A ransomware family targeting individual computer users is using a zero-day Windows bug to infect users, ANALYGENCE senior vulnerability analyst Will Dormann has found.
HP Wolf Security researchers recently published a blog post on the Magniber ransomware campaign’s ability to use JavaScript to disguise a malicious file as an antivirus or Windows 10 update. Magniber targets single computer users with a $2,500 ransom demand rather than targeting larger companies.
The campaign appears to have first come to light via a forum post in April.
The ransomware, the HP researchers noted, leverages “clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.”
As Dormann observed, it’s recently added a new technique to its arsenal.
Also read: How to Recover From a Ransomware Attack
Sidestepping Windows MOTW Warnings
While it first spread largely through MSI and .exe files, the HP researchers noted that starting in September 2022, Magniber was distributed using JavaScript files.
In response to the HP report, Dormann last week observed that the JavaScript files distributed by Magniber are signed with a malformed Authenticode signature, which allows the file to be opened by Windows without a Mark-of-the-Web (MOTW) warning dialog.
An unsigned JavaScript file gets a warning dialog, Dormann noted, while a corruptly signed file just runs without triggering the dialog.
ACROS Security CEO Mitja Kolsek responded, “Damn it, we’ve just patched the Windows unzip bug to make sure extracted files have MOTW, and now apparently MOTW doesn’t matter because you can slap any signature-looking blob on the file and Windows will trust it?”
Dormann provided little comfort by pointing out, “Well, this appears to only affect things relying on Authenticode.”
Also read: How to Decrypt Ransomware Files – And What to Do When That Fails
Introduced with Windows 10
Dormann later observed that Windows 8.1 does provide a warning dialog, suggesting that the flaw was likely introduced with the release of Windows 10.
As he explained to BleepingComputer, the bug is linked to Windows 10’s “Check apps and files” SmartScreen feature at Windows Security > App & browser control > Reputation-based protection settings.
“This issue is in the new-as-of-Win10 SmartScreen feature,” Dormann said. “And disabling ‘Check apps and files’ reverts Windows to the legacy behavior, where MOTW prompts are unrelated to Authenticode signatures,” he said.
So there’s a trade-off: if you activate the feature, Windows scans for unsigned files, but it doesn’t take much effort to sidestep it. As Dormann told BleepingComputer, “baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled.”
Update: 0patch has released a free temporary micropatch to fix the MOTW problem until Microsoft releases an official fix.
Read next: Is the Answer to Vulnerabilities Patch Management as a Service?
