
Microsoft SmartScreen Zero-Day Exploited to Deliver Magniber Ransomware

Cybercriminals have been exploiting a zero-day vulnerability in the Microsoft SmartScreen security feature to deliver the Magniber ransomware, according to Google’s Threat Analysis Group (TAG). The vulnerability, tracked as CVE-2023-24880, has been exploited since at least January, until it was patched with Microsoft’s latest Patch Tuesday updates.

The SmartScreen feature is designed to protect users against phishing and malware, including by flagging potentially malicious files downloaded from the web. The cybercriminals have exploited the vulnerability by delivering specially crafted MSI files that are signed with an Authenticode signature that is invalid but crafted in a way that causes SmartScreen to return an error. This bypasses the Mark-of-the-Web (MotW) security feature, used to prevent execution of potentially malicious files from the internet.
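A practical follow-up to the mechanism described above is to look for the combination that made this campaign work: an MSI that arrived from the internet (carrying the Mark-of-the-Web) whose Authenticode signature does not validate. The script below is an added example, not code from Google TAG, Microsoft, or the article; it assumes Windows PowerShell 5.1 or later on an NTFS volume, and the scan root (the user's Downloads folder) is an assumed default you can override.

```powershell
# Added example (not from the article): triage MSI files that carry the
# Mark-of-the-Web and whose Authenticode signature does not validate.
# Assumes PowerShell 5.1+ on Windows and NTFS (Zone.Identifier alternate data stream).
# $ScanRoot is an assumed default; point it at the directory you want to review.
param(
    [string]$ScanRoot = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwZone {
    param([string]$Path)
    # The Mark-of-the-Web is stored in the Zone.Identifier alternate data stream;
    # "ZoneId=3" marks a file downloaded from the internet zone.
    try {
        $content = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no stream: file did not come from the internet, or the mark was removed
    }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$findings = foreach ($file in Get-ChildItem -LiteralPath $ScanRoot -Recurse -Filter '*.msi' -File -ErrorAction SilentlyContinue) {
    $zone = Get-MotwZone -Path $file.FullName
    # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch, NotTrusted,
    # UnknownError, etc. Anything other than Valid on an internet-sourced installer
    # is worth a second look: a signature SmartScreen cannot evaluate is not a clean verdict.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path       = $file.FullName
        ZoneId     = $zone
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious = ($zone -eq 3 -and $sig.Status -ne 'Valid')
    }
}

# List only the internet-sourced MSI files whose signature does not validate.
$findings | Where-Object Suspicious | Format-Table -AutoSize
```

Run it as `.\Find-SuspiciousMsi.ps1 -ScanRoot 'D:\Incoming'` (file name assumed) to review another folder. Note that the check is a triage aid, not a verdict: an installer can fail signature validation for benign reasons, and a missing Zone.Identifier stream only means the mark is absent, not that the file is trustworthy.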

The Magniber ransomware operation has mainly targeted South Korea and Taiwan, but over 80% of the more than 100,000 malicious MSI file downloads have been associated with users in Europe. Google’s Safe Browsing mechanism did warn users in more than 90% of cases. The same attackers have exploited a similar vulnerability, CVE-2022-44698, to deliver malicious JScript files since at least September 2022.

Google has made available technical details for both CVE-2023-24880 and CVE-2022-44698, as well as indicators of compromise (IoCs) for the Magniber and Qakbot attacks. The internet giant has also warned of a larger trend Project Zero has highlighted before, wherein vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants.

In conclusion, a zero-day vulnerability in the Microsoft SmartScreen security feature has been exploited to deliver the Magniber ransomware. The threat actor has also previously used CVE-2022-44698 to deliver malicious JScript files. Microsoft has released a patch for the vulnerability, but Google has warned of a larger trend wherein vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants.

Key Points:

  • A zero-day vulnerability in the Microsoft SmartScreen security feature has been exploited to deliver the Magniber ransomware.
  • The vulnerability, tracked as CVE-2023-24880, was exploited since at least January, until it was patched with Microsoft’s latest Patch Tuesday updates.
  • The same attackers have exploited a similar vulnerability, CVE-2022-44698, to deliver malicious JScript files since at least September 2022.
  • Google has warned of a larger trend wherein vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants.
