Hackers have been abusing a security feature bypass vulnerability in Windows SmartScreen. It was exploited using malicious standalone JavaScript files to deliver malware such as Magniber and Qbot in recent phishing attacks.

Microsoft fixed the vulnerability during the December 2022 Patch Tuesday.

About the vulnerability

According to Microsoft, the vulnerability (CVE-2022-44698) allows attackers to bypass an inbuilt security feature in Windows, which works with its Mark of the Web (MOTW) functionality.
  • MOTW lets SmartScreen perform a reputation check by flagging files downloaded from the internet.
  • Bypassing this feature allows malicious files downloaded from the internet to run without raising any flags.
  • To exploit the vulnerability, attackers craft a malicious file, leading to a limited loss of integrity of MOTW tagging and of the availability of security features that depend on it, such as Protected View in Microsoft Office.

Abusing the vulnerability

  • This vulnerability can be exploited through three attack vectors: malicious websites, compromised websites with specially crafted content, and malicious attachments (.url files) delivered over email or messaging services.
  • In all cases, the attacker needs the potential victim to visit the malicious website or open the malicious attachment carrying the CVE-2022-44698 exploit in order to bypass SmartScreen.

Exploitation in the wild

Microsoft confirmed this vulnerability has been exploited in recent phishing attacks to deliver Magniber and Qbot malware.
  • In October, attackers were using standalone .JS JavaScript files digitally signed with a malformed key to exploit the Windows MOTW zero-day vulnerability.
  • The malformed signature caused SmartScreen to error out, allowing the malicious files to execute and install Magniber without displaying MOTW security warnings.
  • Last month, attackers exploited the same vulnerability in phishing attacks to drop the Qbot malware without raising MOTW security warnings.
  • The attackers switched to exploiting the vulnerability by distributing JS files signed with the same malformed signatures used in the Magniber ransomware attacks.
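A triage script for the conditions described above (script files carrying MOTW whose signature block does not verify), written as an added example; it is not from the article or from Microsoft, and the scan root, the extension list and the "Suspicious" rule are assumptions:

```powershell
# Added example (not from the article): list Mark-of-the-Web-tagged script files
# under a folder and report their Authenticode signature status, so that files that
# are signed but do not verify can be pulled for review. $ScanRoot is an assumption.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

function Get-MotwScriptReport {
    param([string]$Root)

    # Script-host extensions that SmartScreen screens when MOTW is present (assumed list).
    $extensions = @('*.js', '*.jse', '*.wsf', '*.vbs')

    Get-ChildItem -Path $Root -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The Zone.Identifier alternate data stream is the on-disk form of MOTW.
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if (-not $zone) { return }   # not MOTW-tagged: SmartScreen is not consulted for it

            $zoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName

            [pscustomobject]@{
                Path            = $_.FullName
                ZoneId          = $zoneId        # 3 = Internet zone, 4 = Restricted sites zone
                SignatureStatus = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Review rule (assumption): a signature is present but does not verify as Valid.
                Suspicious      = ($sig.Status -ne 'Valid' -and $sig.Status -ne 'NotSigned')
            }
        }
}

$report = Get-MotwScriptReport -Root $ScanRoot
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Files flagged Suspicious are candidates for quarantine and sandbox analysis; once the December 2022 update is installed, SmartScreen should no longer treat a non-verifying signature as a reason to skip its warning.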

Conclusion

Zero-day exploits are far more effective for initial access and, once publicly exposed, can be rapidly reused by other nation-state and criminal actors. Organizations are advised to apply patches as soon as they are released to safeguard against such threats from diverse sources.

Cyware Publisher
