New phishing campaigns are dropping the QBot malware by abusing a Windows zero-day vulnerability that suppresses the Mark of the Web security warnings.
The Mark of the Web is a special attribute that Windows adds to files when they are downloaded from an untrusted remote location, such as the Internet or an email attachment.
The Mark of the Web (MoTW) is stored in an alternate data stream named Zone.Identifier and records details about the file, including its referrer, its download URL, and the URL security zone it came from.
When a user tries to open a file that has a MoTW attribute, Windows will ask them if they are sure they want to access the file by displaying a security warning.
“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.
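The following PowerShell snippet is an added example (not part of the original article) showing how the MoTW described above can be inspected and how a folder such as a freshly mounted IMG/ISO drive can be checked for scripts that lack it or carry a signature Windows does not consider valid. It assumes an NTFS volume (alternate data streams do not exist on FAT/exFAT); the demo file name and the HostUrl value are constructed.

```powershell
# Added example: inspect the Mark of the Web on files.
# MoTW lives in an NTFS alternate data stream named Zone.Identifier; ZoneId=3 means
# URLZONE_INTERNET, which is what triggers the "file from the Internet" warning.

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    $info = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    try {
        # Get-Content -Stream reads the alternate data stream; it throws if the stream is absent.
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $info.HasMotw = $true
        foreach ($line in $lines) {
            if     ($line -match '^ZoneId=(\d)$')      { $info.ZoneId      = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$')     { $info.HostUrl     = $Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$') { $info.ReferrerUrl = $Matches[1] }
        }
    } catch {
        # No Zone.Identifier stream: the file carries no MoTW and opens without a warning.
    }
    [pscustomobject]$info
}

function Get-ScriptRisk {
    # Walk a folder (for example a mounted IMG/ISO drive letter) and report, per script-like
    # file, whether MoTW is present and what Windows thinks of its Authenticode signature.
    # A script with no MoTW, or a signature status other than Valid, deserves a closer look.
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -Recurse -File -Include *.js,*.jse,*.vbs,*.vbe,*.wsf |
        ForEach-Object {
            $motw = Get-MotwInfo -Path $_.FullName
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                HasMotw   = $motw.HasMotw
                ZoneId    = $motw.ZoneId
                SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

# Demo with a constructed file: stamp a Zone.Identifier stream the way a browser would
# (Set-Content -Stream writes the named alternate data stream), then read it back.
$demo = Join-Path $env:TEMP 'motw-demo.js'     # constructed demo path
Set-Content -LiteralPath $demo -Value 'WScript.Echo("hello");'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/WW.js'      # constructed URL
)
Get-MotwInfo -Path $demo | Format-List

# Unblock-File deletes the stream, which is what the "Unblock" checkbox in file Properties does.
Unblock-File -LiteralPath $demo
Get-MotwInfo -Path $demo | Format-List

# Check every script on a mounted image, e.g. Get-ScriptRisk -Folder 'E:\'
```

Run Get-ScriptRisk against a mounted image after double-clicking an IMG or ISO: on a system where MoTW propagation into disk images is broken, the contained scripts show HasMotw as False even though the image itself was downloaded.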
The HP threat intelligence team revealed last month that JavaScript files were being used in a phishing attack to spread the Magniber ransomware.
These standalone JavaScript files, which have the .JS extension and are run by the Windows Script Host (wscript.exe), are not the same as the JavaScript used on web pages.
Will Dormann, a senior vulnerability analyst at ANALYGENCE, examined the files and found that the threat actors were using a new Windows zero-day flaw that prevented the display of Mark of the Web security warnings.
To exploit this vulnerability, a JS file (or other types of files) could be signed using an embedded base64-encoded signature block, as described in a Microsoft support article.
However, when a malicious file with one of these malformed signatures is opened, instead of being flagged by Microsoft SmartScreen and showing the MoTW security warning, Windows automatically allows the program to run.
QBot malware campaign uses Windows zero-day
Recent QBot malware phishing campaigns have distributed password-protected ZIP archives containing ISO images. These ISO images contain a Windows shortcut and DLLs to install the malware.
ISO images were being used to distribute the malware as Windows was not correctly propagating the Mark of the Web to files within them, allowing the contained files to bypass Windows security warnings.
As part of the Microsoft November 2022 Patch Tuesday, security updates were released that fixed this bug, causing the MoTW flag to propagate to all files inside an opened ISO image, fixing this security bypass.
In a new QBot phishing campaign discovered by security researcher ProxyLife, the threat actors have switched to the Windows Mark of the Web zero-day vulnerability by distributing JS files signed with malformed signatures.
This new phishing campaign starts with an email that includes a link to an alleged document and a password to the file.
When the link is clicked, a password-protected ZIP archive is downloaded that contains another ZIP file, which in turn contains an IMG file.
In Windows 10 and later, when you double-click on a disk image file, such as an IMG or ISO, the operating system will automatically mount it as a new drive letter.
This IMG file contains a .js file (‘WW.js’), a text file (‘data.txt’), and a folder containing a DLL file renamed to a .tmp file (‘resemblance.tmp’). It should be noted that the file names change per campaign, so they should not be considered static indicators.
The JS file contains a script that reads the data.txt file, which holds the string ‘vR32’, and appends that string to the argument of a ShellExecute call so that the ‘port/resemblance.tmp’ DLL is loaded; splitting the command this way keeps the full regsvr32 string out of the script itself. In this particular email, the reconstructed command is:
regSvR32 port\resemblance.tmp
A Mark of the Web security warning would appear if you launched the JS file in Windows because it comes from the Internet.
The JS script is, however, signed using the same malformed signature that was used in the Magniber ransomware campaigns to exploit the Windows zero-day vulnerability.
Because of this malformed signature, the JS script runs and loads the QBot malware without triggering any security alerts from Windows.
After a short period, the malware loader injects the QBot DLL into legitimate Windows processes, such as wermgr.exe or AtBroker.exe, to evade detection.
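The execution chain described above (wscript.exe launching regsvr32 on a renamed DLL) is a detectable pattern independent of the file names, which change per campaign. The following PowerShell is an added example, not the article's or the researchers' code: it flags regsvr32 invocations whose target does not have a normal COM-server extension or whose parent is a script host, runs the check over constructed sample records, and optionally applies it to Sysmon process-creation events. The Sysmon channel name and field names (Image, CommandLine, ParentImage) are the standard Event ID 1 ones; the sample records are constructed, not real telemetry.

```powershell
# Added example: detect the regsvr32 abuse pattern described above.
# Two things about the reconstructed command are unusual: regsvr32 is launched by the
# Windows Script Host rather than by an installer, and it is handed a file whose
# extension is not .dll/.ocx/.ax.

function Test-SuspiciousRegsvr32 {
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$ParentImage = ''
    )
    if ([IO.Path]::GetFileName($Image) -notmatch '^regsvr32\.exe$') { return $false }

    # Tokenise the command line (quoted paths kept whole), drop argv[0] and switches (/s /i:x /u ...).
    $tokens = [regex]::Matches($CommandLine, '"[^"]*"|\S+') |
              ForEach-Object { $_.Value.Trim('"') } |
              Select-Object -Skip 1 |
              Where-Object { $_ -notmatch '^[/-]' }
    $target = $tokens | Select-Object -First 1
    if (-not $target) { return $false }

    $ext          = [IO.Path]::GetExtension($target).ToLowerInvariant()
    $oddExtension = $ext -notin @('.dll', '.ocx', '.ax')
    $scriptParent = [IO.Path]::GetFileName($ParentImage) -match '^(wscript|cscript|mshta)\.exe$'
    return ($oddExtension -or $scriptParent)
}

# Constructed sample records modelled on the campaign plus benign activity for contrast.
$samples = @(
    @{ Image = 'C:\Windows\System32\regsvr32.exe'; CommandLine = 'regSvR32 port\resemblance.tmp';
       ParentImage = 'C:\Windows\System32\wscript.exe' },                       # the campaign pattern
    @{ Image = 'C:\Windows\System32\regsvr32.exe'; CommandLine = 'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"';
       ParentImage = 'C:\Program Files\Vendor\setup.exe' },                     # benign COM registration
    @{ Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c dir';
       ParentImage = 'C:\Windows\explorer.exe' }                                # not regsvr32 at all
)
foreach ($s in $samples) {
    [pscustomobject]@{ CommandLine = $s.CommandLine; Suspicious = (Test-SuspiciousRegsvr32 @s) }
}

# Live variant: apply the check to Sysmon process-creation events (Event ID 1), if Sysmon
# is installed. Security event 4688 can be used instead if command-line auditing is enabled,
# but its field names differ.
function Find-SuspiciousRegsvr32 {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.Image -and $d.CommandLine -and
                (Test-SuspiciousRegsvr32 -Image $d.Image -CommandLine $d.CommandLine -ParentImage $d.ParentImage)) {
                [pscustomobject]@{ Time = $_.TimeCreated; Parent = $d.ParentImage; CommandLine = $d.CommandLine }
            }
        }
}
```

The extension check alone will produce some noise (legitimate software occasionally registers servers with unusual extensions), so in practice the parent-process condition is the stronger signal; combining both, as the function does, keeps the benign installer sample out of the results while still catching the campaign's command.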
Microsoft has known about this zero-day vulnerability since October, and now that other malware campaigns are exploiting it, we will hopefully see the bug fixed as part of the December 2022 Patch Tuesday security updates.
The QBot malware
QBot, also known as Qakbot, is Windows malware that was initially developed as a banking trojan but has evolved into a malware dropper.
Once loaded, the malware steals emails for use in further phishing attacks and quietly runs in the background, installing other payloads such as Brute Ratel, Cobalt Strike, and additional malware.
Data theft and ransomware attacks are frequently launched after installing the Brute Ratel and Cobalt Strike post-exploitation toolkits.
In the past, the QBot distributors collaborated with the Egregor and ProLock ransomware operations to gain access to corporate networks. More recently, networks infected with QBot have begun to experience Black Basta ransomware attacks.