In September 2022, Magniber ransomware was delivered using JScript files. In October, HP Threat Research blogged about these Magniber campaigns, after which a security researcher noticed a bug in SmartScreen that allowed an attacker to bypass SmartScreen security warnings by using a malformed Authenticode signature. On October 28, 0patch published additional research and patch recommendations.
In mid-November, other threat actors adopted the same bypass to spread the Qakbot malware. The Authenticode signatures in the November 2022 Qakbot campaigns were strikingly similar to those used by Magniber, suggesting that the two operators either purchased the bypass from the same provider or copied each other's technique. Microsoft patched the security bypass in December 2022 as CVE-2022-44698.
As with the bypass being exploited now, Magniber ransomware actors used CVE-2022-44698 before a patch was available. However, in the earlier campaigns the Magniber actors used JScript files, whereas in the current campaign they are using MSI files with a different type of malformed signature.