Magniber ransomware actors used a variant of Microsoft SmartScreen bypass

Threat Analysis Group Mar 14, 2023 [[read-time]] min read Financially motivated threat actors used an unpatched security bypass to deliver ransomware without any security warnings Benoit Sevens Threat Analysis Group Google’s Threat Analysis Group (TAG) recently discovered usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.TAG reported its findings to Microsoft on February 15, 2023. The security bypass was patched today as CVE-2023-24880 in Microsoft’s Patch Tuesday rel...