Microsoft squashes Windows bug exploited to inflict ransomware misery
Criminals are exploiting a Microsoft SmartScreen bug to deliver Magniber ransomware, potentially infecting hundreds of thousands of devices, without raising any security red flags, according to Google's Threat Analysis Group.
Redmond has patched the Windows-Office vulnerability, tracked as CVE-2023-24880, today in its monthly Patch Tuesday event.
It's related to a similar Windows SmartScreen security feature bypass vulnerability, CVE-2022-44698, which Microsoft patched in December - but not before miscreants found it and used it to sling the same malware.
Both vulnerabilities allow crooks to bypass SmartScreen, which means their victims can download malicious files packed with ransomware that do not carry the Mark of the Web (MotW) flag, the marker that would otherwise trigger this added layer of security.
While miscreants used JScript files to deliver Magniber ransomware via the earlier bug, the new campaign uses Microsoft Software Installer files with a different type of malformed signature, according to TAG. The Google threat hunters have documented more than 100,000 downloads of the malicious MSI files since January 2023, and said over 80 percent of these were downloaded by European users, which is notable because Magniber usually targets victims in South Korea and Taiwan.
In the fall, security researchers discovered ransomware campaigns, first Magniber and then Qakbot, exploiting the Windows bug and bypassing Microsoft's MotW. They did this using a JScript file with a malformed signature that forced the SmartScreen request to return an error and trigger the default option - thus bypassing MotW and allowing the victim to open the file without triggering the security warning.
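As an added example (not part of The Register's article or anything from Microsoft or Google TAG), the following PowerShell triage script turns the two observations above into a defender's check: it lists recently downloaded installer and script files, reports whether each carries the Mark of the Web (the Zone.Identifier alternate data stream that SmartScreen keys on), and whether its Authenticode signature parses cleanly, so a file with a malformed signature stands out for review. The Downloads folder, the 30-day window and the extension list are assumptions for illustration.

```powershell
# Added example, not code from the article: defensive triage of downloaded files.
# Assumptions: the Downloads folder, 30-day window and extension list are illustrative.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads",
    [int]$Days = 30
)

$since = (Get-Date).AddDays(-$Days)
$exts  = @('.msi', '.js', '.jse', '.exe', '.dll')
$candidates = Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and $_.Extension -in $exts }

foreach ($f in $candidates) {
    # Mark of the Web lives in the Zone.Identifier alternate data stream; ZoneId=3 means
    # "Internet". Without this stream SmartScreen has nothing to act on when the file opens.
    $zoneId = $null
    try {
        $ads  = Get-Content -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction Stop
        $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line) { $zoneId = [int]($line -replace '^ZoneId=', '') }
    } catch { }   # no stream: the file carries no MotW

    # A malformed signature does not come back as NotSigned; it surfaces as an error status
    # (for example HashMismatch or UnknownError), which is what gets flagged here.
    $sig    = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $badSig = $sig.Status -notin @('Valid', 'NotSigned', 'NotSupportedFileFormat')

    $flag = ''
    if ($badSig) {
        $flag = if ($null -eq $zoneId) { 'REVIEW: malformed signature, no MotW' }
                else                   { 'REVIEW: malformed signature' }
    }

    [pscustomobject]@{
        File      = $f.FullName
        Modified  = $f.LastWriteTime
        HasMotW   = ($null -ne $zoneId)
        ZoneId    = $zoneId
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Flag      = $flag
    }
}
```

Pipe the output to `Where-Object Flag` to see only the files that need a second look; a signed file with a healthy status and an Internet ZoneId is the normal case.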
News URL
https://go.theregister.com/feed/www.theregister.com/2023/03/14/windows_ransomware_zero_day_patched/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-14 | CVE-2023-24880 | Incorrect Authorization vulnerability in Microsoft products: Windows SmartScreen Security Feature Bypass Vulnerability | 4.4 |
| 2022-12-13 | CVE-2022-44698 | Improper Handling of Exceptional Conditions vulnerability in Microsoft products: Windows SmartScreen Security Feature Bypass Vulnerability | 5.4 |