Microsoft has patched another zero-day bug used by attackers to bypass the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising a red flag.

Attackers used malicious MSI files signed with a specially crafted Authenticode signature to exploit this security feature bypass vulnerability (tracked as CVE-2023-24880).

Although the signature was invalid, it was enough to fool SmartScreen and prevent Mark-of-the-Web (MotW) security alerts from appearing and warning users to be careful when opening files from the Internet.

Actively exploited zero-day CVE-2023-24880 was discovered by Google Threat Analysis Group (TAG), which reported it to Microsoft on February 15.

“TAG has observed more than 100,000 malicious MSI file downloads since January 2023, with more than 80% of users in Europe – a notable departure from Magniber’s typical targeting, which typically focuses on South Korea and Taiwan. “, Google TAG said.

Operation Magniber ransomware has been active since at least October 2017 as successor to Cerber ransomwarewhen its payloads were deployed via malicious advertisements using the Magnitude (EK) exploit kit.

While initially focusing on targeting South Korea, the gang has now widespread attacks around the worldshifting its targets to other countries including China, Taiwan, Malaysia, Hong Kong, Singapore and now Europe.

Magniber has been quite active since the beginning of the year, with hundreds of samples submitted for analysis on the ID Ransomware platform.

Magniber ID Ransomware Submissions 2023
Magniber ransomware submissions (ID Ransomware)

Narrow patches lead to bypass

​CVE-2023-24880 is a variant of another Windows SmartScreen security feature bypass tracked as CVE-2022-44698 and also exploited as zero-day to infect targets with malware via standalone JavaScript files with malformed signatures.

Microsoft patched CVE-2022-44698 on Patch Tuesday of December 2022 after months of exploitation and use to drop Qbot Malware And Magniber ransomware.

Other ransomware operations, including Egregore, ProlockAnd basta blackare also known to have partnered with Qbot to access corporate networks.

As Google TAG explained today, CVE-2023-24880 was made possible because Microsoft released a narrow patch for CVE-2022-44698 that fixes only one aspect of the bug rather than fixing the root cause. first.

“When patching a security issue, there is a tension between a localized, reliable fix and a potentially more difficult fix to the underlying root-cause issue,” Google TAG concluded.

“Since the root cause of the SmartScreen security bypass has not been resolved, attackers were able to quickly identify a different variant of the original bug.”

Source link