Date: 2022-12-15

Microsoft has patched a zero-day vulnerability that let malicious actors bypass Windows SmartScreen to deliver Qbot malware and Magniber ransomware payloads.

Threat actors exploited the flaw by using JavaScript files to get around the Mark of the Web (MOTW) security warnings displayed by the operating system.

“An attacker can craft a malicious file that would evade MOTW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

The vulnerability — tracked as CVE-2022-44698 — was exploitable through three attack vectors:

In a web-based attack scenario, an attacker could host a malicious website that exploits the security feature bypass.

In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file designed to exploit the bypass.

Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass.

For any of the above scenarios to work, the attacker would need to dupe the targets into opening malicious files or navigating to attacker-controlled websites.

According to Bleeping Computer, attackers exploited the vulnerability multiple times in the wild.

In October 2022, phishing attacks were found to be distributing the Magniber ransomware, causing SmartCheck errors and allowing the malicious files to execute without alerting the target.

In November, attackers exploited the same flaw to deliver the Qbot malware without displaying MOTW warnings.

