Security News > 2022 > November > New attacks use Windows security bypass zero-day to drop malware

This Mark of the Web is an alternate data stream that contains information about the file, such as the URL security zone the file originates from, its referrer, and its download URL. When a user attempts to open a file with a MoTW attribute, Windows will display a security warning asking if they are sure they wish to open the file.
After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that the threat actors were using a new Windows zero-day vulnerability that prevented Mark of the Web security warnings from being displayed.
ISO images were being used to distribute the malware as Windows was not correctly propagating the Mark of the Web to files within them, allowing the contained files to bypass Windows security warnings.
As part of the Microsoft November 2022 Patch Tuesday, security updates were released that fixed this bug, causing the MoTW flag to propagate to all files inside an opened ISO image, fixing this security bypass.
In a new QBot phishing campaign discovered by security researcher ProxyLife, the threat actors have switched to the Windows Mark of the Web zero-day vulnerability by distributing JS files signed with malformed signatures.
As the JS file originates from the Internet, launching it in Windows would display a Mark of the Web security warning.
News URL
Related news
- New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner (source)
- DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks (source)
- Play ransomware exploited Windows logging flaw in zero-day attacks (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection (source)
- Critical auth bypass bug in CrushFTP now exploited in attacks (source)
- New Windows 11 trick lets you bypass Microsoft Account requirement (source)
- Open-source malware doubles, data exfiltration attacks dominate (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- Windows 11 Forces Microsoft Account Sign In & Removes Bypass Trick Option (source)