A new phishing campaign has been discovered to be using a Windows zero-day vulnerability to carry out its malicious activities. The campaign leads users to install Qbot malware on their systems.
By default, when users download unknown content from the Internet, Windows marks this file with a setting known as “Mark of the Web (MoTW)”. This small attribute tells Windows that the file was downloaded from an external source, and therefore should be considered “unknown”.
This is what allows the system to present a small window to users, asking if they really want to open the file – as well as an indication that it originated from unknown sources and may contain malware.
However, Security investigators From the company ANALYGENCE, it recently revealed that it has discovered a new malware campaign, in which attackers are able to circumvent this system by exploiting a vulnerability in the Windows operating system. When exploited, files downloaded from the Internet can bypass MoTW protection, which basically allows them to run without any kind of alert, bypassing protections like Microsoft SmartScreen.
With this, Windows allows files to be executed directly, which leads to malware installation.
Campaign use javascript files To distribute malicious content, these files are executed directly on the system by the Windows Script Host (wscript.exe). However, these files were usually distributed as .ISO image files, which ignored the MoTW attributes when extracted to the system.
Criminals will take advantage of this to execute files without the traditional Windows wake. Microsoft will fix this issue in the meantime with its latest Patch Tuesday update, though the main recommendation is still that users be careful about where they download files and where they come from.