MOTW (Mark of the Web) was originally an Internet Explorer security feature. It broadened out into a way for Windows devices to raise a warning when interacting with files downloaded from a URL. Over time, it even contributed to preventing certain types of files from running.
If you open a file flagged with MOTW, at the bare minimum you should see one of several messages, depending on whether you are looking at the file's properties or attempting to open a file you have downloaded. It might be this:
If attackers sign the malicious file with a malformed signature, then instead of the file being flagged by Microsoft SmartScreen and showing the MoTW security warning, Windows automatically allows the program to run on the victim device.
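As an added example (not code from the original post or from HP's report), the following Python helper parses the Zone.Identifier alternate data stream that carries the Mark of the Web, so a responder can check whether a downloaded file was actually flagged before SmartScreen had a chance to act. The function names, the zone table and the sample stream are constructed here; reading the stream from disk only works on Windows/NTFS.

```python
# Added example: inspect the Mark of the Web (Zone.Identifier ADS).
# Not part of the original post; helper names are our own.
import configparser
import sys
from typing import Optional

# URL Security Zone ids that browsers write into <file>:Zone.Identifier
# (assumed mapping, as documented for Windows security zones).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of the stream.

    Returns ZoneId as an int, a human-readable Zone name, and any
    ReferrerUrl/HostUrl values. Raises ValueError if no ZoneId exists.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the stream
    cp.read_string(stream_text)
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        raise ValueError("no [ZoneTransfer] ZoneId in stream")
    info = dict(cp["ZoneTransfer"])
    info["ZoneId"] = int(info["ZoneId"])
    info["Zone"] = ZONE_NAMES.get(info["ZoneId"], "Unknown")
    return info

def has_mark_of_the_web(stream_text: str) -> bool:
    """True for Internet (3) or Restricted Sites (4): the zones that make
    SmartScreen and the MoTW warning kick in."""
    return parse_zone_identifier(stream_text)["ZoneId"] >= 3

def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS on Windows/NTFS; None if the file carries no MoTW."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8") as f:
            return f.read()
    except OSError:  # stream absent, or not an NTFS volume / not Windows
        return None

# Constructed sample stream, shaped like what a browser writes for a download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/downloads/installer.exe\r\n"
)

if __name__ == "__main__":
    for p in sys.argv[1:]:
        s = read_zone_identifier(p)
        print(p, "MoTW" if s and has_mark_of_the_web(s) else "no MoTW")
```

Run it on Windows with one or more file paths as arguments; on other platforms only the parsing functions are useful, for example on stream contents copied out of a forensic image.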
According to our research, Magniber ransomware has been abusing this exploit since 2022-11-01 to achieve a MoTW bypass.
Delivered Magniber Ransomware
A report from HP’s threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.
Magniber’s new infection chain (HP)
Process tree of Magniber ransomware:
Ransom note after the successful encryption:
| SHA 256 – IOC |
|---|

| Technique Name | TTP ID |
|---|---|
| User Execution: Malicious File | T1204.002 |
| Obfuscated Files or Information | T1027 |
| Phishing: Spearphishing Attachment | T1566.001 |
| Data Encrypted for Impact | T1486 |