It goes away and it comes back… Aged 14, the Qbot malware specializes in collecting bank data or installing ransomware. It crashes into Windows again via a phishing attack bypassing the protections of Windows 10 and 11.
The Trojan horseTrojan horse Qbot is once again in the news after a period of calm. the malwaremalwarewhich dates from 2008, is spreading via phishing campaigns and its objective is to collect users’ banking information. It has evolved to bring in other malware, like Brute RattleRattleEgregor, CobaltCobalt Strike, or to implant ransomwareransomware in companies with Egregor, Prolock or recently Black Basta.
Futura mentioned his return at the end of last July. For this attack, QBot was hiding in a copy of the calculator of Windows 7Windows 7 which pretended to be that of later versions.
While it is neutralized each time a phishing campaign is detected to carry it, this time Qbot managed to sneak through a zero-day flaw present in Windows. The new vulnerability exploited by Qbot has been detected by a company analyst Analygenceafter a phishing attack with the Magniber ransomware was identified by HP Threat Intelligence.
A fake signature to trick Windows
The researchers noticed that the attack was via JavaScript files executed using Windows Script Host. The course of the infection is as follows. A person receives an email prompting them to click a link to download a file. The file is a compressed archive in Zip format. It encloses an image ISOISO and it is password protected. This is provided in the message.
At this stage, from the moment the victim tries to open the file, an alert message should be displayed thanks to a security system that has been put in place with Windows 10Windows 10. This makes it possible to block the execution of files coming from an unidentified external source and this is indeed the case here. However, this does not work because the injection of QBot takes place without the slightest signal.
How is the security system bypassed? When the ISO disc image file or its IMG equivalent is opened, Windows automatically adds it as if it were a new storage medium. However, this ISO file contains a JavaScript file with a signature that will prove to Windows that the file does not come from the Web, but from the storage medium. The porteporte is therefore opened and the JavaScript reads the command from a text file which allows it to launch a DLL file. It is the latter who implements QBot. The damage is done.
To correct the situation, with the important update of November 2022, MicrosoftMicrosoft added security updates that were released. The breach is thus filled, until the hackers again find another trick to bring QBot back.
