Microsoft fixes Windows zero-day exploited in ransomware attacks

Microsoft has patched another zero-day bug used by attackers to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags.

The attackers have been using malicious MSI files signed with a specially crafted Authenticode signature to exploit this security feature bypass vulnerability (tracked as ).

Although the signature is invalid, it’s been enough to fool SmartScreen and prevent Mark-of-the-Web (MotW) security alerts from popping up and warning users to be cautious when opening files from the Internet.

The actively exploited CVE-2023-24880 zero-day was discovered by Google Threat Analysis Group (TAG), who reported it to Microsoft on February 15.

“TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe – a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan,” Google TAG .

The Magniber ransomware operation has been  as the successor of , when its payloads were being deployed via malvertising using the Magnitude Exploit Kit (EK).

While initially focused on targeting South Korea, the gang has now , switching targets to other countries, including China, Taiwan, Malaysia, Hong Kong, Singapore, and now Europe.

Magniber has been quite active since the start of the year, with hundreds of samples being submitted for analysis on the ID Ransomware platform.

Magniber ID Ransomware submissions 2023
Magniber ransomware submissions (ID Ransomware)

Narrow patches lead to bypass

​CVE-2023-24880 is a variant of another Windows SmartScreen security feature bypass tracked as  and also exploited as a zero-day to infect targets with malware via standalone JavaScript files with malformed signatures.

Microsoft  during the December 2022 Patch Tuesday after months of exploitation and being used to drop  and .

Other ransomware operations, including , , and , are also known to have partnered with Qbot to gain access to corporate networks.

As Google TAG explained today, CVE-2023-24880 was made possible because Microsoft released a narrow patch for CVE-2022-44698 that only fixed a single aspect of the bug rather than fixing the root cause.

“When patching a security issue, there is tension between a localized, reliable fix, and a potentially harder fix of the underlying root cause issue,” Google TAG concluded.

“Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.”