{
	"id": "45e6a324-bb39-448c-9834-18e36e03a447",
	"created_at": "2026-04-06T00:13:10.078398Z",
	"updated_at": "2026-04-10T03:24:29.549773Z",
	"deleted_at": null,
	"sha1_hash": "41ceda8dec86a850a8d522b2f8df781aa724025c",
	"title": "Magniber ransomware actors used a variant of Microsoft SmartScreen bypass",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56835,
	"plain_text": "Magniber ransomware actors used a variant of Microsoft SmartScreen bypass\r\nBy Benoit Sevens\r\nPublished: 2023-03-14 · Archived: 2026-04-05 21:51:23 UTC\r\nMar 14, 2023\r\n7 min read\r\nFinancially motivated threat actors used an unpatched security bypass to deliver ransomware without any security warnings\r\nBenoit Sevens\r\nThreat Analysis Group\r\nGoogle’s Threat Analysis Group (TAG) recently discovered usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.\r\nTAG reported its findings to Microsoft on February 15, 2023. The security bypass was patched today as CVE-2023-24880 in Microsoft’s Patch Tuesday release.\r\nTAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe — a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan. Google Safe Browsing displayed user warnings for over 90% of these downloads.\r\nThe Previous SmartScreen Bypass: CVE-2022-44698\r\nIn September 2022, Magniber ransomware was delivered using JScript files. In October, HP Threat Research blogged about these Magniber campaigns, upon which a security researcher noticed a bug in SmartScreen that allowed an attacker to use a malformed Authenticode signature to bypass SmartScreen security warnings. On October 28, 0patch published additional research and patch recommendations.\r\nIn mid-November, other threat actors adopted the same bypass to spread the Qakbot malware. The Authenticode signatures in the November 2022 Qakbot campaigns were strikingly similar to those used by Magniber, suggesting the two operators either purchased the bypasses from the same provider, or copied each other’s technique.\r\nMicrosoft patched the security bypass in December 2022 as CVE-2022-44698.\r\nhttps://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/\r\nPage 1 of 4\r\nSimilar to the bypass occurring now, Magniber ransomware actors used CVE-2022-44698 before a patch was made available. However, the Magniber actors used JScript files during the previous campaigns, whereas in the current campaign they are using MSI files with a different type of malformed signature.\r\nSecurity Bypass Details\r\nCVE-2022-44698\r\nRoot cause analysis\r\nAs described in 0patch’s blog, when the explorer.exe process runs a file, the shdocvw.dll module will perform a request to the AppReputationService interface implemented in smartscreen.exe to get a verdict.\r\nHigh level overview of security warning dialog logic\r\nBy default, shdocvw.dll’s DoSafeOpenPromptForShellExec will not display a security warning, and if the smartscreen.exe request returns an error for whatever reason, DoSafeOpenPromptForShellExec proceeds with using the default option and runs the file without displaying any security warnings to the user.\r\nshdocvw.dll’s DoSafeOpenPromptForShellExec pseudocode\r\nIn CVE-2022-44698’s case, a JScript file with a malformed signature was used to force the SmartScreen request to return an error, triggering the behavior described above to bypass the security warning. The error was raised while parsing the file’s signature in the function windows::security::signature_info::retrieve of smartscreen.exe.\r\nsmartscreen.exe’s windows::security::signature_info::retrieve pseudocode\r\nSpecifically, this function will first call WTGetSignatureInfo in wintrust.dll to retrieve a CERT_CONTEXT structure pointer cert_context and a HANDLE wvt_state_data. The cert_context, for a well-formed signature, will point to the signer certificate, which is the first certificate in the certificate chain.\r\nNext, the function calls WTHelperProvDataFromStateData on wvt_state_data, which returns a CRYPT_PROVIDER_DATA structure pointer crypt_provider_data. Now, if crypt_provider_data and its member hMsg are non-NULL, but cert_context is NULL, an E_INVALIDARG error is raised.\r\nBypass\r\nAuthenticode signatures are encoded in PKCS #7 SignedData structures. A SignedData structure contains, amongst other things, a list of certificates that are required to validate the signature and a SignerInfo structure. The SignerInfo structure in its turn contains the issuer and serial number of the signer certificate, which can then be looked up in the SignedData certificates.\r\nIn practice, the attackers achieved a NULL cert_context by providing an Authenticode signature where the SignerInfo certificate serial number cannot be found among the SignedData certificates. This leads to wintrust.dll not being able to find the certificate for the signer, in which case WTGetSignatureInfo will return a NULL value for cert_context.\r\nMagniber used CVE-2022-44698 by providing a signer certificate serial number that is not present in the signature certificates.\r\nIt’s noteworthy that the signatures in the November 2022 Qakbot campaigns are highly similar to the Magniber signatures, except for a few randomized fields.\r\nComparison between the certificates included in a Magniber and Qakbot signature\r\nCVE-2023-24880\r\nRoot cause analysis\r\nMicrosoft patched CVE-2022-44698 in smartscreen.exe by not raising an error in this specific case, but rather taking an alternative path.\r\nCVE-2022-44698 patch of windows::security::signature_info::retrieve\r\nThe problem with this patch is that THROW_HR is called from many other places in smartscreen.exe when different errors are encountered. Every one of these is a potential opportunity for an attacker to return an error to shdocvw.dll, which will fail open and not display a security warning.\r\nThis is exactly the route the attackers took with the new bypass. The signature in this case leads to a valid cert_context, so the CVE-2022-44698 patch is not applicable. Further on, windows::security::signature_info::retrieve calls windows::security::authenticode_information::create. This function checks if crypt_provider_data-\u003epPDSip-\u003epsIndirectData is non-NULL. If not, it calls THROW_HR, which will again return an error to shdocvw.dll.\r\nsmartscreen.exe’s windows::security::authenticode_information::create pseudocode\r\nBypass\r\nTo obtain a NULL crypt_provider_data-\u003epPDSip-\u003epsIndirectData, the attackers corrupted the ASN.1 numerical identifier (NID) of the SPC_INDIRECT_DATA_OBJID, an Authenticode-specific Object Identifier (OID) which contains, for example, the message digest of the signed file.\r\nMagniber corrupted the SPC_INDIRECT_DATA_OBJID NID, which leads to crypt_provider_data-\u003epPDSip-\u003epsIndirectData being NULL and an error being raised.\r\nConclusion\r\nThis security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants. When patching a security issue, there is tension between a localized, reliable fix and a potentially harder fix of the underlying root cause. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug. Project Zero has written and presented extensively on this trend, and recommends several practices to ensure bugs are correctly and comprehensively fixed.\r\nIndicators of compromise (IoCs)\r\nad89fb8819f98e38cddf6135004e1d93e8c8e4cba681ba16d408c4d69317eb47 (CVE-2022-44698, Magniber)\r\n77e3a3bc905f9a172e95ba70bf01c3236e6c6423f537fa728b1bda5a40a77fe3 (CVE-2022-44698, Qakbot)\r\n8efb4e8bc17486b816088679d8b10f8985a31bc93488c4b65116f56872c1ff16 (CVE-2023-24880, Magniber)\r\nSource: https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/"
	],
	"report_names": [
		"magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41ceda8dec86a850a8d522b2f8df781aa724025c.pdf",
		"text": "https://archive.orkl.eu/41ceda8dec86a850a8d522b2f8df781aa724025c.txt",
		"img": "https://archive.orkl.eu/41ceda8dec86a850a8d522b2f8df781aa724025c.jpg"
	}
}