Security researchers recently disclosed a critical vulnerability that allows attackers to run malware on Windows PCs without triggering any kind of alarm on the targeted devices.
The vulnerability, which has not yet been patched, allows hackers to bypass Mark of the Web, a Windows feature that labels files downloaded from untrusted websites.
The malware distributed through the vulnerability is Qbot, a Trojan. It is banking malware, and although it is old and well known, it still poses a serious threat to victims.
Security researchers have determined that distribution of the malware, also known as Quakbot, begins with a phishing email containing a link to a password-protected ZIP archive.
The ZIP archive contains an ISO or IMG disc image file which, when opened, shows a standalone JavaScript file carrying a malformed signature, a text file, and a folder containing a DLL file. The JavaScript file loads a VBScript that reads the contents of the text file, which in turn runs the DLL.
Because Windows did not correctly tag the ISO disc image with Mark of the Web, the malware ran without any warning. On Windows 10 and Windows 11, double-clicking a disk image file automatically mounts it as a new drive letter.
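Mark of the Web is stored as an NTFS alternate data stream named Zone.Identifier. The following Python, an added example and not code from the original article, parses that stream and classifies a download for triage; the sample stream text and file names are constructed, and the disk-image check simply mirrors the chain described above (contents of a mounted ISO/IMG carry no tag).

```python
"""Check whether downloaded files carry Mark of the Web (Zone.Identifier ADS)."""
import configparser
import os
from typing import Optional

# Zone ids as written into the Zone.Identifier stream by browsers and mail clients.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

# Disk image types used in the chain above; their mounted contents get no MotW.
DISK_IMAGE_EXTS = {".iso", ".img"}


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Parse the INI-style Zone.Identifier stream and return ZoneId, or None."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return None
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        return int(parser.get("ZoneTransfer", "ZoneId"))
    except ValueError:
        return None


def read_zone_identifier(path: str) -> Optional[int]:
    """Read the file's Zone.Identifier stream (NTFS on Windows); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None  # no stream means no Mark of the Web on this file


def triggers_warning(zone_id: Optional[int]) -> bool:
    """Windows warns (SmartScreen / Open File) only for Internet and Restricted zones."""
    return zone_id is not None and zone_id >= 3


def assess(filename: str, zone_id: Optional[int]) -> str:
    """Triage label: 'tagged', 'untagged-disk-image' (mounts without MotW) or 'untagged'."""
    if triggers_warning(zone_id):
        return "tagged"
    if os.path.splitext(filename)[1].lower() in DISK_IMAGE_EXTS:
        return "untagged-disk-image"
    return "untagged"


# Constructed sample stream, as a browser would write it for an Internet download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/x.zip\r\n"
```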
This is not the first time attackers have abused weaknesses around the Mark of the Web feature. According to the website Bleeping Computer, and to a recent HP report that discovered the campaign, attackers recently used a similar method to distribute the Magniber ransomware. The same malformed signature was used in both this campaign and the Magniber campaign.
Microsoft is believed to have known about the vulnerability since last October but has not released a patch. Now that the company is aware the vulnerability is being actively exploited, a fix is expected in the Patch Tuesday update this coming December.