The Magniber ransomware group has been exploiting a zero-day vulnerability in the Windows operating system to deliver ransomware, according to Google’s Threat Analysis Group. The vulnerability affects Microsoft’s SmartScreen Security component, which is embedded in Windows and Microsoft Edge.
Magniber delivers Microsoft Software Installer files signed with a malformed signature that bypasses Microsoft’s warning against executing untrusted files downloaded from the internet.
Since the beginning of this year, Google TAG has observed more than 100,000 downloads of malicious MSI files, most of which were downloaded by devices in Europe.
This is a change in targets for Magniber, which previously focused on victims in South Korea and Taiwan, TAG says.
Prior to its latest campaign, Magniber exploited another SmartScreen bypass vulnerability.
Malformed Windows signatures used by the operators behind the November 2022 Qakbot campaigns were similar to Magniber’s earlier campaign, “suggesting the two operators either purchased the bypasses from the same provider, or copied each others’ technique,” Google says.
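As an added defensive example (not code from the article or from Google TAG): a PowerShell triage script that lists MSI files under a folder which carry the Mark of the Web (a Zone.Identifier stream with ZoneId=3, meaning the file came from the Internet zone and is exactly what SmartScreen is supposed to inspect) but whose Authenticode signature does not verify as Valid. The folder path is an assumption, as is the premise that a malformed signature of the kind described above surfaces as any status other than Valid.

```powershell
# Added example, not from the article. Flags Internet-zone MSI files whose
# Authenticode signature is not "Valid". Default folder is an assumption.
param(
    [string]$Directory = "$env:USERPROFILE\Downloads"
)

function Get-SuspectMsi {
    param([string]$Path)

    Get-ChildItem -Path $Path -Filter '*.msi' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_

            # The Zone.Identifier alternate data stream is the Mark of the Web.
            # ZoneId=3 means the file was downloaded from the Internet zone.
            $zoneId = $null
            $zone = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in @($zone)) {
                if ($line -match '^ZoneId=(\d+)') { $zoneId = $Matches[1]; break }
            }

            # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName

            [pscustomobject]@{
                Path            = $file.FullName
                ZoneId          = $zoneId
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                StatusMessage   = $sig.StatusMessage
            }
        } |
        # Keep only Internet-zone files that do not carry a verifiably valid signature.
        Where-Object { $_.ZoneId -eq '3' -and $_.SignatureStatus -ne 'Valid' }
}

Get-SuspectMsi -Path $Directory | Format-Table -AutoSize
```

Files that never received the Zone.Identifier stream (for example, extracted from an archive that strips it) will not be listed, so this is a hunting aid rather than a complete control.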
Microsoft has had to issue multiple fixes for signature-based SmartScreen bypasses, which highlights a dilemma with patches.
Developers such as Microsoft can issue a targeted, reliable fix that patches the immediate problem, but unless the root cause is also fixed, attackers can iterate on their techniques and discover new bypasses.