Microsoft has patched another zero-day bug used by attackers to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags.
The attackers have been using malicious MSI files signed with a specially crafted Authenticode signature to exploit this security feature bypass vulnerability (tracked as CVE-2023-24880).
Although the signature is invalid, it’s been enough to fool SmartScreen and prevent Mark-of-the-Web (MotW) security alerts from popping up and warning users to be cautious when opening files from the Internet.
The actively exploited CVE-2023-24880 zero-day was discovered by Google Threat Analysis Group (TAG), who reported it to Microsoft on February 15.
“TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe – a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan,” Google TAG says.
The Magniber ransomware operation has been active since at least October 2017 as the successor of Cerber ransomware, when its payloads were being deployed via malvertising using the Magnitude Exploit Kit (EK).
While initially focused on targeting South Korea, the gang has now expanded attacks worldwide, switching targets to other countries, including China, Taiwan, Malaysia, Hong Kong, Singapore, and now Europe.
Magniber has been quite active since the start of the year, with hundreds of samples being submitted for analysis on the ID Ransomware platform.
Narrow patches lead to bypass
CVE-2023-24880 is a variant of another Windows SmartScreen security feature bypass tracked as CVE-2022-44698 and also exploited as a zero-day to infect targets with malware via standalone JavaScript files with malformed signatures.
Other ransomware operations, including Egregor, Prolock, and Black Basta, are also known to have partnered with Qbot to gain access to corporate networks.
As Google TAG explained today, CVE-2023-24880 was made possible because Microsoft released a narrow patch for CVE-2022-44698 that only fixed a single aspect of the bug rather than fixing the root cause.
“When patching a security issue, there is tension between a localized, reliable fix, and a potentially harder fix of the underlying root cause issue,” Google TAG concluded.
“Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.”