New attacks use zero-day Windows security bypass to drop malware

New phishing attacks use a Windows zero-day vulnerability to drop Qbot malware without displaying Mark of the Web security warnings.

When files are downloaded from a remote, untrusted location, such as the Internet or an email attachment, Windows adds a special attribute to the file called Mark of the Web.

This Mark of the Web (MoTW) is an alternate data stream, named Zone.Identifier, attached to the file that records the URL security zone the file came from, its referrer and its download URL.

When a user tries to open a file with a MoTW attribute, Windows will display a security warning asking if they are sure they want to open the file.

“While Internet files can be useful, this type of file can potentially harm your computer. If you don’t trust the source, don’t open this software,” the Windows warning reads.

Windows Mark of the Web Security Warning
Source: Bleeping Computer

Last month, HP’s threat intelligence team reported that a phishing attack was distributing Magniber ransomware using JavaScript files.

These JavaScript files are not the ones embedded in web pages; they are stand-alone files with a ‘.JS’ extension that Windows runs with the Windows Script Host (wscript.exe).

After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that threat actors were using a new Windows zero-day vulnerability that prevented Mark of the Web security warnings from being displayed.

To exploit this vulnerability, a JS file (or another file type that supports it) is signed with an embedded, base64-encoded Authenticode signature block, the format described in a Microsoft support article on signing script files.

JavaScript file used to install Magniber Ransomware
Source: Bleeping Computer

However, when a malicious file carrying one of these malformed signatures is opened, Windows lets it run instead of Microsoft SmartScreen flagging it and showing the MoTW security warning.
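
The Mark of the Web stream and the embedded signature block lend themselves to a triage script. What follows is an added example, not code from the article or from the researchers it cites: it parses the Zone.Identifier alternate data stream (the ini-style [ZoneTransfer] section Windows writes, where ZoneId 3 is the Internet zone), extracts a comment-style signature block from a .js, .vbs or .ps1 file, and checks only whether the decoded bytes form a DER SEQUENCE of consistent length that carries the PKCS#7 signedData OID. The article does not say how the attackers’ signature is malformed, so this shape check is a heuristic and not a signature verification; on a Windows host, Get-AuthenticodeSignature or signtool gives the authoritative answer. The sample stream and script are constructed.

```python
import base64
import binascii

# Zone IDs that Windows writes into the Zone.Identifier alternate data stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Comment prefix per script type; the block reads "<prefix>Begin signature block",
# base64 lines with the same prefix, then "<prefix>End signature block".
SIG_PREFIX = {".js": "// SIG // ", ".vbs": "' SIG ' ", ".ps1": "# SIG # "}

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), present in
# every Authenticode signature.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def parse_zone_identifier(text):
    """Parse the ini-style [ZoneTransfer] section of a Zone.Identifier stream."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def read_zone_identifier(path):
    """Read the stream from a file on NTFS; None means the file carries no MoTW."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def extract_signature_block(script_text, ext):
    """Decoded bytes of the embedded block, b"" if it is not valid base64,
    None if the script has no signature block at all."""
    prefix = SIG_PREFIX[ext.lower()]
    inside, chunks = False, []
    for line in script_text.splitlines():
        if line.startswith(prefix + "Begin signature block"):
            inside = True
        elif line.startswith(prefix + "End signature block"):
            inside = False
        elif inside and line.startswith(prefix):
            chunks.append(line[len(prefix):].strip())
    if not chunks:
        return None
    try:
        return base64.b64decode("".join(chunks), validate=True)
    except binascii.Error:
        return b""


def der_envelope_ok(blob):
    """Shape check only: an outer DER SEQUENCE whose declared length matches the
    data and which contains the signedData OID. It does not verify the signature."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:
        length, header = blob[1], 2
    else:
        n = blob[1] & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length, header = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return header + length == len(blob) and SIGNED_DATA_OID in blob


def triage_script(script_text, ext, zone_fields):
    """Combine the MoTW zone with the signature-block state into a verdict."""
    zone = (zone_fields or {}).get("ZoneId")
    blob = extract_signature_block(script_text, ext)
    if blob is None:
        sig = "unsigned"
    elif blob == b"" or not der_envelope_ok(blob):
        sig = "malformed"
    else:
        sig = "well-formed"
    return {"zone": ZONE_NAMES.get(zone, "none"), "signature": sig,
            "suspicious": zone in (3, 4) and sig == "malformed"}


def embed_signature(body, blob, ext):
    """Append a signature block in the comment format; used here to build samples."""
    prefix = SIG_PREFIX[ext.lower()]
    b64 = base64.b64encode(blob).decode()
    lines = [prefix + "Begin signature block"]
    lines += [prefix + b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(prefix + "End signature block")
    return body + "\n" + "\n".join(lines) + "\n"


# Constructed samples: a stream as a browser download would write it, and a
# stand-in script body with two different signature blocks appended.
SAMPLE_ADS = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\nHostUrl=https://example.invalid/WW.js\r\n"
SCRIPT_BODY = "// constructed stand-in for the script body\nWScript.Echo('hello');"
MALFORMED_JS = embed_signature(SCRIPT_BODY, b"not a real signature", ".js")
WELLFORMED_JS = embed_signature(SCRIPT_BODY, b"\x30\x0b" + SIGNED_DATA_OID, ".js")

if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_ADS)
    print(triage_script(MALFORMED_JS, ".js", zone))
    print(triage_script(WELLFORMED_JS, ".js", zone))
```

On a real host, pass the output of read_zone_identifier(path) as the third argument; a file that has no Zone.Identifier stream (zone "none") never raised the warning in the first place, so the combination worth hunting for is an Internet-zone script whose signature block does not even parse.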

QBot malware campaign uses Windows zero-day

Recent QBot malware phishing campaigns have distributed password-protected ZIP files containing ISO images. These ISO images contain a Windows shortcut and DLL files to install the malware.

ISO images were used because Windows did not propagate the Mark of the Web to the files they contained, so those files bypassed Windows security warnings.

Microsoft’s November 2022 Patch Tuesday security updates fixed this bug, so the MoTW flag now propagates to all files within an opened ISO image, closing that bypass.

In a new QBot phishing campaign discovered by security researcher ProxyLife, threat actors have switched to the Windows Mark of the Web zero-day vulnerability, distributing JS files signed with malformed signatures.

This new phishing campaign begins with an email that includes a link to a supposed document and a password for the file.

Phishing email with a link to download a malicious file
Source: Bleeping Computer

When the link is clicked, a password-protected ZIP file is downloaded; it contains another ZIP file, which in turn contains an IMG disk image.

In Windows 10 and later, when you double-click a disk image file, such as an IMG or ISO, the operating system will automatically mount it as a new drive letter.

This IMG file contains a .js file (‘WW.js’), a text file (‘data.txt’) and a folder holding a DLL renamed to a .tmp file (‘resemblance.tmp’) [VirusTotal], as illustrated below. File names vary between campaigns, so they should not be treated as static indicators.

Mounted IMG file
Source: Bleeping Computer

The JS file contains VBScript that reads data.txt, which holds the string ‘vR32’, and appends that string to the ShellExecute command parameter to build the command that loads the ‘port\resemblance.tmp’ DLL, so the complete ‘regsvr32’ string never appears in the script itself. In this particular email, the reconstructed command is:

regSvR32 port\resemblance.tmp
JS file with a malformed signature to exploit Windows zero-day
Source: Bleeping Computer

Since the JS file originates from the Internet, launching it on Windows would display a Mark of the Web security warning.

However, as you can see in the image of the JS script above, it is signed with the same malformed signature that was used in the Magniber ransomware campaigns to exploit the Windows zero-day vulnerability.

This malformed signature allows the JS script to run and load the QBot malware without displaying any Windows security warnings, as shown in the process tree below.

Regsvr32.exe starting the QBot DLL
Source: Bleeping Computer

After a short time, the malware loader injects the QBot DLL into legitimate Windows processes, such as wermgr.exe or AtBroker.exe, to evade detection.
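
Detection logic for the process chain described above, as an added example that is not part of the article: it runs two rules over constructed Sysmon-style events (ProcessCreate, event ID 1, and CreateRemoteThread, event ID 8, using Sysmon’s field names, which is an assumption of this example). The first flags a script host spawning regsvr32 or rundll32 with a module that lacks a .dll extension or sits on a non-system drive, which is where a mounted IMG or ISO appears; the second flags a loader creating a remote thread in wermgr.exe or AtBroker.exe. The article does not say which injection technique QBot uses, so the event ID 8 rule only catches CreateRemoteThread-style injection and is a heuristic.

```python
import re
from pathlib import PureWindowsPath

# Process names taken from the article's chain; field names follow Sysmon's
# schema (ProcessCreate = EID 1, CreateRemoteThread = EID 8), an assumption here.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe"}
INJECTION_TARGETS = {"wermgr.exe", "atbroker.exe"}
SYSTEM_DRIVE = "C:"


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _module_args(cmdline):
    """Non-switch arguments of a command line, quotes stripped, image token dropped."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]


def rule_script_host_spawns_loader(ev):
    """EID 1: a script host started regsvr32/rundll32. Adds a reason when the module
    has a non-DLL extension or lives on a non-system drive (a mounted IMG/ISO)."""
    if ev.get("EventID") != 1:
        return None
    if _basename(ev["ParentImage"]) not in SCRIPT_HOSTS or _basename(ev["Image"]) not in LOLBIN_LOADERS:
        return None
    reasons = [f"{_basename(ev['ParentImage'])} spawned {_basename(ev['Image'])}"]
    for arg in _module_args(ev["CommandLine"]):
        module = PureWindowsPath(arg)
        if not module.is_absolute():
            # relative path: resolve against the process's working directory
            module = PureWindowsPath(ev.get("CurrentDirectory", "")) / module
        if module.suffix.lower() != ".dll":
            reasons.append(f"module with non-DLL extension: {module}")
        if module.drive and module.drive.upper() != SYSTEM_DRIVE:
            reasons.append(f"module loaded from non-system drive {module.drive}")
    return reasons


def rule_loader_injects(ev):
    """EID 8: a loader created a remote thread in one of the article's injection
    targets. Other injection techniques would not produce this event."""
    if ev.get("EventID") != 8:
        return None
    src, dst = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
    if src not in LOLBIN_LOADERS or dst not in INJECTION_TARGETS:
        return None
    return [f"{src} created a remote thread in {dst}"]


RULES = (rule_script_host_spawns_loader, rule_loader_injects)


def run_rules(events):
    """Return (EventID, offending image, reasons) for every event a rule matches."""
    alerts = []
    for ev in events:
        for rule in RULES:
            reasons = rule(ev)
            if reasons:
                alerts.append((ev["EventID"], ev.get("Image") or ev.get("SourceImage"), reasons))
    return alerts


# Constructed events mirroring the chain in the article (E: is the mounted IMG);
# the last event is a benign installer registering a DLL and must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "E:\WW.js"', "CurrentDirectory": "E:\\"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"regSvR32 port\resemblance.tmp", "CurrentDirectory": "E:\\"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\regsvr32.exe", "TargetImage": r"C:\Windows\System32\wermgr.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"', "CurrentDirectory": "C:\\"},
]

if __name__ == "__main__":
    for event_id, image, reasons in run_rules(SAMPLE_EVENTS):
        print(event_id, image, "; ".join(reasons))
```

The relative module path in the regsvr32 command line is resolved against CurrentDirectory because that is how the loader in the article references the DLL from the mounted image; without that step the drive-letter check would miss it.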

Microsoft has known about this zero-day vulnerability since October, and now that other malware campaigns are exploiting it, we expect to see the bug fixed as part of the December 2022 Patch Tuesday security updates.

QBot malware

QBot, also known as Qakbot, is Windows malware that started out as a banking Trojan but has evolved into a loader for other payloads.

Once loaded, the malware runs silently in the background, stealing emails for use in future phishing attacks and installing additional payloads such as Brute Ratel, Cobalt Strike, and other malware.

Installing the Brute Ratel and Cobalt Strike post-exploitation toolkits often leads to more disruptive attacks, such as data theft and ransomware attacks.

In the past, the Egregor and Prolock ransomware operations have partnered with QBot distributors to gain access to corporate networks. More recently, Black Basta ransomware attacks have been seen on networks after QBot infections.

