Researchers have recently discovered a zero-day vulnerability that allows threat actors to run malware (opens in new tab) on target Windows endpoints (opens in new tab) without the victim devices raising any kind of alarms.
The vulnerability, which is still reportedly yet to be patched, allows threat actors to bypass Mark of the Web, a Windows feature that labels files downloaded from untrusted internet locations.
The malware being distributed is Qbot (AKA Quakbot), an old and well-known banking trojan, but one that still poses a major threat to victims.
Running ISO files
The distribution starts with a phishing email, which contains a link to a password-protected ZIP archive. That, in turn, carries a disk image file, either an .IMG or .ISO file which, if mounted, brings up a standalone JavaScript file with malformed signatures, a text file, and a folder with a .DLL file. The JavaScript file carries a VB script that reads the contents of the text file, which trigger the execution of the .DLL file.
As Windows did not label ISO images with Mark of the Web flags properly, they were allowed to launch without any warnings. In fact, on devices running Windows 10 or newer, simply double-clicking on a disk image file automatically mounts the file as a new drive letter.
This is not the first time hackers are abusing vulnerabilities surrounding the Mark of the Web feature. Recently, threat actors were observed deploying a similar method to distribute the Magniber ransomware, BleepingComputer says, reminding us of a recent HP report that discovered the campaign.
In fact, the same malformed key was used in both this, and the Magniber campaign, the publication found.
Microsoft has apparently been well aware of the flaw since at least October 2022, but has yet to release a patch just yet, but given that it’s now been observed as being used in the wild, it’s safe to assume we’ll see a fix as part of the upcoming December Patch Tuesday update.
Via: BleepingComputer (opens in new tab)
