Researchers at Google’s Threat Analysis Group have uncovered a zero-day vulnerability that allows an attacker to bypass security features in Microsoft's SmartScreen and deploy Magniber ransomware without triggering security warnings.
SmartScreen is a browser security feature designed to help Windows users defend against phishing attacks, malware, and the downloading of potentially malicious applications and files. It analyzes the sites users visit, screens their downloads, and generates alerts when it detects suspicious activity.
However, Google found that ransomware attackers can evade this detection by delivering MSI files with "an invalid but specifically crafted Authenticode signature." This causes SmartScreen to fall back to the default setting in shdocvw.dll, which does not display a security warning.
"The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web, which indicates a potentially malicious file has been downloaded from the internet," the post noted.
Google's Threat Analysis Group said it reported the issue to Microsoft on February 15, 2023. The bug, tracked as CVE-2023-24880, was addressed today as part of Microsoft's Patch Tuesday.
CISA added the vulnerability to its Known Exploitable Vulnerability Catalog on Tuesday.
According to Google, Magniber has mostly targeted victims in South Korea and Taiwan, but in this case over 80% of affected users reside in Europe. That tracks with findings from Trend Micro in January that the actors behind Magniber have been steadily expanding their geographic footprint beyond Asia since 2021. Like Google, Trend Micro has observed Magniber using fake Windows update installers and malformed digital signatures to bypass the blocking features tied to Mark of the Web.
It’s not the first time a SmartScreen bypass has been used as a vehicle to deliver ransomware.
In October 2022, security researcher Will Dormann identified a similar bug (CVE-2022-44698) in SmartScreen that also allowed attackers to bypass Windows' warning against untrusted sources and deploy Magniber ransomware, using JScript files and another type of malformed signature.
In November last year, researchers at Proxylife found attackers using the same JScript bypass to distribute Qakbot malware. Google said it's "noteworthy" that apart from a few randomized fields, the signatures captured for both the Magniber and Qakbot campaigns are "highly similar."
Microsoft's previous patches closed off certain specific pathways to this error, but Google researchers note that attackers can trigger the same error in many different ways, producing the same effect and leaving the feature open to bypass. Each pathway represents "a potential opportunity for an attacker to return an error…which will fall to open and not display a security warning."
“This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants,” Google noted. “When patching a security issue, there is tension between a localized, reliable fix, and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.”
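The design point behind this passage is fail-open versus fail-closed error handling: SmartScreen treated an error from signature validation as "no warning needed." The following PowerShell script, added here as an illustration and not taken from the SC Media article, the Google TAG post or Microsoft, shows the opposite stance from a defender's side. It walks a folder of downloaded files, reads each file's Mark-of-the-Web (the Zone.Identifier alternate data stream, where ZoneId=3 means "Internet"), checks its Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and reports any Internet-sourced file whose signature status is anything other than Valid, so a malformed, missing or unverifiable signature is surfaced rather than silently passed. The folder path and the file extension list are assumptions chosen for the example.

```powershell
# Added example, not code from the article or from Google/Microsoft.
# Audit downloaded files: report every file that carries an Internet Mark-of-the-Web
# and does NOT have a fully valid Authenticode signature. Any error or non-Valid status
# is treated as untrusted (fail closed), unlike the fail-open behaviour described above.
# Assumption: $Folder defaults to the current user's Downloads directory.

param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwZoneId {
    param([string]$Path)
    # The Zone.Identifier stream holds an INI-style [ZoneTransfer] block with a ZoneId line.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no MotW stream: the file did not arrive through a MotW-aware path
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-DownloadedFile {
    param([string]$Path)
    $zone = Get-MotwZoneId -Path $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    # Fail closed: only Status -eq 'Valid' counts as trusted. NotSigned, HashMismatch,
    # UnknownError (where a malformed signature typically lands) and any other status
    # are all reported as untrusted.
    $trusted = ($sig.Status -eq 'Valid')

    [pscustomobject]@{
        File         = $Path
        ZoneId       = $zone
        FromInternet = ($zone -eq 3)
        SigStatus    = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Trusted      = $trusted
    }
}

# Extension list is an assumption covering the file types named in the article (MSI, JScript).
Get-ChildItem -LiteralPath $Folder -File -Recurse -Include *.msi,*.exe,*.dll,*.js,*.jse |
    ForEach-Object { Test-DownloadedFile -Path $_.FullName } |
    Where-Object { $_.FromInternet -and -not $_.Trusted } |
    Format-Table File, ZoneId, SigStatus, Signer -AutoSize
```

Run it as a normal user on a Windows host; no elevation is needed to read the alternate data stream or verify a signature. The useful comparison with the bug above is the single line `$trusted = ($sig.Status -eq 'Valid')`: every outcome that is not a positive verification, including the error path a crafted signature produces, ends up in the report.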
The number of users who could potentially have been exposed is in the hundreds of thousands. TAG researchers say there have been 100,000 observed downloads of malicious MSI Windows installer files since January alone.
Google's research did not provide details on the extent to which the latest bypass vulnerability has been exploited in the wild. In response, a Microsoft spokesperson sent a statement to SC Media that did not address questions about exploitation.
"We released a fix on March 14 and customers who have applied the update are already protected. Microsoft Defender for Endpoint and Microsoft Defender antivirus also provide protections against Magniber ransomware," the spokesperson said.
Kev Breen, director of cyber threat research at Immersive Labs, told SC Media that "Mark-of-the-Web" related vulnerabilities, including CVE-2023-24880, have been actively exploited in the wild and "should be high on the list of things to patch."
"Macro based malware is still frequently seen as part of initial compromises and users have grown accustomed to the prompts protecting them from dangerous files. Protected View and Mark-of-the-Web should be part of your defense in depth strategy and not a single layer of protection," Breen said.