The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has issued a warning that new phishing attacks that take advantage of a zero-day Windows vulnerability can infect a compromised device with the malicious QBot malware without invoking any Windows security alerts.
According to NCC-advisory, CSIRT’s the vulnerability, which affects all versions of Windows-based products, manifests as malware and phishing attacks.
The Mark of the Web (MoTW) security warnings are not displayed when a new phishing attack uses a Windows zero-day vulnerability to infect a computer with the Qbot malware, according to NCC-CSIRT.
“To take advantage of the Windows Mark of the Web zero-day vulnerability, threat actors have switched to a new phishing strategy that involves propagating JS files (plain text files that include JavaScript code) signed with forged signatures. The newest phishing attempt begins with an email that contains a password for the file along with a link to an allegedly important document.
“When the link is clicked, a password-protected ZIP folder that includes another zip file and an IMG file is downloaded. Normally, launching the JS file in Windows would result in a Mark of the Web security warning because it is an Internet-based file. However, the forged signature permits the JS script to function and load the malicious QBot program without triggering any Windows security alerts,” the advisory said.
Accordingly, NCC-CSIRT advised that users apply updates per vendor instructions.
The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.
The CSIRT also works collaboratively with ngCERT, established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.