This new malware can bypass all Microsoft security warnings
Researchers recently discovered a zero-day vulnerability that lets threat actors run malware on a target Windows endpoint without the device raising any security warning.
The vulnerability, which is believed to remain unpatched, allows threat actors to bypass Mark of the Web (MotW), the Windows feature that tags files downloaded from untrusted internet locations (via the Zone.Identifier alternate data stream) so that SmartScreen and Office Protected View can warn before they are opened or run.
The malware being distributed is Qbot (also known as Qakbot), an old and well-known banking trojan that is still a major threat to victims.
Run the ISO file
Distribution begins with a phishing email containing a link to a password-protected ZIP archive. The archive in turn carries a disk image file (.IMG or .ISO) which, once mounted, exposes a standalone JavaScript file with a malformed signature, a text file, and a folder containing the malicious .DLL. The JavaScript file contains a VB script that reads the contents of the text file, which in turn triggers execution of the .DLL.
Because Windows does not properly propagate the Mark of the Web to the contents of a disk image, the script launches without any warning. On Windows 10 and later, simply double-clicking an .ISO or .IMG file mounts it as a new drive letter, so the victim sees what looks like an ordinary folder of files.
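To see the mechanism described above for yourself, the following script (an added example, not code from the original article, from BleepingComputer or from HP) audits a directory tree for Mark of the Web: it reads each file's Zone.Identifier stream, flags unmarked script and binary types that Windows would launch from a double-click without a SmartScreen prompt, reports the Authenticode status for triage, and can optionally tag unmarked files as Internet-origin. The default path D:\ and the list of "risky" extensions are assumptions for the example.

```powershell
# Added example: audit Mark of the Web (the Zone.Identifier alternate data
# stream) on files under a path, e.g. the drive letter of a mounted disk
# image or a folder its contents were copied to. Not from the original page.
param(
    [string]$Path = "D:\",   # assumed: drive letter of the mounted image
    [switch]$Apply           # write ZoneId=3 to unmarked files (NTFS only)
)

# Assumed list of extensions Windows executes directly from a double-click.
$riskyExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta',
                     '.lnk', '.exe', '.dll', '.scr', '.cmd', '.bat', '.ps1')

function Get-MotwZone {
    # Returns the ZoneId from the file's Zone.Identifier stream,
    # or $null when the file carries no Mark of the Web at all.
    param([string]$FilePath)
    try {
        $lines = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no such stream: the file is unmarked
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $zone = Get-MotwZone -FilePath $_.FullName
    $ext  = $_.Extension.ToLowerInvariant()

    if ($null -ne $zone) { $status = "ZoneId=$zone" }
    elseif ($riskyExtensions -contains $ext) { $status = 'UNMARKED (would run without warning)' }
    else { $status = 'unmarked' }

    # Authenticode status is informative for signed script types: a signature
    # that fails to parse does not come back as Valid.
    $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Status

    [pscustomobject]@{ File = $_.FullName; MotW = $status; Signature = $sig }

    if ($Apply -and $null -eq $zone) {
        # Tag the file as Internet-origin (zone 3) so SmartScreen and
        # Protected View treat it like any other download.
        Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    }
}
```

Mount a suspicious image only inside an isolated analysis VM, for example with `Mount-DiskImage -ImagePath .\sample.iso -PassThru | Get-Volume` to learn the assigned drive letter, then run the script against that letter. A mounted ISO is read-only, so `-Apply` is only useful after the contents have been copied to an NTFS volume; the reverse operation, removing the mark, is what `Unblock-File` does.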
This is not the first time attackers have abused weaknesses around the Mark of the Web feature. Threat actors were recently observed using a similar technique to distribute the Magniber ransomware, BleepingComputer notes, pointing to a recent HP report that uncovered that campaign.
In fact, the same malformed signature was used in both this and the Magniber campaign, the publication found.
Microsoft has apparently been aware of this vulnerability since at least October 2022 but has yet to release a patch. Since the bypass is now being exploited in the wild, it is reasonable to expect a fix in the upcoming December Patch Tuesday update.
Via: BleepingComputer