Ransomware actors caught using unpatched Microsoft SmartScreen security bypass


Devdiscourse News Desk | California | Updated: 15-03-2023 12:57 IST | Created: 15-03-2023 12:57 IST

Google's Threat Analysis Group (TAG) recently caught financially motivated threat actors using an unpatched security bypass in Microsoft's SmartScreen to deliver the Magniber ransomware. The findings were reported to Microsoft on February 15, 2023, and the security bypass was patched as CVE-2023-24880 in the Patch Tuesday release.

According to the TAG team, the Magniber actors were using MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error, and that error results in the security warning dialogue being skipped. The dialogue is normally displayed to users when an untrusted file carries a Mark-of-the-Web (MotW), the marker indicating that the file was downloaded from the web and may be malicious.
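The combination described above, an Internet-zone Mark-of-the-Web together with an Authenticode signature that fails verification with an error rather than a clean "not signed" result, is something a defender can look for when triaging downloaded installers. The following PowerShell script is an added example written for this article; it is not code from Google TAG or Microsoft. It uses only built-in cmdlets (Get-Content -Stream for the Zone.Identifier stream and Get-AuthenticodeSignature), and the default scan path is an assumption.

```powershell
# Added example (not from the article, Google TAG or Microsoft): list MSI files
# that carry an Internet-zone Mark-of-the-Web and whose Authenticode signature
# verifies with an error status. Assumes Windows PowerShell 5.1 or later.
# $ScanPath defaults to the user's Downloads folder; adjust as needed.
param(
    [string]$ScanPath = "$env:USERPROFILE\Downloads"
)

function Get-MotwZone {
    param([string]$Path)
    # The Mark-of-the-Web is stored in the Zone.Identifier alternate data
    # stream. ZoneId=3 is the Internet zone; no stream means no MotW.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-SuspiciousMsi {
    param([System.IO.FileInfo]$File)
    $zone = Get-MotwZone -Path $File.FullName
    $sig  = Get-AuthenticodeSignature -LiteralPath $File.FullName
    # 'Valid' and 'NotSigned' are the two clean outcomes. Any other status
    # (HashMismatch, NotTrusted, UnknownError, ...) means a signature blob is
    # present but could not be verified, which is the state the article
    # describes SmartScreen mishandling.
    $malformed = $sig.Status -notin @('Valid', 'NotSigned')
    [pscustomobject]@{
        File       = $File.FullName
        ZoneId     = $zone
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious = ($zone -eq 3) -and $malformed
    }
}

# Scan recursively, surfacing the suspicious rows first.
Get-ChildItem -LiteralPath $ScanPath -Filter *.msi -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousMsi -File $_ } |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize
```

Rows with Suspicious set to True are candidates for closer inspection (hash lookup, quarantine, or submission to the organisation's malware analysis process); a status other than Valid or NotSigned on a downloaded installer is unusual on its own, regardless of whether the host has received the CVE-2023-24880 fix.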

Since January 2023, TAG has observed more than 100,000 downloads of the malicious MSI files. Surprisingly, over 80% of these downloads were made by users located in Europe. This is significant because Magniber typically targets South Korea and Taiwan.

"When patching a security issue, there is tension between a localized, reliable fix, and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug," Google wrote in a post.

You can find more details about the security bypass here
