Brief Summary
MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from a URL. Over time, it even contributed to preventing certain types of files from running.
If you open a file flagged with MOTW, at the bare minimum you should see one of several messages, depending on whether you are looking at the file properties or attempting to open a file you have downloaded. It might be this:
MOTW Message.
If attackers sign the malicious file with a malformed signature, then instead of the file being flagged by Microsoft SmartScreen and the MoTW security warning being shown, Windows automatically allows the program to run on the victim's device.
According to our research, Magniber ransomware has been abusing this flaw since 2022-11-01 to bypass MoTW.
Magniber ransomware, delivered as a ZIP archive, contains a JavaScript file with a malformed signature in it:
Delivered Magniber Ransomware
Malformed signature inside JavaScript file.
VirusTotal scan results show that the delivered ZIP archive contains a malicious JavaScript file.
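As an added example (not code from the CyberNow Labs post or from the Magniber sample): a small Python triage check that extracts the Windows Script Host signature block (the `// SIG //` comment lines that signed .js and .vbs files carry) and reports whether the embedded PKCS#7 blob is at least structurally well-formed DER. The post does not say how Magniber's signature is malformed, so this flags any block that does not decode to a consistent outer DER SEQUENCE; the sample scripts are constructed, and the check is structural only, not a cryptographic signature verification.

```python
import base64
import binascii

SIG_BEGIN = "// SIG // Begin signature block"
SIG_END = "// SIG // End signature block"
SIG_PREFIX = "// SIG //"


def extract_signature_b64(script_text):
    """Concatenate the base64 carried on '// SIG //' lines between the markers."""
    start = script_text.find(SIG_BEGIN)
    end = script_text.find(SIG_END)
    if start == -1 or end == -1 or end < start:
        return None  # no WSH signature block at all
    chunks = []
    for line in script_text[start + len(SIG_BEGIN):end].splitlines():
        line = line.strip()
        if line.startswith(SIG_PREFIX):
            chunks.append(line[len(SIG_PREFIX):].strip())
    return "".join(chunks)


def outer_der_sequence(blob):
    """Parse the outer DER SEQUENCE header; return (header_len, content_len) or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None  # a PKCS#7 ContentInfo must start with a SEQUENCE tag
    first = blob[1]
    if first < 0x80:
        return 2, first  # short-form length
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None  # indefinite length (not DER) or truncated length octets
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def triage_script(script_text):
    """Return 'unsigned', 'well-formed' or 'malformed' for a script's signature block."""
    b64 = extract_signature_b64(script_text)
    if b64 is None:
        return "unsigned"
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"  # not even valid base64
    hdr = outer_der_sequence(blob)
    if hdr is None or sum(hdr) != len(blob):
        return "malformed"  # header does not describe the bytes actually present
    return "well-formed"


# Constructed samples (not from the page): a minimal valid DER SEQUENCE and a truncated one.
WELL_FORMED_SAMPLE = "WScript.Echo('hi');\n// SIG // Begin signature block\n// SIG // MAMCAQE=\n// SIG // End signature block\n"
MALFORMED_SAMPLE = "WScript.Echo('hi');\n// SIG // Begin signature block\n// SIG // MIIE\n// SIG // End signature block\n"
```

A file that triages as "malformed" yet runs without a SmartScreen prompt is worth pulling for analysis; a "well-formed" result still needs a real Authenticode verification before it is trusted.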
A report from HP’s threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.
Magniber’s new infection chain (HP)
Process Tree of Magniber Ransomware:
Ransom note after the successful encryption:
| SHA 256 – IOC |
| --- |
| 5c1be821d8ae29d8569ddc1b76f79ff2ec7017ce018c6c585e949114f1d99d8a |
| 831f88fcd634385833fe84b4e4d88d03432f255a818e8d353c0c4de0a0f8ead4 |
| 8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274 |
| Technique Name | TTP ID |
| --- | --- |
| Command and Scripting Interpreter: JavaScript | T1059.007 |
| User Execution: Malicious File | T1204.002 |
| Obfuscated Files or Information | T1027 |
| Phishing: Spearphishing Attachment | T1566.001 |
| Data Encrypted for Impact | T1486 |

© CyberNow Labs – A National Cyber Group LCC Company. 2022. All rights reserved.