Microsoft squashes Windows bug exploited to inflict ransomware misery

Not-so-smart SmartScreen flagged up by Googlers


Criminals have been exploiting a Microsoft SmartScreen bug to deliver Magniber ransomware without triggering the warning that should accompany files downloaded from the internet, according to Google's Threat Analysis Group (TAG), which has counted more than 100,000 downloads of the malicious files.

TAG discovered the in-the-wild exploit and reported it to Microsoft last month. Redmond patched the Windows SmartScreen security feature bypass, tracked as CVE-2023-24880, today in its monthly Patch Tuesday release.

It's related to a similar Windows SmartScreen security feature bypass vulnerability, CVE-2022-44698, which Microsoft patched in December — but not before miscreants found it and used it to sling the same malware.

The root cause of both is a flaw in how Microsoft's Mark-of-the-Web (MotW) protection is enforced. MotW is metadata, stored on NTFS as a Zone.Identifier alternate data stream, that tags files obtained from the internet, USB sticks and other untrusted sources so that extra protections, such as SmartScreen's reputation check and Office's Protected View, kick in when the file is opened.

Both vulnerabilities let crooks sidestep that protection: the malicious file still carries the MotW tag, but the check the tag is supposed to trigger fails in a way that produces no warning, so the victim can open a ransomware-laden download without SmartScreen ever objecting.

While miscreants used JScript files to deliver Magniber via the earlier bug, the new campaign uses Windows Installer (MSI) packages carrying a different type of malformed signature, according to TAG.

The Google threat hunters have documented more than 100,000 downloads of the malicious MSI files since January 2023, and said over 80 percent of these were downloaded by European users, which is notable because Magniber usually targets victims in South Korea and Taiwan.

This second bypass highlights a larger problem, according to the Google team, and one that researchers have pointed out before: vendors need to fix the root cause of a security flaw rather than ship a quicker, narrowly scoped patch for the one case that was reported.

Here's what happened. In the fall, security researchers discovered ransomware campaigns, first Magniber and then Qakbot, exploiting the Windows bug to bypass MotW. They used a JScript file with a malformed signature that caused the SmartScreen check to return an error; SmartScreen then fell through to its default action, which let the victim open the file without the security warning.

Some third-party vendors released unofficial patches before Redmond finally plugged CVE-2022-44698 in December.

The problem with the December fix, according to TAG, is that "Microsoft patched CVE-2022-44698 in smartscreen.exe, by not raising an error in this specific case, but rather taking an alternative path."

This let miscreants raise an error along a different path, in this case an MSI file signed with an invalid but specially crafted Authenticode signature, and once again bypass both the security warning and the December patch.
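To make the mechanism concrete, here is an added example written for this page; it is neither Microsoft's code nor TAG's. It parses the Zone.Identifier stream that carries a file's Mark-of-the-Web (the stream format and zone IDs are real), and then models the three versions of the SmartScreen error path described above (fail-open, special-cased after the December fix, and fail-closed) using a stand-in signature checker. The sample stream contents, the two signature error classes, the `smartscreen_gate` function and its policy names are all constructed for illustration and do not correspond to anything inside smartscreen.exe.

```python
"""Added example (not Microsoft's or TAG's code): parse a file's Mark-of-the-Web
and model the fail-open signature check that let the Magniber files run silently."""
import configparser
from dataclasses import dataclass
from typing import Callable, Optional

# URL security zone ID written into Zone.Identifier for internet downloads.
URLZONE_INTERNET = 3

# Constructed sample of a Zone.Identifier stream; the URLs are placeholders.
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/files/setup.msi\r\n"
)


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style text of a Zone.Identifier stream; None if unusable."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text.replace("\r\n", "\n"))
        zone_id = cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return MarkOfTheWeb(
        zone_id,
        cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        cp.get("ZoneTransfer", "HostUrl", fallback=None),
    )


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the NTFS alternate data stream 'path:Zone.Identifier' (Windows only).
    Elsewhere, or when the file was never tagged, the stream simply does not exist."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Stand-ins for the signature checker's failure modes (hypothetical, not the
# real error types). The first models the malformed JScript signature, the
# second the crafted MSI Authenticode signature that defeated the December fix.
class SignatureError(Exception):
    pass


class TruncatedSignature(SignatureError):
    pass


class BadAuthenticode(SignatureError):
    pass


def always(result: bool) -> Callable[[], bool]:
    """Stand-in verifier that returns a fixed verdict."""
    return lambda: result


def raising(exc: type) -> Callable[[], bool]:
    """Stand-in verifier that fails with the given error class."""
    def verify() -> bool:
        raise exc()
    return verify


def smartscreen_gate(motw: Optional[MarkOfTheWeb], verify: Callable[[], bool],
                     policy: str = "fail_closed") -> str:
    """Return 'run' or 'warn' for a file with the given MotW.

    policy models three versions of the error path:
      'fail_open'    - any error in the check takes the default, which is to run
      'special_case' - one known error is treated as untrusted, others still fall open
      'fail_closed'  - any failure to verify is treated as untrusted
    """
    if motw is None or motw.zone_id < URLZONE_INTERNET:
        return "run"   # untagged, local or intranet file: the check is not consulted
    try:
        trusted = verify()
    except TruncatedSignature:
        if policy == "fail_open":
            return "run"   # the original bug: error path takes the 'no warning' default
        trusted = False
    except SignatureError:
        if policy != "fail_closed":
            return "run"   # the localized fix never anticipated this error type
        trusted = False
    return "run" if trusted else "warn"


if __name__ == "__main__":
    tagged = parse_zone_identifier(SAMPLE_MOTW)
    print(tagged)
    for policy in ("fail_open", "special_case", "fail_closed"):
        print(policy,
              smartscreen_gate(tagged, raising(TruncatedSignature), policy),
              smartscreen_gate(tagged, raising(BadAuthenticode), policy))
```

Run it as a script to see each policy's verdict for the two stand-in signature failures: only the fail-closed policy warns on both, which is the root-cause fix TAG is arguing for. On Windows, `read_motw()` will read the stream of a real download, and `Get-Item -Path .\setup.msi -Stream Zone.Identifier` shows the same data from PowerShell.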

According to the TAG team: "Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug."

Today, Google also published indicators of compromise for both Magniber campaigns as well as the Qakbot campaign. ®
