Magniber Ransomware Group Exploiting Microsoft Zero-DayMicrosoft Patches Another SmartScreen Signature-Based Vulnerability
A financially motivated hacking group has been exploiting a now-patched zero-day vulnerability in the Windows operating system to deliver ransomware.
Google Threat Analysis Group attributed the campaign to Magniber ransomware group, which it says began exploiting the zero-day prior to Microsoft releasing the patch for the vulnerability as part of its latest monthly dump of fixes.
The vulnerability, tracked as CVE-2023-24880, is a moderately severe flaw that affects Microsoft's anti-phishing and anti-malware component, SmartScreen Security, which is embedded by the company as an endpoint protection service in products including Windows and Microsoft Edge.
Magniber delivers Microsoft Software Installer files, signing it with a malformed signature. The file triggers an error in the application upon its execution, causing an error that bypasses Microsoft's warning against executing untrusted files downloaded from the internet.
Google TAG has observed more than 100,000 downloads of malicious MSI files since the beginning of this year, and the majority of them were downloaded by devices in Europe. This is a change in targets for Magniber, which previously focused on victims in South Korea and Taiwan, TAG says.
Malformed Windows signatures used by the operators behind the November 2022 Qakbot campaigns were similar to Magniber's earlier campaign, "suggesting the two operators either purchased the bypasses from the same provider, or copied each others' technique," Google says.
The fact that Microsoft has had to issue multiple fixes for signature-based SmartScreen bypass highlights a dilemma with patches, Google says. Should software developers such as Microsoft issue a targeted, reliable fix that patches the immediate problem? But unless the root cause is also fixed, hackers can iterate their techniques to discover new attacks.