The vulnerability reportedly exists in the Mark-of-the-Web (MoTW) feature, which flags files downloaded from the Internet as requiring caution.
Vulnerability analyst Will Dormann assessed publicly that the Magniber campaign leveraging the zero-day used a malformed key to sign malicious files impersonating Windows messages. According to Dormann, “When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware […] Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.”
Dormann also informed BleepingComputer that threat actors can modify any Authenticode-signed file, including executables, to bypass the MoTW security warnings by using a hex editor to change some of the bytes in the signature portion of the file.
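The condition described above (a file carrying a MoTW flag whose Authenticode signature block is present but does not verify) can be triaged from the defender's side. The following PowerShell check is an added example, not code from the advisory, HP or Dormann; it assumes Windows PowerShell 5.1 or later on an NTFS volume, and the `$Path` and `$Extensions` defaults are assumptions you can override:

```powershell
# Added example: list downloaded files whose Authenticode signature is present but
# does not verify. Assumes Windows PowerShell 5.1+ and an NTFS volume (MoTW lives
# in the Zone.Identifier alternate data stream).
param(
    [string]$Path = "$env:USERPROFILE\Downloads",                        # assumed default
    [string[]]$Extensions = @('*.js', '*.jse', '*.vbs', '*.exe', '*.dll', '*.msi')
)

function Get-MotwZone {
    param([string]$File)
    # Returns the ZoneId from the Zone.Identifier stream (3 = Internet), or $null
    # when the file carries no Mark-of-the-Web at all.
    try {
        $zone = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

$findings = foreach ($f in Get-ChildItem -LiteralPath $Path -Include $Extensions -Recurse -File) {
    $zoneId = Get-MotwZone -File $f.FullName
    if ($null -eq $zoneId) { continue }      # no MoTW: not a downloaded file, skip

    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    # NotSigned is the ordinary state of a downloaded script and is not flagged.
    # Valid means the signature verifies. Anything else (HashMismatch, NotTrusted,
    # UnknownError, ...) means a signature block exists but does not verify, which
    # is the shape of the reported bypass and is worth a closer look.
    $ignore = @('Valid', 'NotSigned', 'NotSupportedFileFormat')
    if ($sig.Status -notin $ignore) {
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File      = $f.FullName
            ZoneId    = $zoneId
            SigStatus = $sig.Status
            Signer    = $signer
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it against a download directory and treat each row as a candidate for quarantine and review; a clean run prints nothing.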
Note: Microsoft reported to BleepingComputer that they were unable to recreate the issue but are investigating further.
Because Microsoft is still investigating, no patch is available for the reported zero-day; members are encouraged to remain alert for Microsoft updates regarding the issue.
For the Magniber campaign leveraging the zero-day, HP researchers provided the following defensive recommendations:
- Follow the principle of least privilege by only using administrator accounts if you really need to. Many home users have administrator privileges but rarely need them.
- Download software updates from trusted sources. The campaign depends on tricking people into opening fake software updates. Only download updates from trustworthy sources such as Windows Update and official software vendor websites.
- Back up your data regularly. Backing up your data will give you peace of mind should the worst happen.