Microsoft fixes Windows zero-day exploited in ransomware attacks

Microsoft fixed another zero-day bug used by attackers to bypass the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags.

Attackers have been using malicious MSI files signed with a specially crafted Authenticode signature to exploit this security feature circumvention vulnerability (tracked as CVE-2023-24880).

Although the signature is invalid, it was enough to trick SmartScreen into preventing Mark-of-the-Web (MotW) security alerts from appearing and warning users to be careful when opening files from the Internet.
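An added example (not code from the article or from Google TAG) showing how a defender can triage downloaded MSI files against the pattern described above: a file carrying the Mark-of-the-Web whose Authenticode signature is present but does not validate. It uses only built-in cmdlets; the Downloads folder path is a placeholder, and the `HasMotW`/`Verdict` field names are the example's own.

```powershell
# Added example: list MSI files in a folder with their MotW zone and Authenticode status.
# Files that have MotW and a signature that is neither Valid nor NotSigned are flagged
# for closer inspection. Assumes Windows PowerShell 5.1 or later.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')   # placeholder path
)

function Get-MotwZone {
    param([string]$Path)
    # MotW is stored in the Zone.Identifier alternate data stream; ZoneId=3 is "Internet".
    try {
        $ads  = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
        $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    } catch {
        # No Zone.Identifier stream: the file was not marked as downloaded from the Internet.
    }
    return $null
}

Get-ChildItem -LiteralPath $Folder -Filter '*.msi' -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $zone = Get-MotwZone -Path $_.FullName
    $hasMotw = ($null -ne $zone -and $zone -ge 3)

    # Valid = chain verifies to a trusted root; NotSigned = no signature at all.
    # Any other status (HashMismatch, NotTrusted, UnknownError, ...) means a signature
    # blob exists but does not verify, which is worth a second look when MotW is set.
    $verdict = switch ($sig.Status) {
        'Valid'     { 'signed, chain verifies' }
        'NotSigned' { 'unsigned' }
        default     { if ($hasMotw) { "REVIEW: MotW set, signature $($sig.Status)" }
                      else          { "signature $($sig.Status)" } }
    }

    [pscustomobject]@{
        File    = $_.Name
        ZoneId  = $zone
        HasMotW = $hasMotw
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Status  = $sig.Status
        Verdict = $verdict
    }
} | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

Run it as a script against a folder of downloaded installers; rows marked REVIEW are the ones to quarantine and inspect rather than open.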

The actively exploited zero-day CVE-2023-24880 was discovered by the Google Threat Analysis Group (TAG), who reported it to Microsoft on February 15.

“TAG has seen more than 100,000 downloads of malicious MSI files since January 2023, with more than 80% to users in Europe, a notable difference from Magniber’s typical targeting, which typically targets South Korea and Taiwan,” says Google TAG.

The Magniber ransomware operation has been active since at least October 2017 as a successor to the Cerber ransomware, when its payloads were deployed via malvertising using the Magnitude Exploit Kit (EK).

While initially focused on attacking South Korea, the gang has now expanded attacks around the world, shifting targets to other countries including China, Taiwan, Malaysia, Hong Kong, Singapore and now Europe.

Magniber has been quite active since the beginning of the year, with hundreds of samples submitted for analysis on the ID Ransomware platform.

[Figure: Submissions of Magniber ransomware to ID Ransomware, 2023]

Narrow patches lead to bypasses

CVE-2023-24880 is a variant of another Windows SmartScreen security feature bypass, tracked as CVE-2022-44698, which was also exploited as a zero-day to infect targets with malware via standalone JavaScript files carrying malformed signatures.

Microsoft patched CVE-2022-44698 in the December 2022 Patch Tuesday after months of in-the-wild exploitation, during which it was used to drop Qbot malware and Magniber ransomware.

Other ransomware operations, including Egregor, Prolock, and Black Basta, have also been known to partner with Qbot to gain access to corporate networks.

As Google TAG explained today, CVE-2023-24880 was made possible because Microsoft released a limited patch for CVE-2022-44698 that only fixed one aspect of the bug instead of fixing the root cause.

“When fixing a security issue, there is a tension between a localized, trusted fix and a potentially more difficult fix of the underlying root cause issue,” Google TAG concluded.

“Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.”


James D. Brown