Microsoft fixes Windows zero-day ransomware

Microsoft has fixed a security flaw used by threat actors to bypass Windows SmartScreen and deliver Magniber ransomware or Qbot malware payloads.

To exploit the zero-day and bypass Mark-of-the-Web security warnings, the attackers created malicious JavaScript files that were used to execute code on the victim's machine.

Redmond explained on Tuesday that an attacker could craft a malicious file to evade Mark of the Web defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

Microsoft states that this vulnerability can only be exploited in three attack scenarios:

  • In a web-based attack scenario, an attacker can host a malicious website designed to bypass security features.
  • In an email or instant messaging attack, an attacker can send the targeted user a specially crafted .url file designed to bypass security features.
  • Compromised websites, or websites that accept or host user-provided content, could contain specially crafted content to bypass security features.

In all of these cases, however, threat actors still have to convince their victims to open malicious files or to visit attacker-controlled websites in order to exploit CVE-2022-44698.

Microsoft issued security updates for the zero-day during Tuesday's December 2022 Patch Tuesday, after working since October on a fix for the actively exploited vulnerability, according to BleepingComputer.

Exploited in malware attacks

In October, HP's threat intelligence team reported phishing attacks that delivered Magniber ransomware via standalone .JS JavaScript files. Will Dormann (a senior analyst at ANALYGENCE) discovered the signature.

SmartScreen would then fail to detect the threat, and the malware files could be executed without any warning. The Magniber ransomware was installed even though the MoTW flag had been removed.
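As an added example, not code from the original article or from Microsoft, the script below parses the Zone.Identifier alternate data stream that carries the Mark of the Web and flags downloaded .js and .url files (the types abused in the attacks described here) for review. The stream layout (a [ZoneTransfer] section with ZoneId, HostUrl and ReferrerUrl keys) is the one Windows writes; the sample stream content, the triage labels and the `read_motw` helper are constructed for this example.

```python
import os
import sys
from dataclasses import dataclass
from typing import Optional

# ZoneId values written by Windows into the Zone.Identifier stream
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# File types the article reports being used to slip past SmartScreen
RISKY_EXTENSIONS = {".js", ".url"}

@dataclass
class MotwInfo:
    zone_id: int
    host_url: Optional[str] = None
    referrer_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

def parse_zone_identifier(stream_text: str) -> Optional[MotwInfo]:
    """Parse the INI-style [ZoneTransfer] block; None if no usable ZoneId."""
    in_section, fields = False, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    return MotwInfo(int(fields["zoneid"]), fields.get("hosturl"), fields.get("referrerurl"))

def read_motw(path: str) -> Optional[MotwInfo]:
    """Read the Zone.Identifier ADS of a file on NTFS (Windows); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def triage(path: str, info: Optional[MotwInfo]) -> str:
    """'review' = script/shortcut from the Internet or Restricted zone, i.e. what SmartScreen should gate."""
    if info is None:
        return "untagged"
    if info.zone_id < 3:
        return "local"
    return "review" if os.path.splitext(path)[1].lower() in RISKY_EXTENSIONS else "tagged"

if __name__ == "__main__":
    # Constructed sample of a stream as written for a browser download
    sample = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.js\r\n"
    print(triage("invoice.js", parse_zone_identifier(sample)))  # review
    for root, _, names in os.walk(sys.argv[1] if len(sys.argv) > 1 else "."):
        for name in names:
            p = os.path.join(root, name)
            print(triage(p, read_motw(p)), p)
```

Run it against a downloads folder on Windows to list files whose MOTW tag should have triggered a warning; on other platforms the walk reports every file as untagged.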

Magniber’s JS infection chain (BleepingComputer)

The same Windows zero-day was also used in QBot phishing attacks, without triggering any MOTW warnings.

ProxyLife found that the QBot phishing attack was carried out by threat actors who distributed JS files signed with the same key as the Magniber ransomware.

QBot, also known as Qakbot, is a Windows trojan. It can steal emails for use in subsequent phishing attacks, or deliver additional payloads like and .

QBot is also known to be a partner of the and ransomware operators.

Microsoft also fixed CVE-2022-44710, a publicly disclosed zero-day vulnerability that allowed attackers to gain SYSTEM privileges on unpatched Windows 11 computers.