Magniber Ransomware Abusing MoTW Zero Day

Brief Summary

MOTW was originally an Internet Explorer security feature. It broadened into a mechanism that lets Windows warn you when you interact with a file downloaded from the internet, and over time it also contributed to preventing certain types of files from running.

If you open a file flagged with MOTW, at the bare minimum you should see one of several messages, depending on whether you are looking at the file's properties or attempting to open a file you have downloaded. It might be this:

MOTW warning message (figure).

If attackers attach a malformed signature to the malicious file, Microsoft SmartScreen fails to process it: instead of flagging the file and showing the MoTW security warning, Windows allows the program to run on the victim's device.

According to our research, Magniber ransomware has been abusing this exploit since 2022-11-01 to bypass MoTW.

Magniber ransomware is delivered as a ZIP archive containing a JavaScript file that carries a malformed signature:

Delivered Magniber ransomware archive (figure).

Malformed signature inside the JavaScript file (figure).

VirusTotal scan results show that the delivered ZIP archive contains a malicious JavaScript file.
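The following triage helper is an added example and is not code from the original post or from any vendor mentioned in it. It ties together the two points above: the MoTW warning is driven by the Zone.Identifier alternate data stream (an INI-style text with a [ZoneTransfer] section, which is the real on-disk format), and the delivery here is a script file inside a downloaded ZIP. The script parses a Zone.Identifier stream, lists archive members that Windows would hand to a script engine, and flags the combination as suspicious independently of whether SmartScreen shows a warning. The sample stream text, the archive, and its member names are constructed; the `read_zone_identifier` helper only works on NTFS volumes on Windows.

```python
"""Triage a downloaded archive: MoTW zone plus script-type members.

Added example (not from the original post). Zone.Identifier format is real;
all sample data below is constructed.
"""
import io
import os
import sys
import zipfile
from typing import Dict, List, Optional

# URL security zone ids as written into Zone.Identifier by browsers/mail clients.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Extensions Windows passes to a script host instead of opening as data.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [ZoneTransfer] section (others ignored)."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_id(stream_text: str) -> Optional[int]:
    """Numeric ZoneId, or None when absent or not an integer."""
    raw = parse_zone_identifier(stream_text).get("ZoneId")
    try:
        return int(raw) if raw is not None else None
    except ValueError:
        return None


def is_marked_from_internet(stream_text: str) -> bool:
    """True for zones that trigger the MoTW warning (Internet, Restricted)."""
    zid = zone_id(stream_text)
    return zid is not None and zid >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read '<path>:Zone.Identifier' on Windows/NTFS; None elsewhere or if absent."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def script_members(zip_bytes: bytes) -> List[str]:
    """Archive members whose extension maps to a script engine."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def triage(zip_bytes: bytes, stream_text: Optional[str]) -> Dict[str, object]:
    """Combine both signals into one verdict; does not depend on SmartScreen."""
    scripts = script_members(zip_bytes)
    marked = stream_text is not None and is_marked_from_internet(stream_text)
    return {
        "zone": ZONE_NAMES.get(zone_id(stream_text or ""), "none"),
        "marked_from_internet": marked,
        "script_members": scripts,
        # Script inside an internet-sourced archive: the delivery shape above.
        "suspicious": marked and bool(scripts),
    }


# Constructed sample data (not from a real incident).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/download\r\n")


def build_sample_zip() -> bytes:
    """In-memory archive with one JavaScript member and one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// placeholder script body (constructed)")
        zf.writestr("readme.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_zip(), SAMPLE_STREAM))
```

On a live system you would call `triage(open(path, "rb").read(), read_zone_identifier(path))` for the downloaded archive; the verdict deliberately ignores SmartScreen's outcome because, as described above, a malformed signature can make that check stay silent.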

A report from HP’s threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.

Magniber’s new infection chain (figure, HP).

Process tree of Magniber ransomware (figure).

Ransom note after successful encryption (figure).

SHA 256 – IOC 
Technique Name                                  TTP ID
Command and Scripting Interpreter: JavaScript   T1059.007
User Execution: Malicious File                  T1204.002
Obfuscated Files or Information                 T1027
Phishing: Spearphishing Attachment              T1566.001
Data Encrypted for Impact                       T1486
