To discover Security researchers have recently released a critical vulnerability that allows hackers to run malware on Windows PCs without the targeted devices triggering any sort of alarms.
The vulnerability, which has not yet been patched, allows hackers to bypass Mark of the Web, a Windows feature that tags files downloaded from untrusted websites.
The malware distributed through the vulnerability is Qbot, which belongs to the category of software trojans, it is a software intended for the banking sector, and although it is old and well known, it still poses a great threat to the victims.
explained Security researchers have determined that the distribution of the malware, also known as Quakbot, begins with a phishing email containing a link to a password-protected ZIP archive.
The ZIP archive contains an ISO or IMG disk image file which, when downloaded, displays a self-contained JavaScript file with garbled signatures, a text file, and a folder with a DLL file. The javascript file loads a VB script which reads the contents of the text file, which then executes the DLL file.
Since Microsoft’s Windows system did not correctly name the ISO disk image file with Mark of the Web, it allowed the software to run without any warning. On Windows 10 or Windows 11 devices, double-clicking a disk image file will automatically mount the file as a new drive letter.
Interestingly, this isn’t the first time hackers have abused vulnerabilities surrounding the Mark of the Web feature, recently hackers were observed to have released a similar method to distribute Magniber ransomware, according to the website Computer that playsas well as a recent HP report uncovering the campaign. It was also noted that the same twisted key was used in both this campaign and the Magniber campaign.
It is believed that Microsoft has been aware of the vulnerability since last October, but has not released a patch for it, but given that the company realizes that the vulnerability is indeed being exploited, it is expected that they will release a patch for it in the Patch Update of the Tuesday for next December.
