Advisory ID: NCC-CSIRT-2811-057
Summary: Security researcher ProxyLife discovered a new phishing campaign that exploits a Windows zero-day vulnerability to drop QBot malware without displaying Mark of the Web (MoTW) security warnings. The MoTW is an attribute that Windows adds to files downloaded from an untrusted remote location, such as the Internet or an email attachment. When a user tries to open a file that carries the MoTW attribute, Windows displays a security warning asking whether they are sure they want to open the file. Because of the exploit, QBot malware can be loaded onto a compromised device without triggering any Windows security alerts.
Vulnerable Platform(s): Windows Operating Systems
Threat Type:
- Phishing Attacks
- Malware
Product: Windows-based products
Version: All versions of Windows
Description: According to the researcher, threat actors have switched to a new phishing strategy to take advantage of the Windows Mark of the Web zero-day vulnerability: distributing JS files (plain text files containing JavaScript code) signed with forged signatures. The phishing attempt begins with an email that contains a link to an allegedly important document together with a password for the file. When the link is clicked, a password-protected ZIP archive is downloaded that contains another ZIP file and an IMG file. Normally, launching the JS file in Windows would produce a Mark of the Web security warning because the file originated from the Internet. However, the forged signature allows the JS script to run and load the malicious QBot program without triggering any Windows security alerts.
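The description above turns on one fact: the JS file still carries the Mark of the Web, but the forged signature stops Windows from acting on it. A defender therefore wants a check that reads the mark directly and decides on file origin and type alone, never on signature state. The following Python example is added here and is not part of the advisory or of any NCC-CSIRT tooling: it parses the `[ZoneTransfer]` block that Windows stores in a file's `Zone.Identifier` alternate data stream, reads that stream on NTFS when run on Windows, and applies a policy that blocks Internet-zone script files regardless of any signature. The zone-id names are the standard Windows URL security zones; the script-extension list, the `example.invalid` URLs in the constructed sample, and the block/warn/allow policy are assumptions made for this example.

```python
"""Classify downloaded files by their Mark of the Web (Zone.Identifier stream).

Added example: reads and parses the Zone.Identifier alternate data stream
and applies an origin-based policy that ignores Authenticode signatures.
"""
import os
import sys
from dataclasses import dataclass
from typing import Optional

# Windows URL security zone ids as written into Zone.Identifier (standard values).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Script-host extensions to treat as executable content. The advisory concerns .js;
# the remaining entries are an assumption made for this example.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Constructed sample of a Zone.Identifier stream for a file downloaded from the
# Internet zone (ZoneId=3). The URLs are placeholders, not from the advisory.
CONSTRUCTED_SAMPLE = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/document.zip\r\n"
)


@dataclass
class MotwInfo:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(stream_text: str) -> MotwInfo:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    zone_id = referrer = host = None
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            try:
                zone_id = int(value)
            except ValueError:
                zone_id = None  # malformed zone id: treat as unknown, not as local
        elif key == "referrerurl":
            referrer = value
        elif key == "hosturl":
            host = value
    return MotwInfo(zone_id, referrer, host)


def read_motw(path: str) -> Optional[MotwInfo]:
    """Read a file's Zone.Identifier alternate data stream (NTFS, Windows only).

    Returns None when the stream is absent, i.e. the file was never marked or
    the mark was stripped; callers must not read None as "safe".
    """
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def decide(filename: str, motw: Optional[MotwInfo]) -> str:
    """Return 'block', 'warn' or 'allow' for a file about to be opened.

    Policy (an assumption for this example): the decision depends only on the
    file's origin zone and extension. A signature, valid or forged, is never
    consulted, so the bypass the advisory describes cannot downgrade the result.
    """
    ext = os.path.splitext(filename)[1].lower()
    if motw is None or motw.zone_id is None:
        # Unmarked or unparseable: script content of unknown origin still gets a prompt.
        return "warn" if ext in SCRIPT_EXTENSIONS else "allow"
    if motw.zone_id >= 3 and ext in SCRIPT_EXTENSIONS:
        return "block"
    if motw.zone_id >= 3:
        return "warn"
    return "allow"


def demo() -> dict:
    """Apply the policy to the constructed sample; returns the decisions for inspection."""
    info = parse_zone_identifier(CONSTRUCTED_SAMPLE)
    return {
        "zone": ZONE_NAMES.get(info.zone_id, "unknown"),
        "document.js": decide("document.js", info),
        "document.pdf": decide("document.pdf", info),
    }


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        print(path, decide(path, read_motw(path)))
    if not sys.argv[1:]:
        print(demo())
```

Run with one or more file paths on Windows to evaluate real downloads; with no arguments it evaluates the constructed sample. The key design choice is that `read_motw` returning `None` means "no evidence", so a script file without a mark is still prompted rather than silently allowed.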
Consequences: QBot malware is loaded onto the compromised device without triggering any Windows security alerts.
Impact/Probability: HIGH/HIGH