Heimdal Security Blog

Windows Zero-day Exploited for Ransomware Was Fixed

Microsoft announced that an important zero-day vulnerability, which threat actors had used to launch ransomware attacks, was fixed in the latest Patch Tuesday release. Microsoft had been working on a fix since October.

The CVE-2022-44698 zero-day vulnerability was actively exploited in several attacks that delivered Magniber ransomware and Qbot malware payloads.

How Did Threat Actors Exploit the Windows Zero-day?

According to security researchers, malicious stand-alone JavaScript files were used to exploit the CVE-2022-44698 zero-day and bypass the Mark-of-the-Web security warnings that Windows displays to warn users that a file came from an untrusted source.

An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

(Source: Microsoft)

Microsoft said the vulnerability could be exploited in three scenarios:

Whichever method was used, threat actors still had to deceive their targets into opening the malicious files or visiting the attacker-controlled websites hosting CVE-2022-44698 exploits.
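The bypass above defeated the SmartScreen check, but the MoTW tag itself (the Zone.Identifier alternate data stream that Windows writes next to a downloaded file) is still present on the file. As an added example, not code from the original article or from Heimdal, the following Python script parses that stream and flags stand-alone script files that arrived from the Internet or Restricted Sites zones, so a responder can triage such files independently of SmartScreen. The set of risky extensions, the verdict labels and the sample stream are the example's own assumptions.

```python
"""Parse the Mark-of-the-Web (Zone.Identifier) stream and triage script files.

Added example for illustration; not code from the original article.
"""
import os
import sys
from typing import Optional

# URLMON security zones (well-known Windows zone identifiers).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Stand-alone script types treated as high risk when they come from the
# Internet zone. This list is an assumption of the example, not from the article.
RISKY_SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}

# Constructed sample stream, in the shape a browser writes for a download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/invoice.js\r\n")


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns a dict with 'ZoneId' as an int (None if missing or malformed)
    plus the ReferrerUrl and HostUrl values when present.
    """
    result = {"ZoneId": None, "ReferrerUrl": None, "HostUrl": None}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue                       # ignore keys outside the section
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                result["ZoneId"] = int(value)
            except ValueError:
                result["ZoneId"] = None    # malformed zone value
        elif key in ("ReferrerUrl", "HostUrl"):
            result[key] = value
    return result


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier alternate data stream of a file on NTFS.

    Only meaningful on Windows; returns None when the stream does not exist.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def triage(filename: str, stream_text: Optional[str]) -> str:
    """Return a verdict: 'no-motw', 'allow', 'review' or 'block'.

    The verdict labels are this example's own convention.
    """
    ext = os.path.splitext(filename)[1].lower()
    if stream_text is None:
        return "no-motw"                   # file never tagged (local origin?)
    zone = parse_zone_identifier(stream_text)["ZoneId"]
    if zone is None:
        return "review"                    # tag present but unparseable
    if zone >= 3 and ext in RISKY_SCRIPT_EXTENSIONS:
        return "block"                     # Internet-sourced stand-alone script
    if zone >= 3:
        return "review"                    # Internet-sourced, non-script file
    return "allow"                         # local machine / intranet / trusted


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on any paths given on the CLI.
    for name, text in [("invoice.js", SAMPLE_STREAM),
                       ("report.pdf", SAMPLE_STREAM),
                       ("local.js", None)]:
        print(f"{name}: {triage(name, text)}")
    for path in sys.argv[1:]:
        print(f"{path}: {triage(path, read_zone_identifier(path))}")
```

Run it with no arguments to see the verdicts for the constructed cases; on a Windows host, pass file paths to read their real Zone.Identifier streams. The parser deliberately treats a missing or non-numeric ZoneId as "review" rather than "allow", since a malformed tag is itself worth a second look.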

Attacks That Used the CVE-2022-44698 Vulnerability

In October, HP's threat intelligence team reported phishing attacks in which stand-alone JavaScript (.js) files delivered Magniber ransomware.

Windows SmartScreen was tricked into letting the malicious files execute without displaying a warning, so the Magniber ransomware was installed even though the file carried the MoTW flag.

The same Windows zero-day was exploited in November in phishing attacks that dropped Qbot malware without any MOTW warning being displayed.

Security researchers claim that the JS files used in the Qbot phishing campaign carried the same malformed key that had been used in the Magniber ransomware attacks.
