Researchers from Google TAG have discovered a previously unknown bug that allows an attacker to bypass security features in Microsoft’s SmartScreen and deploy Magniber ransomware without triggering security warnings.
SmartScreen is a browser security feature designed to help Windows users defend against phishing attacks, malware, and the download of potentially malicious applications and files. It analyses the sites users visit and the files they download, and generates alerts when suspicious activity is detected.
Threat actors can evade this detection by delivering MSI files carrying “an invalid but specifically crafted Authenticode signature.” This pushes SmartScreen to fall back to the default setting in shdocvw.dll, which does not display a security warning.
The malformed signature causes SmartScreen to return an error, and that error results in the security warning dialog being skipped. That dialog is normally displayed to users when an untrusted file carries a Mark of the Web (MoTW), the marker indicating that a potentially malicious file has been downloaded from the internet.
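The condition the article describes is a downloaded installer that carries a Mark of the Web yet has a signature SmartScreen cannot evaluate cleanly. The following PowerShell snippet, an added example that is not from the article, Google TAG or Microsoft, lists such files for review: it reads the Zone.Identifier alternate data stream to find Internet-zone (ZoneId 3) MSI and EXE files and then reports any whose Authenticode status is something other than Valid or NotSigned. The function names, the default Downloads path and the choice of which statuses to flag are this example's own assumptions; it is a triage aid for a patched or unpatched host, not a substitute for the March 14 update.

```powershell
# Added example, not code from the article or from Google TAG / Microsoft.
# Function and parameter names and the status heuristic are assumptions of this example.

function Get-ZoneId {
    # Reads the NTFS Zone.Identifier alternate data stream that holds the Mark of the Web.
    # Returns the ZoneId as an integer, or $null when the file carries no MoTW.
    param([Parameter(Mandatory)][string]$FilePath)

    $stream = Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Find-SuspiciousMotwInstaller {
    # Lists MSI/EXE files under $Path that came from the Internet zone (ZoneId 3) but whose
    # Authenticode status is neither Valid nor NotSigned. An unsigned MoTW file still gets the
    # normal warning; a malformed signature (HashMismatch, UnknownError, ...) is the case in
    # which SmartScreen returned an error, so those files are the ones to review first.
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),   # assumed default location
        [string[]]$Extensions = @('.msi', '.exe')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = Get-ZoneId -FilePath $_.FullName
            if ($zone -ne 3) { return }   # not Internet-zone: SmartScreen would not prompt anyway

            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -in @('Valid', 'NotSigned')) { return }

            [pscustomobject]@{
                File          = $_.FullName
                ZoneId        = $zone
                SigStatus     = $sig.Status
                StatusMessage = $sig.StatusMessage
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Usage: report the flagged files as a table.
Find-SuspiciousMotwInstaller | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell session on the user profile in question; the Zone.Identifier stream is only present on NTFS volumes, so files copied to FAT/exFAT media lose the marker and will not be reported.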
Google’s TAG reported the issue to Microsoft on February 15, 2023. The bug, tracked under CVE-2023-24880, was addressed today as part of Microsoft’s Patch Tuesday.
As per Google, Magniber has mostly targeted victims in South Korea and Taiwan, but in this campaign over 80% of affected users reside in Europe. Like Google, Trend Micro has observed Magniber using fake Windows update installers and malformed digital signatures to bypass the blocking features tied to Mark of the Web.
Microsoft’s previous patches closed off specific code paths that cause this error, but Google researchers note that attackers can trigger the same error in many other ways, producing the same effect and leaving the check open to bypass. Each pathway represents a potential opportunity for an attacker to return an error… which will fail open and not display a security warning.
Microsoft’s statement reads: “We released a fix on March 14 and customers who have applied the update are already protected. Microsoft Defender for Endpoint and Microsoft Defender antivirus also provide protections against Magniber ransomware.”
The number of users potentially exposed is in the hundreds of thousands: TAG researchers say there were 100,000 observed downloads of malicious MSI Windows installer files since the start of this year.