Magniber ransomware actors are actively exploiting another Microsoft SmartScreen zero-day vulnerability, according to new research by Google’s Threat Analysis Group.
In a blog post on Tuesday, Google detailed the flaw, tracked as CVE-2023-24880, which attackers are leveraging to bypass security warnings that indicate a user is about to download a potentially malicious file. First identified in 2017, the Magniber ransomware gang is known for targeting victims primarily located in South Korea by seeking out individual PCs rather than large organizations’ networks.
Google TAG researchers observed Magniber actors exploiting the flaw by sending malicious MSI files signed with an invalid but specially crafted Authenticode signature that bypasses SmartScreen security warnings for untrusted files. Google reported its findings, which revealed Magniber found a way to bypass mitigations for an earlier SmartScreen flaw, to Microsoft on February 15. Microsoft’s Patch Tuesday update included a fix for CVE-2023-24880.
The ability to bypass SmartScreen defenses is significant because the security tool aims to protect against phishing or malware websites and applications, a threat that continues to rise. For example, earlier this month, threat actors hacked NameCheap’s email system to deploy a phishing campaign. Essentially, SmartScreen screens for malicious files and issues a “do not download” warning for users.
More alarming, this is not the first time Magniber campaigns have leveraged a SmartScreen zero-day vulnerability. In October, HP Threat Research discovered Magniber ransomware actors were using new tactics. Shortly after, security researcher Will Dormann discovered the threat actors were exploiting a zero-day security feature bypass in SmartScreen. According to Google, the flaw, tracked as CVE-2022-44698, “allowed an attacker to use a malformed Authenticode signature to bypass SmartScreen security warnings.”
Google’s report said threat actors associated with Qakbot malware either copied the technique or may have purchased the security bypass from the same provider and exploited the zero-day vulnerability as well.
Microsoft patched CVE-2022-44698 in December. But Magniber ransomware actors quickly found a workaround that led to a new variant, CVE-2023-24880. Google started seeing attacks exploiting the new vulnerability within a month.
“This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants,” Google wrote in the blog post. “When patching a security issue, there is tension between a localized, reliable fix and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.”
Google highlighted several problems with Microsoft’s original remediation, which addressed a flaw in smartscreen.exe. For one, Google emphasized how attackers took a new route where the CVE-2022-44698 patch was not applicable.
“The problem with this patch is that THROW_HR is called from many other places in smartscreen.exe when different errors are encountered,” the blog post read. “Every one of these is a potential opportunity for an attacker to return an error to shdocvw.dll, which will fail open and not display a security warning.”
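The fail-open pattern the quote describes, and why patching a single error path leaves variants behind, shown as an added example that is not code from Microsoft, Google or the original article. The enum values, function names and sample file names are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: a reputation check returns a verdict or an error. */
typedef enum { REP_TRUSTED, REP_UNTRUSTED,
               REP_ERR_BAD_SIGNATURE, REP_ERR_PARSE, REP_ERR_TIMEOUT } rep_result;

/* Constructed samples: what the check would return for each file. */
typedef struct { const char *name; rep_result result; } sample;
static const sample SAMPLES[] = {
    {"signed_installer.msi",  REP_TRUSTED},
    {"unsigned_download.msi", REP_UNTRUSTED},
    {"malformed_sig_a.js",    REP_ERR_BAD_SIGNATURE},
    {"malformed_sig_b.msi",   REP_ERR_PARSE},
};

/* Fail open: only an explicit "untrusted" verdict warns; errors skip it. */
bool warn_fail_open(rep_result r) { return r == REP_UNTRUSTED; }

/* Narrow patch: one known error now warns, every other error still fails open. */
bool warn_narrow_patch(rep_result r) {
    return r == REP_UNTRUSTED || r == REP_ERR_BAD_SIGNATURE;
}

/* Root-cause fix (fail closed): warn unless the verdict is positively trusted. */
bool warn_fail_closed(rep_result r) { return r != REP_TRUSTED; }

/* Count samples that get no warning despite having no trusted verdict. */
size_t silent_passes(bool (*policy)(rep_result)) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        if (SAMPLES[i].result != REP_TRUSTED && !policy(SAMPLES[i].result))
            n++;
    return n;
}

int main(void) {
    printf("fail open:    %zu silent\n", silent_passes(warn_fail_open));
    printf("narrow patch: %zu silent\n", silent_passes(warn_narrow_patch));
    printf("fail closed:  %zu silent\n", silent_passes(warn_fail_closed));
    return 0;
}
```

The narrow patch still lets the second malformed sample through without a warning, while the fail-closed policy covers error codes it has never seen, such as `REP_ERR_TIMEOUT`.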
The current Magniber ransomware campaign differs from past attacks in its geographic targeting and file formats. While exploiting CVE-2023-24880, Google observed 80% of users who downloaded malicious files were based in Europe — “a notable divergence” from typical targets located in South Korea and Taiwan. Additionally, Google highlighted how previous campaigns against SmartScreen used JScript files, while the most recent one leveraged “MSI files with a different type of malformed signature.”
As Google emphasized in the blog, vendor patches are not always sufficient. Another recent example of attackers bypassing security updates occurred in December, when Play ransomware actors discovered a workaround to Microsoft’s ProxyNotShell mitigations that affected vulnerable Exchange servers.