Microsoft fixed the vulnerability during the December 2022 Patch Tuesday.
About the vulnerability
According to Microsoft, the vulnerability (CVE-2022-44698) allows attackers to bypass a built-in Windows security feature that relies on its Mark of the Web (MOTW) functionality.
MOTW supports SmartScreen reputation checks by flagging files downloaded from the internet.
Bypassing this feature allows malicious files downloaded from the internet to pass without raising any flags.
To exploit the vulnerability, attackers craft a malicious file, resulting in a limited loss of integrity of MOTW tagging and of the availability of security features such as Protected View in Microsoft Office.
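An added example, not taken from the original article: a Python parser for the Zone.Identifier alternate data stream that carries the MOTW tag, which lets a defender verify whether a downloaded file still carries the Internet-zone tag that SmartScreen and Protected View act on. The sample stream content is constructed, and the read_motw helper is a hypothetical convenience that only works on NTFS volumes under Windows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Zone IDs used by URL Security Zones and stored in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

@dataclass
class MotwTag:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def triggers_smartscreen(self) -> bool:
        # SmartScreen and Office Protected View act on files tagged as coming
        # from the Internet (3) or Restricted Sites (4) zones; lower zones are trusted.
        return self.zone_id >= 3

def parse_zone_identifier(stream: str) -> Optional[MotwTag]:
    """Parse the INI-style Zone.Identifier stream; None means no usable MOTW tag."""
    section = None
    values = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, val = line.partition("=")  # split on the first '=' only
            values[key.strip().lower()] = val.strip()
    zone = values.get("zoneid")
    if zone is None or not zone.isdigit():
        return None
    return MotwTag(int(zone), values.get("referrerurl"), values.get("hosturl"))

def read_motw(path: str) -> Optional[MotwTag]:
    """Hypothetical helper: read the Zone.Identifier ADS of a file on NTFS (Windows only)."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None  # no stream at all: the file carries no Mark of the Web

# Constructed sample of what a browser writes for an internet download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/download.js\r\n")
```

A file that reaches the user with no stream, or with a stream that parses to None, is exactly the state this bypass produces and is worth alerting on in download-directory sweeps.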
Abusing the vulnerability
This vulnerability can be exploited through three attack vectors: malicious websites, compromised websites with specifically crafted content, and malicious attachments (.url files) delivered over email or messaging services.
In all cases, the attacker needs the potential victim to visit the malicious website or open the malicious attachment containing the CVE-2022-44698 exploit in order to bypass SmartScreen.
Exploitation in the wild
Microsoft confirmed this vulnerability has been exploited in recent phishing attacks to deliver the Magniber and Qbot malware.
It caused SmartScreen to error out and allow the malicious files to execute and install Magniber ransomware without displaying MOTW security warnings.
Last month, attackers exploited the same vulnerability in phishing attacks to drop the Qbot malware without raising MOTW security warnings.
The attackers switched to exploiting the vulnerability by distributing JS files signed with the same malformed signatures used in the Magniber ransomware attacks.
Zero-day exploits are much more effective for initial exploitation, and once publicly exposed they can be rapidly reused by other nation-state and criminal actors for espionage. Organizations are advised to apply patches as soon as they are released to safeguard against such threats from diverse sources.