Threat Actors Leverage Windows Zero-Day Vulnerability to Deploy QBot Malware
In a triple-threat assault on Microsoft® Windows® users, threat actors emboldened by a Windows zero-day vulnerability are using phishing attacks to deploy Qbot malware — without displaying a telltale Mark of the Web (MoTW) security warning to prevent the attack.
Normally, when files are downloaded from remote locations, such as the Internet or from email attachments, Windows will attach a specific attribute to the file known as Mark of the Web. This calling card is an alternate data stream that contains information about the file origins, the referrer, and its download URL. When a user attempts to open a file with the MoTW attribute, Windows will display a security warning and ask the user to verify that they want to open the file.
Zero-Day Vulnerabilities, Exploited
This signature, when attached to a file, bypasses the Microsoft SmartScreen and MoTW security warning, automatically causing windows to run the program — and any malicious code embedded by threat actors.
QBot Takes Advantage of Windows Zero-Day Vulnerability
QBot, also known as Qakbot, is Windows-based malware that started as a banking Trojan and later evolved into a malware dropper. Various ransomware gangs leverage QBot to gain access to corporate networks. Phishing is generally used to start the deployment process for QBot through malicious email attachments and similar lures.
When the link is clicked, a password-protected .zip file is downloaded, which contains another .zip file with an .img file inside.
After a short time, the malware loader will inject the QBot dynamic link library (DLL) into legitimate Windows processes to evade detection, allowing the threat actor to pursue its objectives unbeknownst to the user.
BlackBerry Customers Using CylancePROTECT and CylanceOPTICS Have Added Security From Exploits
If a file bypasses the Microsoft Defender SmartScreen safety feature, CylancePROTECT® is designed to prevent it from executing. The BlackBerry Product Security Team also recommends customers enable Script Control in CylancePROTECT to block execution of malicious scripts. It is important to note that CylancePROTECT and CylancePROTECT modules, such as Script Control, do not use or rely on the SmartScreen application and are therefore unaffected by this latest exploit.
Moreover, the MoTW bypass vulnerability is caused by malformed file signatures, often triggered by malicious email attachments or other phishing-related activities that can be difficult for legacy AV platforms to detect. BlackBerry recommends customers activate proprietary CylanceOPTICS® rules that can provide protection from threats which have invalid file signatures.
These recommended CylanceOPTICS rules include:
- Office Launched Unsigned Process: A Microsoft® Office application has spawned a new child process that is not signed.
- Internet Browser Launched Unsigned Process: An Internet browser has spawned a new child process that is not signed
BlackBerry also recommends users strictly follow the vendor upgrade or patching guidelines provided by Microsoft (when available) to reduce the risk on any potentially affected systems.