Hackers Exploit Bug in Windows Security Feature to Drop Ransomware

About the vulnerability

• MOTW supports SmartScreen to perform a reputation check by flagging files downloaded from the internet. 
• Bypassing this feature allows the download of malicious files from the internet without raising any flags.
• To exploit the vulnerability, attackers craft a malicious file, leading to a limited loss of MOTW tagging integrity and availability of security features such as Protected View in Microsoft Office.

Abusing the vulnerability

• This vulnerability can be exploited using three attack vectors including malicious websites, compromised websites with specifically crafted content, and malicious attachments (.url files) delivered over email or messaging services.
• In all cases, an attacker requires the potential victim to visit the malicious website or open a malicious attachment with CVE-2022-44698 exploits, to bypass SmartScreen.

Exploitation in the wild

• In October, attackers were using standalone.JS JavaScript files digitally signed with a malformed key to exploit the Windows MOTW zero-day vulnerability.
• It caused SmartCheck to error out and allow the malicious files to execute and install the Magniber without displaying MOTW security warnings.
• Last month, attackers exploited the same vulnerability in phishing attacks to drop the Qbot malware without raising MOTW security warnings.
• The attackers switched to the vulnerability by distributing JS files signed with the same malformed signatures used in Magniber ransomware attacks.

Conclusion