
Hackers Use Zero-Day To Sneak Through Windows Security

Cybercriminals have found a way to get malicious code onto their victims’ systems via manipulated email attachments without triggering the usual security warning. A zero-day vulnerability in Windows is exploited.

This emerges from a report by Bleeping Computer. Security researchers at Trend Micro had already reported a similar phenomenon about a month ago, after which Microsoft fixed an initial signature-related vulnerability on the November Patch Day.

Phishing attacks have now become known that exploit a Windows vulnerability to spread the Qbot malware without displaying the so-called “Mark of the Web” security warning.

These warnings usually appear when files come from an untrusted location, such as an Internet download or an email attachment; Windows tags such files with the special Mark of the Web (MotW) attribute.

The MotW attribute decides whether files run

Normally, when a user tries to open a file with a MotW attribute, Windows displays a security warning and asks if the user really wants to open the file.

“While files from the Internet can be useful, this type of file can potentially damage your computer. If you do not trust the source, do not open this software,” Windows warns. The zero-day vulnerability now bypasses this MotW check: Windows runs the program without prompting, so the malware reaches the victim’s system unchallenged. In the recently discovered Qbot campaigns, the attackers distribute JS files carrying malformed signatures.
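To make the MotW mechanism concrete for triage, the following added example (not code from the article, from Bleeping Computer or from Trend Micro) parses the attribute and classifies files the way an incident responder would when checking whether a script that arrived by email was ever marked as coming from the Internet. It assumes that MotW is stored in the NTFS alternate data stream `<file>:Zone.Identifier` as an INI text with a `[ZoneTransfer]` section whose `ZoneId` uses the URLMON zone numbers (0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted); the sample stream contents and the `RISKY_EXTENSIONS` list are constructed for the example.

```python
"""
Parse and triage Windows Mark-of-the-Web (MotW) data.

Added example; not from the article or the researchers it cites.
Assumption (labelled): MotW lives in the NTFS alternate data stream
"<file>:Zone.Identifier", an INI text with a [ZoneTransfer] section and a
ZoneId field using URLMON zone numbers (3 = Internet, 4 = Restricted Sites).
"""
import os
import sys
from dataclasses import dataclass
from typing import Dict, Optional

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed list: script/executable types an analyst wants flagged when
# they show up without any MotW at all (e.g. extracted from a password-protected archive).
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".dll", ".scr", ".lnk"}


@dataclass
class MotwInfo:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(stream_text: str) -> Optional[MotwInfo]:
    """Parse the text of a Zone.Identifier stream; None if no [ZoneTransfer] section."""
    section = None
    seen_zonetransfer = False
    fields: Dict[str, str] = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            seen_zonetransfer = seen_zonetransfer or section == "zonetransfer"
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not seen_zonetransfer:
        return None
    zone_id: Optional[int]
    try:
        zone_id = int(fields["zoneid"]) if "zoneid" in fields else None
    except ValueError:
        zone_id = None  # malformed ZoneId: treat as absent rather than trusted
    return MotwInfo(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[MotwInfo]:
    """Read the Zone.Identifier ADS of a file (works on NTFS/Windows); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def triage(filename: str, motw: Optional[MotwInfo]) -> str:
    """Verdict for an analyst:
    'untrusted-origin' - MotW says Internet or Restricted Sites (warning expected);
    'no-motw-risky'    - script/executable with no MotW at all (warning would never fire);
    'no-motw'          - other file without MotW;
    'ok'               - MotW present with a local/trusted zone.
    """
    ext = os.path.splitext(filename)[1].lower()
    if motw is None or motw.zone_id is None:
        return "no-motw-risky" if ext in RISKY_EXTENSIONS else "no-motw"
    if motw.zone_id >= 3:
        return "untrusted-origin"
    return "ok"


def scan_directory(directory: str) -> Dict[str, str]:
    """Map each regular file in `directory` to its triage verdict."""
    return {e.name: triage(e.name, read_motw(e.path))
            for e in os.scandir(directory) if e.is_file()}


# Constructed sample streams (not captured from any real incident).
SAMPLE_DOWNLOAD = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/doc.zip\r\n")
SAMPLE_EMPTY = ""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, verdict in sorted(scan_directory(target).items()):
        print(f"{verdict:18} {name}")
```

Run it against a download folder on Windows to see which files carry a ZoneId of 3; on a non-NTFS system every file comes back as `no-motw`, which is exactly the state in which the warning described above can never appear, so a `.js` attachment with that verdict deserves a closer look.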

The phishing emails contain a link to a supposedly personal document together with a password, and victims are instructed to open the document using that password. Instead, a file is opened and executed without any security warning.

The malware then gets to work: shortly afterwards, the loader injects the Qbot DLL into legitimate Windows processes to evade detection. Microsoft has known about this zero-day vulnerability since October; it is still unknown whether a fix will arrive by the December Patch Day.