Microsoft has patched a security vulnerability used by threat actors to bypass the Windows SmartScreen security feature and deliver payloads in Magniber ransomware attacks.

Attackers used malicious stand-alone JavaScript files to exploit the CVE-2022-44698 zero-day to bypass Mark-of-the-Web security warnings displayed by Windows to alert users that files from the Internet should be treated with caution.

“An attacker can create a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW marking,” Microsoft explained on Tuesday.

According to Microsoft, this security flaw can only be exploited using three attack vectors:

  • In a web attack scenario, an attacker could host a malicious website that exploits the security feature bypass.
  • In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file to exploit the security feature bypass.
  • Compromised websites or websites that accept or host user-provided content may contain specially crafted content to exploit the security feature bypass.

However, in all of these scenarios, threat actors must first trick their targets into opening malicious files or visiting attacker-controlled websites hosting CVE-2022-44698 exploits.

Microsoft released security updates on Tuesday, as part of the November 2022 Patch Tuesday, to fix this zero-day after working on a patch for the vulnerability, which has been actively exploited since late October, according to what the company told BleepingComputer.

Exploited in ransomware attacks

HP’s Threat Intelligence team first reported in October that phishing attacks were distributing the Magniber ransomware using digitally signed standalone .JS JavaScript files with a malformed signature, as discovered by Will Dormann, Principal Vulnerability Analyst at ANALYGENCE.

This malformed signature would cause SmartCheck to fail and allow the malicious files to run without triggering any security warnings, installing the Magniber ransomware even though the files were marked with the MoTW flag.
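The two conditions the article describes, a script carrying the Mark of the Web (the Zone.Identifier alternate data stream with ZoneId=3) and an Authenticode signature that does not verify, can both be checked from a defender's side. The following PowerShell audit script is an added example written for this page; it is not code from the article, from Microsoft, or from any of the researchers named here. It assumes an NTFS volume (the Zone.Identifier stream only exists there), a demo folder under `$env:TEMP` whose name is made up, and a constructed sample .js file that it creates and stamps with the Internet zone so the script runs offline; the function names `Get-MotwZone` and `Test-ScriptFile` are likewise this example's own.

```powershell
# Added example (not from the article): audit a folder for standalone .js files that
# carry the Mark of the Web (Zone.Identifier ADS, ZoneId=3 = Internet) and report the
# Authenticode signature state of each. An Internet-zoned script whose signature is
# missing or does not verify is flagged for review rather than trusted.

param(
    [string]$Path = (Join-Path $env:TEMP 'motw-audit-demo')   # assumed demo folder name
)

function Get-MotwZone {
    param([string]$FilePath)
    # The Zone.Identifier stream exists only on NTFS; a missing stream means no MOTW.
    try {
        $ads = Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    $line = $ads | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Test-ScriptFile {
    param([System.IO.FileInfo]$File)
    $zone   = Get-MotwZone -FilePath $File.FullName
    $sig    = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        File         = $File.Name
        ZoneId       = $zone
        FromInternet = ($zone -eq 3)
        SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer       = $signer
        # Flag: Internet-zoned script whose signature is absent or does not verify.
        Suspicious   = ($zone -eq 3) -and ($sig.Status -ne 'Valid')
    }
}

# --- constructed demo input: an unsigned .js file stamped with the Internet zone ---
New-Item -ItemType Directory -Path $Path -Force | Out-Null
$demo = Join-Path $Path 'downloaded.js'
Set-Content -LiteralPath $demo -Value 'WScript.Echo("demo");'
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

$results = Get-ChildItem -LiteralPath $Path -Filter '*.js' -File |
    ForEach-Object { Test-ScriptFile -File $_ }
$results | Format-Table -AutoSize
$results | Where-Object Suspicious | ForEach-Object {
    Write-Warning "$($_.File): Internet-zoned script with signature status '$($_.SigStatus)'"
}
```

Run it with `.\audit.ps1 -Path C:\Users\<user>\Downloads` to scan a real download folder instead of the constructed sample. The point of the `Suspicious` column is that the signature status is evaluated independently of whatever warning the shell did or did not show: a file the operating system let run silently still shows up here as Internet-zoned with a `NotSigned`, `HashMismatch` or `UnknownError` signature, which is exactly the combination the article's infection chain relies on.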

[Image: Magniber JS infection chain (BleepingComputer)]

Last month, the same Windows zero-day vulnerability was also exploited in phishing attacks to drop the Qbot malware without displaying MOTW security warnings.

As security researcher ProxyLife found, the threat actors behind this recent QBot phishing campaign abused the Windows Mark of the Web zero-day by distributing JS files signed with the same malformed key used in the Magniber ransomware attacks.

QBot (aka Qakbot) is a Windows banking Trojan that has evolved into a malware dropper that steals emails for use in later phishing attacks or delivers additional payloads such as Brute Ratel, Cobalt Strike, and other malware.

The Egregor, ProLock, and Black Basta ransomware operations are also known to have partnered with QBot to gain access to victims’ corporate networks.

During the November 2022 Patch Tuesday, Microsoft also patched a publicly disclosed zero-day (CVE-2022-44710) that would allow attackers to gain SYSTEM privileges on unpatched Windows 11 systems.
