Threat Actors Leverage Windows Zero-Day Vulnerability to Deploy QBot Malware
Threat actors are exploiting a Microsoft® Windows® zero-day vulnerability in phishing campaigns that deliver QBot malware without triggering the Mark of the Web (MoTW) security warning that would normally give the user a chance to stop the attack.
Normally, when a file is downloaded from a remote location such as the Internet, or saved from an email attachment, Windows attaches an attribute to it known as the Mark of the Web. This calling card is an NTFS alternate data stream named Zone.Identifier that records the file's origin zone (ZoneId=3 for the Internet zone) and, where the downloading application supplies them, the referrer and download URL. When a user attempts to open a file that carries the mark, Windows runs it past Microsoft Defender SmartScreen and displays a security warning asking the user to confirm that they really want to open it.
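To make the mechanism concrete, here is an added PowerShell walkthrough (not code from the original post) that creates a local file, attaches the same Zone.Identifier stream a browser would write on download, reads it back, and removes it. The file name and the lure URLs are constructed for the demonstration; it needs a writable NTFS location such as $env:TEMP, because alternate data streams only exist on NTFS.

```powershell
# Added example, not from the original post. Demonstrates the Mark of the Web
# as an NTFS alternate data stream. The file name and URLs are constructed.
$sample = Join-Path $env:TEMP 'motw-demo.js'
Set-Content -Path $sample -Value 'WScript.Echo("demo");'

# A file created locally has only its unnamed data stream (':$DATA').
Get-Item -Path $sample -Stream * | Select-Object Stream, Length

# Attach the stream a browser or mail client writes on download.
# ZoneId=3 is the Internet zone; HostUrl and ReferrerUrl record where the
# file came from (a mail client typically writes only the ZoneId line).
$zoneIdentifier = @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://lure.example.invalid/invoice
HostUrl=https://lure.example.invalid/invoice/attachment.zip
"@
Set-Content -Path $sample -Stream Zone.Identifier -Value $zoneIdentifier

# The file now carries the mark. SmartScreen and the "Open File - Security
# Warning" prompt key off this stream when the user double-clicks the file.
Get-Item -Path $sample -Stream * | Select-Object Stream, Length
Get-Content -Path $sample -Stream Zone.Identifier

# Only NTFS can hold the stream: FAT volumes and ISO/IMG disk images have no
# alternate data streams, so a file placed inside such a container cannot
# carry its own mark; only the downloaded container does.

# Removing the mark is what the "Unblock" checkbox in Explorer does.
Unblock-File -Path $sample
Get-Item -Path $sample -Stream * | Select-Object Stream, Length   # Zone.Identifier is gone
Remove-Item -Path $sample
```

Run it in an elevated or normal Windows PowerShell session; each Get-Item call lists the streams present at that point, so the appearance and disappearance of Zone.Identifier is visible directly.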
Zero-Day Vulnerabilities, Exploited
After discovering phishing attacks that distributed Magniber ransomware as JavaScript files, researchers analyzed the files and found that this latest Windows zero-day could be exploited by appending a malformed Authenticode signature to the script: a base64-encoded signature block embedded in comments at the end of the file, in the format documented in a Microsoft support article.
When a file carrying this malformed signature is opened, the signature trips up the Microsoft SmartScreen check that should act on the MoTW attribute, so no security warning is displayed and Windows runs the script, along with any malicious code the threat actors embedded in it.
QBot Takes Advantage of Windows Zero-Day Vulnerability
QBot, also known as Qakbot, is Windows-based malware that began as a banking Trojan and later evolved into a malware dropper. Various ransomware gangs use QBot to gain initial access to corporate networks, and deployment generally starts with phishing: malicious email attachments, links, and similar lures.
After a Microsoft patch made QBot's previous delivery method less effective, the operators switched to this latest zero-day, distributing JavaScript (and other) files carrying the malformed signatures. The campaign begins with an email that contains a link to a lure document together with the password needed to open the file it delivers.
When the link is clicked, a password-protected .zip archive is downloaded; it contains a second .zip, which in turn holds an .img disk image.
On Windows® 10 and later, double-clicking an .img file mounts it as a new drive, from which its contents can be run directly. This particular image contains a set of files and folders arranged around a malicious JavaScript file that carries the malformed signature; opening it suppresses the MoTW security warning and allows the QBot loader to run.
Shortly afterwards, the loader injects the QBot dynamic link library (DLL) into legitimate Windows processes to evade detection, allowing the threat actor to pursue its objectives without the user noticing.
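Turning the chain above into something a defender can look for, the following added PowerShell hunt (not code from the original post or from BlackBerry) walks a user's download and temp folders for recently written disk images that still carry an Internet-zone mark, and for script files that contain an embedded signature block yet fail Authenticode verification, which is the malformed-signature pattern described above. The folder list, the seven-day window and the extension set are assumptions to tune for your environment.

```powershell
# Added example, not from the original post. Hunts for two artifacts of the
# chain described above: downloaded disk images carrying MoTW, and script files
# whose embedded signature block does not verify. Paths and extensions are assumptions.

function Get-MarkOfTheWeb {
    # Parses the Zone.Identifier stream; returns $null when the file has no mark.
    param([Parameter(Mandatory)][string] $Path)
    $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        ZoneId      = [int]$fields['ZoneId']     # 3 = Internet, 4 = Restricted sites
        HostUrl     = $fields['HostUrl']
        ReferrerUrl = $fields['ReferrerUrl']
    }
}

function Find-DownloadedDiskImages {
    # Disk images that arrived from the Internet zone. Files inside a mounted
    # image have no stream of their own, so the container is where the origin lives.
    param([string[]] $Root = @("$env:USERPROFILE\Downloads", $env:TEMP), [int] $Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Recurse -File -Include *.img, *.iso, *.vhd, *.vhdx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $motw = Get-MarkOfTheWeb -Path $_.FullName
            if ($motw -and $motw.ZoneId -ge 3) {
                [pscustomobject]@{ Path = $_.FullName; ZoneId = $motw.ZoneId; HostUrl = $motw.HostUrl }
            }
        }
}

function Find-MalformedScriptSignatures {
    # Script files that carry an embedded signature block (for .js it starts with
    # "// SIG // Begin signature block", for .ps1 with "# SIG # Begin signature block",
    # .wsf uses a <signature> element) but do not verify. A genuinely signed script
    # reports Status 'Valid'; anything else on a file that has a block is worth a look.
    param([string[]] $Root = @("$env:USERPROFILE\Downloads", $env:TEMP), [int] $Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Recurse -File -Include *.js, *.jse, *.vbs, *.vbe, *.wsf, *.ps1 -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text -or $text -notmatch 'Begin signature block|<signature>') { return }
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Status  = $sig.Status          # e.g. HashMismatch, NotSigned, UnknownError
                    Message = $sig.StatusMessage
                    HasMoTW = [bool](Get-MarkOfTheWeb -Path $_.FullName)
                }
            }
        }
}

# Usage:
Find-DownloadedDiskImages      | Format-Table -AutoSize
Find-MalformedScriptSignatures | Format-Table -AutoSize
```

A script that turns up in the second list with HasMoTW set to False is the case to prioritize: it arrived inside a container, and if it had been launched, the signature check rather than the mark would have decided whether the user saw a warning.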
BlackBerry Customers Using CylancePROTECT and CylanceOPTICS Have Added Security From Exploits
If a file bypasses the Microsoft Defender SmartScreen safety feature, CylancePROTECT® is designed to prevent it from executing. The BlackBerry Product Security Team also recommends that customers enable Script Control in CylancePROTECT to block execution of malicious scripts. Note that CylancePROTECT and its modules, such as Script Control, do not use or rely on SmartScreen and are therefore unaffected by this exploit.
Moreover, because the MoTW bypass is triggered by malformed file signatures, typically delivered through malicious email attachments or other phishing activity, it can be difficult for legacy AV platforms to detect. BlackBerry recommends that customers activate the proprietary CylanceOPTICS® rules that flag processes lacking a valid file signature.
These recommended CylanceOPTICS rules include:
- Office Launched Unsigned Process: A Microsoft® Office application has spawned a new child process that is not signed.
- Internet Browser Launched Unsigned Process: An Internet browser has spawned a new child process that is not signed.
BlackBerry also recommends users strictly follow the vendor upgrade or patching guidelines provided by Microsoft (when available) to reduce the risk on any potentially affected systems.