This research investigates a recent QakBot phishing campaign's ability to evade Mark-of-the-Web (MoTW) security features, allowing for escape from the designated security zone and successful installation of malicious software on victim device.
REFERENCES: https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature
TAGS: qakbot, black basta, motw, qakbot loader, qakbot malware, loader, malware, qbot, phishing, LOLBAS, LOLBINS, MS Office macros
MALWARE FAMILIES: Black Basta, QakBot
ATT&CK IDS: T1102 - Web Service, T1574 - Hijack Execution Flow, T1564 - Hide Artifacts, T1068 - Exploitation for Privilege Escalation, T1027 - Obfuscated Files or Information, T1047 - Windows Management Instrumentation, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1059 - Command and Scripting Interpreter, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1204 - User Execution, T1218 - Signed Binary Proxy Execution, T1497 - Virtualization/Sandbox Evasion, T1566 - Phishing
Read More:
ความคิดเห็น