Magniber ransomware “came” to Europe after years of activity in Asia
Google's researchers argue that narrow vendor patches are to blame when a fixed security bypass resurfaces in a slightly different form.
According to a new report from Google's Threat Analysis Group (TAG), financially motivated attackers exploited a previously unknown vulnerability in Microsoft SmartScreen for several months to distribute the Magniber ransomware.
The SmartScreen zero-day (CVE-2023-24880) was reportedly under active exploitation since December 2022. Google notified Microsoft in mid-February 2023, and only on March 14, 2023 did the Redmond-based company release a fix.
SmartScreen is Microsoft's reputation-based protection in Windows 10 and 11 and in the Edge browser: it warns before a downloaded file that carries the Mark-of-the-Web is run and blocks known phishing and malware sites. Microsoft representatives have stated that users of these products who have applied the latest security update are protected.
Google analysts said they have seen more than 100,000 downloads of the malicious ".msi" files used in the ransomware campaign since January 2023, and that about 80% of those downloads came from users in Europe. An ".msi" file is a Windows Installer package; like the familiar ".exe", it is executable content that installs and runs Windows programs, so SmartScreen is expected to inspect it when it arrives from the Internet.
The researchers noted that Magniber previously targeted mainly organizations in South Korea and Taiwan. Only now, roughly six years after Magniber was first discovered, has the targeting shifted to Europe.
Google's research builds on earlier work by HP researchers, who reported in October 2022 that Magniber campaigns exploited another SmartScreen vulnerability, CVE-2022-44698. In that campaign the attackers used malformed JScript files that caused SmartScreen to fail with an error; because the check failed open, the usual security warning never appeared and the malware ran.
When Microsoft closed that path, the Magniber operators found a similar way to break SmartScreen. Google found that the malicious ".msi" files triggered the same behaviour as the JScript files had: SmartScreen hit an error while inspecting the file, and the attackers bypassed the security warning again.
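The failure mode described above, a malformed file that makes the security check error out rather than warn, is something a defender can look for on endpoints. The following PowerShell script is an added example written for this article; it is not code from the article, from Google TAG or from HP. It assumes (the article does not say so) that the malformed part of the file is its Authenticode signature, so that a normal signature check also fails on it, and that the files carry the Mark-of-the-Web (`Zone.Identifier` stream, `ZoneId=3` for the Internet zone) that SmartScreen keys on. The `$Path` parameter and the extension list are assumptions chosen for illustration; the script only reads files and never executes them.

```powershell
# Added example, not from the article or from Google TAG / HP.
# Triage downloaded installers/scripts for the "check errors out" pattern:
# a file that came from the Internet zone whose Authenticode signature does
# not verify cleanly. Assumptions (not stated in the article): the malformed
# element is the signature, and the files carry Mark-of-the-Web.
param(
    # Hypothetical default; point it at any folder of downloaded files.
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Read the ZoneId from the Zone.Identifier alternate data stream (Mark-of-the-Web).
# Returns $null when the stream is absent (file did not arrive via a MotW-aware path).
function Get-ZoneId {
    param([string]$File)
    try {
        $lines = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# Combine MotW zone and Authenticode status into one record. A file from the
# Internet zone (ZoneId 3) whose signature is anything other than Valid is
# flagged: NotSigned is merely unusual for an installer, while statuses such as
# UnknownError, HashMismatch or Incompatible mean the signature could not be
# parsed or verified, which is the behaviour the bypass relied on.
function Test-DownloadedInstaller {
    param([string]$File)
    $zone = Get-ZoneId -File $File
    $sig  = Get-AuthenticodeSignature -LiteralPath $File
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        File       = $File
        ZoneId     = $zone
        SigStatus  = $sig.Status.ToString()
        Signer     = $signer
        Suspicious = ($zone -eq 3) -and ($sig.Status -ne 'Valid')
    }
}

# File types involved in the two Magniber campaigns described in the article
# (.msi and JScript), plus .exe; extend as needed.
$extensions = '.msi', '.js', '.jse', '.exe'

Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object { Test-DownloadedInstaller -File $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table File, ZoneId, SigStatus, Signer -AutoSize
```

Two caveats when using this as a hunt: a `Valid` status only means the signature is well formed and chains to a trusted root, not that the file is benign, and a file whose Zone.Identifier stream has already been stripped (for example after being unblocked or copied with a tool that drops alternate data streams) will show `ZoneId` as empty and will not be flagged even if its signature is broken, so the signature column is worth reviewing on its own as well.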
“This security bypass is an example of a larger trend that Project Zero has highlighted in the past: Software vendors often release narrow patches, leaving attackers with options to bypass and further exploit the vulnerability,” Google researchers said in a statement.
First discovered in late 2017, Magniber was active exclusively in South Korea for years before spreading to Taiwan and then to other countries. Its operators have previously been linked to attacks exploiting other Microsoft vulnerabilities, including CVE-2022-41091 and the infamous PrintNightmare vulnerability, CVE-2021-34527.