Microsoft patches Windows zero-day used to drop ransomware

    alf9872000


    Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver payloads in Magniber ransomware attacks.


    The attackers used malicious standalone JavaScript files to exploit the CVE-2022-44698 zero-day to bypass Mark-of-the-Web security warnings displayed by Windows to alert users that files originating from the Internet should be treated with caution.


    "An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Redmond explained on Tuesday.


    According to Microsoft, this security flaw can only be exploited using three attack vectors:


    • In a web-based attack scenario, an attacker could host a malicious website that exploits the security feature bypass.
    • In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file to exploit the bypass.
    • Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass.


    However, in all these scenarios, the threat actors would have to trick their targets into opening malicious files or accessing attacker-controlled websites with CVE-2022-44698 exploits.


    Microsoft released security updates to address this zero-day during the November 2022 Patch Tuesday after working on a fix for this actively exploited zero-day vulnerability since late October, as the company told BleepingComputer.

    Exploited in ransomware attacks

    HP's threat intelligence team first reported in October that phishing attacks were distributing the Magniber ransomware using standalone .JS JavaScript files digitally signed with a malformed key, as discovered by Will Dormann, a senior vulnerability analyst at ANALYGENCE.


    This malformed signature would cause SmartScreen to error out and allow the malicious files to execute without throwing any security warnings and install the Magniber ransomware, even though the file had been tagged with a MoTW flag.
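    A defender-side triage check for the pattern just described, added here as an example (not code from the article or from BleepingComputer): it lists Internet-zone (ZoneId=3) script files under a folder and reports their Authenticode signature status, so a MoTW-tagged .js file whose signature is present but fails to verify stands out from plain unsigned scripts. Assumes Windows PowerShell 5.1 or later on an NTFS volume; the Downloads folder and the extension list are assumptions.

```powershell
# Added example: flag MoTW-tagged script files whose Authenticode signature does not verify.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: folder to scan
)

function Get-MotwZone {
    param([string]$File)
    # The Mark of the Web is stored in the Zone.Identifier alternate data stream;
    # a ZoneId of 3 means the file was downloaded from the Internet zone.
    try {
        $content = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
        $line = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    } catch { }
    return $null   # no Zone.Identifier stream: file did not come from the Internet
}

# Script host file types that run directly on double-click (assumed list).
$scriptExt = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta'

Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-MotwZone $_.FullName
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        # 'Valid' is a well-formed, trusted signature; 'NotSigned' is the normal state
        # of an ordinary script. Any other status on an Internet-zone script means a
        # signature is present but does not verify, which is the case worth reviewing.
        $suspicious = ($zone -eq 3) -and ($sig.Status -notin 'Valid', 'NotSigned')
        [pscustomobject]@{
            File       = $_.FullName
            ZoneId     = $zone
            SigStatus  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = $suspicious
        }
    } | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it as `.\Check-MotwScripts.ps1 -Path C:\Users\alice\Downloads` (script name assumed); rows with Suspicious=True are the ones to quarantine and inspect.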


    [Image: Magniber's JS infection chain (BleepingComputer)]


    Last month, the same Windows zero-day vulnerability was also abused in phishing attacks to drop the Qbot malware without displaying MOTW security warnings.


    As security researcher ProxyLife found, threat actors behind this recent QBot phishing campaign switched to the Windows Mark of the Web zero-day by distributing JS files signed with the same malformed key used in the Magniber ransomware attacks.


    QBot (aka Qakbot) is a Windows banking trojan that has evolved into a malware dropper that will steal emails for use in subsequent phishing attacks or deliver additional payloads such as Brute Ratel, Cobalt Strike, and other malware.


    The Egregor, Prolock, and Black Basta ransomware operations are also known to have partnered with QBot to gain access to victims' corporate networks.


    During the November 2022 Patch Tuesday, Microsoft also fixed a publicly disclosed zero-day (CVE-2022-44710) that would allow attackers to gain SYSTEM privileges on unpatched Windows 11 systems.
