple obfuscation: the script on its own does not reveal the full command it will run.
Normally, launching a JS file that originated on the Internet would trigger the Mark of the Web security warning.
However, the JS file is signed with the same malformed signature used in the Magniber ransomware campaigns to exploit the Windows zero-day.
Because of the malformed signature, the script executes and loads the QBot malware without Windows showing any security warning.
Shortly afterwards, the loader injects the QBot DLL into legitimate Windows processes, such as wermgr.exe and AtBroker.exe, to evade detection.
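Two properties of the chain described above are observable in ordinary process-creation telemetry: the script runs from a drive letter that did not exist until the image was mounted, and the script host's child process is handed a file with a .tmp extension. The Python below is an added example (not the article's code) that runs those two heuristics over Sysmon Event ID 1-style records. The events, file names, drive letter and the host binary in the third event are all constructed; the article does not identify which binary the ShellExecute call targets, so the sample uses a placeholder name. Both rules are triage leads rather than verdicts, since USB media and network shares also produce non-system drive letters.

```python
"""Process-creation heuristics for the IMG -> JS -> .tmp DLL chain.

Events are dicts shaped like Sysmon Event ID 1 (Image, ParentImage,
CommandLine, ProcessId); the sample below is constructed, not real telemetry.

  R1  wscript.exe/cscript.exe executes a script that lives on a drive other
      than the system drive. A double-clicked IMG/ISO is mounted as a new
      drive letter, so the script path betrays the delivery vehicle.
  R2  a child of wscript.exe/cscript.exe has a .tmp file on its command
      line: the renamed DLL being handed to a host binary.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
SYSTEM_DRIVE = "C:"   # assumption for the sample; read %SystemDrive% in production

# Quoted "X:\...\..." tokens, or unquoted X:\token runs, in a command line.
_DRIVE_PATH = re.compile(r'"([A-Za-z]:\\[^"]*)"|(?<![\w\\])([A-Za-z]:\\\S+)')


@dataclass(frozen=True)
class Alert:
    rule: str
    process_id: int
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _paths_in(command_line: str) -> List[str]:
    return [m.group(1) or m.group(2) for m in _DRIVE_PATH.finditer(command_line)]


def rule_script_from_foreign_drive(event: dict) -> List[Alert]:
    """R1: a script host running a script from a non-system drive letter."""
    image = _basename(event["Image"])
    if image not in SCRIPT_HOSTS:
        return []
    return [
        Alert("R1", event["ProcessId"], f"{image} ran {path} from a non-system drive")
        for path in _paths_in(event["CommandLine"])
        if path.lower().endswith(SCRIPT_EXTENSIONS) and not path.upper().startswith(SYSTEM_DRIVE)
    ]


def rule_tmp_argument_from_script_host(event: dict) -> List[Alert]:
    """R2: a child of a script host whose command line references a .tmp file."""
    if _basename(event.get("ParentImage", "")) not in SCRIPT_HOSTS:
        return []
    if re.search(r"\.tmp\b", event["CommandLine"], re.IGNORECASE):
        return [Alert("R2", event["ProcessId"],
                      f"{_basename(event['Image'])} spawned by a script host with a .tmp argument")]
    return []


def run_detections(events: Iterable[dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for event in events:
        alerts.extend(rule_script_from_foreign_drive(event))
        alerts.extend(rule_tmp_argument_from_script_host(event))
    return alerts


# Constructed sample: a benign logon script, then the chain from the article
# (image mounted as E:, JS double-clicked, .tmp DLL handed to a host binary).
# placeholder_host.exe stands in for the unnamed host binary.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "E:\Invoice.js"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\placeholder_host.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"placeholder_host.exe E:\data\payload.tmp"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Neither rule depends on the file names, which the article notes change per campaign; they key on the structure of the chain instead. The later injection into wermgr.exe and AtBroker.exe is not visible in process-creation events and needs memory or API telemetry to catch.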
Microsoft has been aware of this zero-day since October; now that further malware campaigns are exploiting it, a fix can hopefully be expected in the December 2022 Patch Tuesday security updates.
In the meantime, an unofficial micropatch is available from the 0patch micro-patching service until Microsoft issues an official security update [6].
The QBot malware
QBot, formerly known as Qakbot, is Windows malware that began life as a banking trojan and has since evolved into a malware dropper.
Once installed, it runs quietly in the background, harvesting emails for use in further phishing attacks and installing additional payloads such as Brute Ratel and Cobalt Strike.
The deployment of post-exploitation toolkits such as Brute Ratel and Cobalt Strike usually leads to more disruptive attacks, including data theft and ransomware.
In the past, the Egregor and ProLock ransomware operations partnered with QBot distributors to gain access to corporate networks. More recently, Black Basta ransomware attacks have been observed on networks following QBot infections.