Magniber Ransomware Abusing MoTW Zero-Day


Brief Summary

MoTW (Mark of the Web) was originally an Internet Explorer security feature. It grew into the mechanism Windows uses to raise a warning when you interact with a file downloaded from the Internet: the browser records the origin zone in a Zone.Identifier alternate data stream attached to the file, and Explorer, Office and Microsoft SmartScreen consult that mark before the file is opened. Over time it also became the basis for preventing certain file types from running at all.

If you open a file flagged with MoTW, at a bare minimum you should see one of several messages, depending on whether you are looking at the file's properties (the "Unblock" checkbox) or attempting to open a file you have downloaded. It might look like this:

MoTW message.
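The mark itself is just a small INI-style text stream. The following added example (not code from the original post) parses the Zone.Identifier stream, tells you whether Windows would raise the warning for it, and recovers the download origin URLs that are useful in incident triage. The sample stream contents and the example.test URLs are constructed for illustration; read_motw only reaches the alternate data stream on Windows NTFS, everywhere else it returns None.

```python
"""Parse and classify a Windows Mark-of-the-Web (Zone.Identifier) stream.

Added example, not part of the original post. NTFS stores MoTW as an
alternate data stream named "Zone.Identifier" holding a [ZoneTransfer]
section. ZoneId=3 (Internet) or 4 (Restricted Sites) is what makes
Explorer / SmartScreen show the "Open File - Security Warning" prompt.
"""
import os

# URL security zone IDs (URLZONE_* in urlmon.h).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns ZoneId (int or None), ReferrerUrl and HostUrl (str or None);
    any other key under [ZoneTransfer] is kept in "extra".
    """
    result = {"ZoneId": None, "ReferrerUrl": None, "HostUrl": None, "extra": {}}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")  # URLs may contain '=', split once
        key, value = key.strip(), value.strip()
        if key == "ZoneId":
            try:
                result["ZoneId"] = int(value)
            except ValueError:
                result["ZoneId"] = None  # garbage ZoneId: treat as unknown
        elif key in ("ReferrerUrl", "HostUrl"):
            result[key] = value
        else:
            result["extra"][key] = value
    return result


def zone_name(stream_text: str) -> str:
    """Human-readable zone for a stream, 'unknown' if it carries no usable ZoneId."""
    zone = parse_zone_identifier(stream_text)["ZoneId"]
    if zone is None:
        return "unknown"
    return ZONE_NAMES.get(zone, f"unknown zone {zone}")


def triggers_warning(stream_text: str) -> bool:
    """True when the mark would make Windows prompt (Internet or Restricted zone)."""
    zone = parse_zone_identifier(stream_text)["ZoneId"]
    return zone is not None and zone >= 3


def read_motw(path: str):
    """Read the Zone.Identifier ADS of a file on NTFS.

    Returns the stream text, or None when the file carries no mark. ADS
    syntax (path:stream) only works on Windows, so other platforms get None.
    """
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed samples: what a browser writes for a file saved from the web,
# and a file copied from an intranet share. Not taken from a real incident.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/landing\r\n"
    "HostUrl=https://cdn.example.test/invoice.zip\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for label, stream in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET)):
        info = parse_zone_identifier(stream)
        print(f"{label}: zone={zone_name(stream)} warning={triggers_warning(stream)} "
              f"host={info['HostUrl']}")
```

Two caveats when using this for triage. Extracting an archive with Explorer propagates the mark to the extracted files, but some third-party archivers historically did not (7-Zip only started propagating MoTW in version 22.00), so the absence of a mark on a dropped script does not prove it came from a local source. And a present mark does not guarantee a prompt: as the rest of this post shows, the Zone.Identifier stream was still there on the Magniber script; it was the SmartScreen check on top of it that was bypassed.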

If the attacker instead attaches a malformed Authenticode signature to the malicious file, SmartScreen fails while parsing that signature and, rather than flagging the file and showing the MoTW security warning, Windows simply lets the program run on the victim's device without any prompt. The Zone.Identifier mark is still present on the file; it is the signature check that errors out and the warning that is never displayed.

According to our research, Magniber ransomware has been abusing this bypass since 2022-11-01 to evade MoTW.

Magniber ransomware is delivered in a ZIP archive that contains a JavaScript file with a malformed signature embedded in it:

Delivered Magniber ransomware.

Malformed signature inside JavaScript file.

VirusTotal scan results show that the delivered ZIP archive contains a malicious JavaScript file.
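Scripts signed for Windows Script Host carry their Authenticode signature as a base64 PKCS#7 blob in a trailing "// SIG //" comment block, which is where a malformed signature like the one above lives. The following added example (not code from the original post or from HP's analysis) triages a .js file by extracting that block and checking whether it even decodes to a well-formed PKCS#7 ContentInfo; the sample scripts, the hypothetical make_sig_block helper and the constructed blobs are illustrations, not real Magniber content, and a "well-formed" verdict only means the framing is intact, not that the signature verifies.

```python
"""Triage the Windows Script Host signature block in a JScript (.js) file.

Added example, not from the original post. signtool-signed JScript carries
the Authenticode PKCS#7 signature as base64 in a trailing comment block:

    // SIG // Begin signature block
    // SIG // MIIE...
    // SIG // End signature block

A block that is present but does not decode to a well-formed DER SEQUENCE
starting with the signedData ContentType is the "malformed signature"
pattern; a well-formed block still needs real verification (signtool
verify / Get-AuthenticodeSignature) before it is trusted.
"""
import base64
import binascii
import re

SIG_BLOCK_RE = re.compile(
    r"^// SIG // Begin signature block\r?\n(?P<body>.*?)^// SIG // End signature block",
    re.DOTALL | re.MULTILINE,
)
SIG_PREFIX = "// SIG // "
# OID 1.2.840.113549.1.7.2 (pkcs7-signedData) as a DER TLV.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def extract_signature_block(script: str):
    """Return the base64 text inside the SIG comment block, or None if absent."""
    m = SIG_BLOCK_RE.search(script)
    if not m:
        return None
    parts = []
    for line in m.group("body").splitlines():
        line = line.strip()
        if line.startswith(SIG_PREFIX.strip()):
            line = line[len(SIG_PREFIX.strip()):].strip()
        parts.append(line)
    return "".join(parts)


def der_sequence_header(blob: bytes):
    """If blob starts with a DER SEQUENCE, return (header_len, content_len)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def triage_script_signature(script: str) -> str:
    """Classify a script as 'unsigned', 'malformed' or 'well-formed'."""
    b64 = extract_signature_block(script)
    if b64 is None:
        return "unsigned"
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"                 # not even valid base64
    hdr = der_sequence_header(blob)
    if hdr is None:
        return "malformed"                 # not a DER SEQUENCE
    header_len, content_len = hdr
    if header_len + content_len != len(blob):
        return "malformed"                 # declared length disagrees with data
    if not blob[header_len:].startswith(SIGNED_DATA_OID):
        return "malformed"                 # ContentInfo must name signedData
    return "well-formed"


def make_sig_block(blob: bytes, width: int = 44) -> str:
    """Hypothetical helper: wrap a blob the way signtool formats a JScript SIG block."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["// SIG // Begin signature block"]
    lines += [SIG_PREFIX + b64[i:i + width] for i in range(0, len(b64), width)]
    lines.append("// SIG // End signature block")
    return "\n".join(lines) + "\n"


# Constructed samples (not real Magniber content).
BODY = 'var sh = new ActiveXObject("WScript.Shell");\n'
# Minimal ContentInfo framing: SEQUENCE(15) { OID signedData, [0] { NULL } }
WELLFORMED_BLOB = bytes.fromhex("300f") + SIGNED_DATA_OID + bytes.fromhex("a0020500")
SAMPLE_UNSIGNED = BODY
SAMPLE_WELLFORMED = BODY + make_sig_block(WELLFORMED_BLOB)
SAMPLE_TRUNCATED = BODY + make_sig_block(WELLFORMED_BLOB[:-3])   # length mismatch
SAMPLE_GARBAGE = BODY + "// SIG // Begin signature block\n// SIG // not-base64!!\n// SIG // End signature block\n"

if __name__ == "__main__":
    for label, script in (("unsigned", SAMPLE_UNSIGNED), ("well-formed", SAMPLE_WELLFORMED),
                          ("truncated", SAMPLE_TRUNCATED), ("garbage", SAMPLE_GARBAGE)):
        print(f"{label}: {triage_script_signature(script)}")
```

For hunting, the useful signal is the combination: a .js or .wsf attachment that carries a SIG block at all is unusual for legitimate mail, and one whose block is classified "malformed" while the file also carries an Internet-zone Zone.Identifier mark matches the behaviour described in this post.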

A report from HP's threat intelligence team notes that Magniber operators demanded payment of up to $2,500 from home users for a decryption tool to recover their files. The strain explicitly targets Windows 10 and Windows 11 builds.

Magniber's new infection chain (HP).

Process tree of Magniber ransomware:

Ransom note after successful encryption:

SHA-256 IOCs:
5c1be821d8ae29d8569ddc1b76f79ff2ec7017ce018c6c585e949114f1d99d8a
831f88fcd634385833fe84b4e4d88d03432f255a818e8d353c0c4de0a0f8ead4
8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274
MITRE ATT&CK TTPs:

Technique Name                                   TTP ID
Command and Scripting Interpreter: JavaScript    T1059.007
User Execution: Malicious File                   T1204.002
Obfuscated Files or Information                  T1027
Phishing: Spearphishing Attachment               T1566.001
Data Encrypted for Impact                        T1486
