Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Windows zero-day vulnerability exploited by hackers

Hackers are bypassing Windows’ security warnings issued for questionable software thanks to a new Windows zero-day vulnerability.

user iconDaniel Croft
Tue, 22 Nov 2022
Windows zero-day vulnerability exploited by hackers
expand image

The zero-day vulnerability allows JavaScript (JS) files to bypass security warnings.

The bypass disables Mark of the Web (MoTW), which is a piece of code that is added to files downloaded from untrustworthy locations, indicating where it came from for security purposes.

The vulnerability is being used to deliver QBot malware, a phishing tool designed to steal passwords. It is often delivered via email, but when an individual usually opens a malicious file infected with QBot, windows will issue a MoTW warning, deterring the user from proceeding. The new exploit works around this.

============
============

“While files from the internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” says the warning.

The workaround was discovered by senior vulnerability analyst for ANALYGENCE, Will Dormann. Without the MoTW warnings being displayed, users are much more likely to launch software that could steal or lock down their personal data.

As the vulnerability allows JS files to bypass security messages, hackers have been signing JS or other file types with an embedded base64 encoded signature block.

When Microsoft SmartScreen sees the file and modified signature, it then doesn’t flag it as dangerous, but instead allows it to run automatically.

QBot was originally distributed through a phishing campaign that used ISO images, as Windows was not correctly assigning MoTW to files within.

When Microsoft released its November 2022 patch, it fixed the issue by causing MoTW to propagate all files within an ISO image. Since then, hackers have switched to signing JS files with changed signatures as a means of avoiding security warning messages.

Microsoft has not announced a date for when it expects the exploit to be entirely patched but is actively working on it.

“This is only the beginning — changes take time,” Microsoft’s Bill Demirkapi said with the release of the last patch.

“There are still variants and other MoTW issues that we recently became aware of. Although MotW bypasses do not typically meet MSRC’s bar for servicing, we can make exceptions for issues that are exploited in the wild.”

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.