
Magniber Ransomware Group Exploiting Microsoft Zero-Day

Microsoft Patches Another SmartScreen Signature-Based Vulnerability

A financially motivated hacking group has been exploiting a now-patched zero-day vulnerability in the Windows operating system to deliver ransomware.


Google Threat Analysis Group attributed the campaign to Magniber ransomware group, which it says began exploiting the zero-day prior to Microsoft releasing the patch for the vulnerability as part of its latest monthly dump of fixes.

The vulnerability, tracked as CVE-2023-24880, is a moderately severe flaw that affects Microsoft's anti-phishing and anti-malware component, SmartScreen Security, which is embedded by the company as an endpoint protection service in products including Windows and Microsoft Edge.

Magniber delivers Microsoft Software Installer (MSI) files signed with a malformed signature. When the file is opened, the malformed signature triggers an error in SmartScreen, and that error causes it to skip the warning it would normally show before executing untrusted files downloaded from the internet.
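As an added example (not from the article, Google TAG or Microsoft), the following PowerShell hunt lists MSI files that carry a Mark-of-the-Web and whose Authenticode signature fails to validate, the combination the campaign relied on; the default search path and the output fields are assumptions.

```powershell
# Added example: hunt for internet-downloaded MSI files whose Authenticode
# signature is present but does not validate. Default path is an assumption.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads")
)

function Get-SuspiciousMsi {
    param([string[]]$SearchPaths)
    foreach ($p in $SearchPaths) {
        Get-ChildItem -Path $p -Filter *.msi -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Mark-of-the-Web lives in the Zone.Identifier alternate data stream;
            # ZoneId=3 means Internet, ZoneId=4 means Restricted Sites.
            $zone = $null
            try {
                $line = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction Stop |
                        Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
                if ($line) { $zone = [int]($line -replace '^ZoneId=', '') }
            } catch { }   # no stream: file did not come from the internet

            # Status values: Valid, NotSigned, HashMismatch, NotTrusted,
            # NotSupportedFileFormat, Incompatible, UnknownError
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            [pscustomobject]@{
                Path          = $file.FullName
                ZoneId        = $zone
                Status        = $sig.Status
                StatusMessage = $sig.StatusMessage
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } |
        # Flag files that came from the internet and carry a signature that does
        # not validate; unsigned files still get the normal SmartScreen prompt.
        Where-Object { $_.ZoneId -ge 3 -and $_.Status -ne 'Valid' -and $_.Status -ne 'NotSigned' }
    }
}

Get-SuspiciousMsi -SearchPaths $Paths | Format-Table -AutoSize
```

Files the hunt lists should be quarantined and inspected rather than opened; a signature that fails to validate is also worth an alert in endpoint telemetry.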

Google TAG has observed more than 100,000 downloads of malicious MSI files since the beginning of this year, and the majority of them were downloaded by devices in Europe. This is a change in targets for Magniber, which previously focused on victims in South Korea and Taiwan, TAG says.

Prior to its latest campaign, Magniber exploited another SmartScreen bypass vulnerability tracked as CVE-2022-44698. The hackers used JavaScript files instead of MSI, HP threat researchers who spotted the campaign wrote.

Malformed Windows signatures used by the operators behind the November 2022 Qakbot campaigns were similar to Magniber's earlier campaign, "suggesting the two operators either purchased the bypasses from the same provider, or copied each others' technique," Google says.

The fact that Microsoft has had to issue multiple fixes for signature-based SmartScreen bypasses highlights a dilemma with patches, Google says. A targeted, reliable fix patches the immediate problem, but unless the root cause is also fixed, hackers can iterate on their techniques to discover new attacks.


About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



