
Malicious JS files deploy QBot malware exploiting Windows 0-day


In a new QBot phishing campaign spotted by security researcher Proxylife, threat actors are distributing JavaScript files that carry malformed embedded code signatures. The malformed signature defeats the Mark of the Web (MOTW) security warning that Windows would otherwise display for a downloaded file, so the malicious payload runs on victims' computers unchecked.

Whenever a file is downloaded from an untrusted source such as the Internet zone, the browser or mail client that saves it has Windows attach a Mark of the Web (MOTW): a Zone.Identifier alternate data stream recording which zone the file came from. When the file is later opened or executed, Windows warns that it comes from an untrusted source and should not be opened unless the user trusts where it came from.

The new campaign signs the JavaScript files with an embedded base64-encoded signature block in the format Microsoft documents for signed scripts in a support article. When a file carrying one of these malformed signatures is opened, the check that would normally surface the MOTW security warning fails without displaying it, and the script runs on the victim's system unchecked.

The revelation follows the HP threat intelligence team's discovery in October of a phishing campaign distributing the Magniber ransomware via JavaScript files. Will Dormann, a senior vulnerability analyst at Analygence, then found that those JavaScript files exploited a previously unknown Windows zero-day to bypass the Mark of the Web security warnings.

The infection chain starts with the user visiting a malicious URL and downloading a password-protected ZIP archive. Inside it is a second ZIP archive, which in turn contains an ISO image. Because Windows 10 and later mount an ISO as a drive when it is double-clicked, the user sees the image's contents directly: a JavaScript file (WW.js), a text file and a folder holding a DLL. Running WW.js infects the target PC without any security warning from Windows.

Attackers have abused ISO files to distribute QBot before, relying on a different MOTW weakness: Windows did not propagate the MOTW flag to the files inside a mounted ISO image, so they ran without a warning even when the downloaded image itself carried the mark. Microsoft fixed that bug in the November 2022 Patch Tuesday updates, so the flag now propagates to the contents of ISO files downloaded from untrusted sources.
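The two checks the article describes, reading a file's Mark of the Web and looking at the embedded signature block of a .js file, as an added triage example that is not code from the article or from any of the researchers it cites. It assumes the `// SIG // Begin signature block` comment format that Windows Script Host uses for signed .js files; the DER check is only a structural heuristic, not a signature verification; and the sample zone stream and scripts are constructed. `read_zone_identifier()` is also how one checks whether files taken from a mounted ISO actually inherited the mark.

```python
"""Added triage helper: inspect a downloaded .js file's Mark of the Web and
its embedded Windows Script Host signature block. The '// SIG //' format and
the DER heuristic are assumptions, not taken from the article."""
import base64
import binascii
import re
from pathlib import Path

# Signed WSH scripts end with a base64 PKCS#7 blob wrapped in these markers.
SIG_BLOCK_RE = re.compile(
    r"// SIG // Begin signature block\r?\n(.*?)// SIG // End signature block",
    re.S,
)


def read_zone_identifier(path):
    """Return the Zone.Identifier alternate data stream, or None if absent.

    Works on NTFS (Windows); elsewhere the stream never exists. Run it on
    files copied out of a mounted ISO to see whether MOTW propagated."""
    try:
        return Path(f"{path}:Zone.Identifier").read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None


def parse_zone_identifier(stream_text):
    """Parse the INI-style stream into a dict of the [ZoneTransfer] keys."""
    info, section = {}, None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    return info


def has_mark_of_the_web(stream_text):
    """ZoneId 3 (Internet) or 4 (Restricted) is what triggers the MOTW warning."""
    zone = parse_zone_identifier(stream_text).get("ZoneId")
    return zone is not None and zone.isdigit() and int(zone) >= 3


def extract_signature_block(js_text):
    """Return the decoded signature bytes, None if no block is present, or
    raise ValueError when a block exists but its base64 payload won't decode."""
    match = SIG_BLOCK_RE.search(js_text)
    if match is None:
        return None
    b64 = "".join(line.replace("// SIG //", "", 1).strip()
                  for line in match.group(1).splitlines())
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"signature block is not valid base64: {exc}") from exc


def der_is_well_formed(blob):
    """Cheap structural check: PKCS#7 SignedData is a DER SEQUENCE (tag 0x30)
    whose encoded length must equal the number of remaining bytes."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)


def triage(js_text, zone_stream):
    """Summarise what an analyst wants to know about a downloaded .js file."""
    verdict = {"motw": zone_stream is not None and has_mark_of_the_web(zone_stream),
               "signature_block": "absent"}
    try:
        blob = extract_signature_block(js_text)
    except ValueError:
        verdict["signature_block"] = "malformed"
        return verdict
    if blob is not None:
        verdict["signature_block"] = "well-formed" if der_is_well_formed(blob) else "malformed"
    return verdict


# Constructed samples (not real campaign artefacts).
SAMPLE_ZONE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                      "HostUrl=https://example.invalid/WW.zip\r\n")
# MAMCAQU= is DER for SEQUENCE { INTEGER 5 }: structurally valid, not a real signature.
SAMPLE_SIGNED_JS = ("WScript.Echo('hello');\r\n// SIG // Begin signature block\r\n"
                    "// SIG // MAMCAQU=\r\n// SIG // End signature block\r\n")
# AAAA decodes to three zero bytes, which is not a DER SEQUENCE.
SAMPLE_MALFORMED_JS = SAMPLE_SIGNED_JS.replace("MAMCAQU=", "AAAA")

if __name__ == "__main__":
    for name, js in (("signed", SAMPLE_SIGNED_JS), ("malformed", SAMPLE_MALFORMED_JS)):
        print(name, triage(js, SAMPLE_ZONE_STREAM))
```

Against a real download, pass `read_zone_identifier(path)` and the file's text to `triage()`. A verdict of `motw: True` together with `signature_block: malformed` is exactly the combination this campaign relies on, and it is a reason to inspect the file rather than to trust the absence of a warning.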


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
