Recent phishing attacks use a zero-day Windows vulnerability to drop the Qbot malware without displaying Windows’ usual security warnings, BleepingComputer reports.

When users download files from an ‘untrusted’ remote location, such as an Internet website or an email attachment, Windows adds a special attribute to the file called ‘Mark of the Web’ (MoTW). The attribute contains information about the file, BleepingComputer explains. Among other things, the MoTW attribute can reveal the URL security zone the file originates from.

Windows uses URL security zones to group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust. The MoTW can include data on the file’s referrer as well as the actual URL from which the file was downloaded. When a user tries to open a file with a MoTW attribute, Windows displays a security warning asking if they are sure they wish to open the file.
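As an added example (not code from the article or from BleepingComputer), the following Python reads that attribute, which Windows stores in the file's `Zone.Identifier` alternate data stream, and maps the zone ID to its security zone; the sample stream contents and the example.com URLs are constructed for illustration.

```python
# Windows URL security zone IDs (documented values); 3 and 4 are the untrusted zones.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# NTFS alternate data stream that stores the Mark of the Web.
MOTW_STREAM = "Zone.Identifier"


def parse_zone_identifier(text):
    """Parse the INI-style body of a Zone.Identifier stream into a dict,
    or return None when no valid [ZoneTransfer] ZoneId is present."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId", "")
    if not zone.isdigit():
        return None  # missing or malformed ZoneId: no usable MoTW
    zone_id = int(zone)
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "untrusted": zone_id >= 3,  # Internet or Restricted Sites zone
        "referrer": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
    }


def read_motw(path):
    """Read a file's MoTW from its alternate data stream (NTFS only).
    Returns None when the stream is absent, e.g. on non-NTFS volumes."""
    try:
        with open(f"{path}:{MOTW_STREAM}", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


# Constructed sample of the stream Windows writes for an Internet-zone download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/"
                 "\r\nHostUrl=https://example.com/invoice.js\r\n")
```

Because the signature trick in the campaign below suppresses the warning rather than the attribute itself, a defender can still use the zone recorded here to flag JS files that arrived from the Internet zone, whether or not Windows prompted the user.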

Last month, HP’s threat intelligence team disclosed that phishing attackers were distributing Magniber ransomware through JavaScript files. Will Dormann, a senior vulnerability analyst at Analygence, discovered that the attackers used a new Windows zero-day vulnerability that prevents security warnings from popping up.

How the attack works

Cyberattackers could exploit the vulnerability by digitally signing a JS file using an embedded base64-encoded signature block.

This week, security researcher ProxyLife discovered a new QBot phishing campaign. It seems the threat actors are exploiting the Windows MoTW zero-day vulnerability by distributing JS files signed with malformed signatures. When a malicious file with one of these malformed signatures is opened, Windows automatically allows the program to run rather than first displaying the MoTW warning.

The phishing campaign starts with an email that includes a link to an alleged document and a password to the file. When the file is opened, it loads the Qbot malware. QBot, also known as Qakbot, was initially developed as a banking trojan. It evolved into a malware dropper over time.

Once loaded, the malware quietly runs in the background, stealing emails for use in further phishing attacks and installing additional payloads such as Brute Ratel, Cobalt Strike and other malware.