Multiple Threat Actors Exploiting Windows 0Day That Prevents Generation of MotW Warnings

A phishing campaign has been detected that exploits a zero-day Windows vulnerability to drop Qbot malware, a password-stealing Trojan cum malware dropper. QBot has been observed delivering the Brute Ratel and Cobalt Strike post-exploitation tool kits, and ransomware payloads such as Egregor and Black Basta.

When files are downloaded from the Internet from untrusted locations, a Mark of the Web attribute is added to the files that generate a pop-up security warning to alert the user that the file could potentially harm their computer, and to only proceed with opening the file if the user trusts the source of the file.

In the phishing campaign, a Windows zero-day vulnerability is exploited which prevents the Mark of the Web attribute from being added to the file, thus ensuring no security warning is generated. Double-clicking the file attachment will execute the file and will drop QBot malware.

In this phishing campaign, a link is supplied to a password-protected ZIP archive, with the password for opening the file included in the email. Within that ZIP archive is another ZIP file, which contains an IMG file. On Windows 10 and later, if these files are opened the disk image will be mounted on a new drive.

The IMG file includes a .JS file, and .txt file, and a DLL file named as a .tmp file. If run, the .JS file reads the text file, and executes the DLL file, and injects QBot into a legitimate Windows process to prevent detection. The .JS file has a malformed signature which exploits the Windows zero-day to prevent the Mark of the Web warning from being displayed.

Last month, ANALYGENCE senior vulnerability analyst, Will Dormann, reported that a phishing campaign was exploiting the vulnerability to deliver malware. Dormann suggested in an interview with Bleeping Computer that the zero-day bug appears to be related to SmartScreen, which was introduced in Windows 10. The latest campaign exploiting the vulnerability to drop QBot was identified by security researcher ProxyLife. Microsoft is aware of the bug and is expected to issue a fix on December Patch Tuesday.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of