Microsoft has fixed a vulnerability that was used by threat actors to bypass the Windows SmartScreen security feature and deliver payloads in Magniber ransomware attacks.
“An attacker could create a malicious file that would bypass Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office that rely on MOTW tagging,” Redmond explained on Tuesday.
According to Microsoft, this vulnerability can only be exploited using three attack vectors:
- In a web-based attack scenario, an attacker could host a malicious website that exploits the security feature bypass.
- In an email or instant messaging attack scenario, the attacker could send the targeted user a specially crafted .url file to exploit the redirect.
- Compromised websites or websites that accept or host user-provided content may contain specially crafted content to exploit the security feature bypass.
In all these scenarios, the threat actors would have to trick their targets into opening malicious files or accessing attacker-controlled websites with CVE-2022-44698 exploits.
Microsoft released security updates to address this zero-day during the November 2022 Patch Tuesday after working on a fix for this actively exploited zero-day vulnerability since late October, the company told BleepingComputer.
Exploited in ransomware attacks
This would cause SmartScreen to throw an error and allow the malicious files to execute without generating security alerts, installing the Magniber ransomware even though the file is tagged with a MoTW flag.
Last month, the same Windows zero-day vulnerability was also exploited in phishing attacks to drop the Qbot malware without displaying MOTW security alerts.
As security researcher ProxyLife found, the threat actors behind this recent QBot phishing campaign switched to the Windows Mark of the Web zero-day by distributing JS files signed with the same malformed key used in the Magniber ransomware attacks.
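As an added defensive check that is not part of the article, the following PowerShell snippet audits a download folder (assumed to be the user's Downloads directory on a Windows host with Windows PowerShell 5.1 or later) for recently written script and installer files that carry a Mark of the Web (ZoneId=3 in the Zone.Identifier stream) but whose Authenticode signature fails to validate, which is the combination of MoTW tagging and a malformed signature the campaigns above relied on.

```powershell
# Added example (not from the article): report MoTW-tagged files whose
# Authenticode signature does not validate. Folder and time window are assumptions.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [int]$Days = 7
)

# File types Get-AuthenticodeSignature can evaluate and that are commonly used as lures.
$auditExt = @('.js', '.jse', '.vbs', '.wsf', '.exe', '.dll', '.msi')
$since = (Get-Date).AddDays(-$Days)

Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and $auditExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $file = $_

        # Read the Zone.Identifier alternate data stream; ZoneId=3 means "Internet" (MoTW set).
        $zoneText = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in @($zoneText)) {
            if ($line -match '^ZoneId=(\d)') { $zoneId = $Matches[1]; break }
        }

        # Validate the embedded signature. Valid and NotSigned are normal; anything else
        # (HashMismatch, NotTrusted, UnknownError, ...) indicates a broken or malformed signature.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

        [pscustomobject]@{
            File      = $file.FullName
            ZoneId    = $zoneId
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    } |
    Where-Object { $_.ZoneId -eq '3' -and $_.SigStatus -notin @('Valid', 'NotSigned') } |
    Sort-Object File |
    Format-Table -AutoSize
```

Files listed by this report should be quarantined and examined rather than opened; a hit does not prove exploitation, but it is exactly the condition SmartScreen was failing to handle before the patch.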
QBot (aka Qakbot) is a Windows banking trojan that has evolved into a malware dropper that steals emails for use in subsequent phishing attacks or delivers additional payloads such as Brute Ratel, Cobalt Strike, and other malware.
Egregor, Prolock, and Black Basta ransomware operations are also known to collaborate with QBot to gain access to victims’ corporate networks.
During the November 2022 Patch Tuesday, Microsoft also fixed a publicly disclosed zero-day (CVE-2022-44710) that allowed attackers to gain SYSTEM privileges on unpatched Windows 11 systems.