CVE-2023-24880: Vulnerability Exploited by Magniber Ransomware Group

Keep up to date with latest blog posts

On March 14, 2023, Microsoft MSRC published a blog post about a security bypass zero-day vulnerability, CVE-2023-24880, affecting newer versions like Windows 10, 11 and Server 16 and later releases. [1]. This vulnerability is characterized as a Windows SmartScreen security bypass issue, allowing attackers to bypass the Mark-of-the-Web designation featured in Windows' endpoint protection offerings.

Google TAG researchers have linked this vulnerability to the delivery of Magniber ransomware [2]. Fortunately, Picus Labs have added attack simulations for Magniber ransomware to its Threat Library. In this blog, we explain how threat actors exploit the CVE-2023-24880 vulnerability to deliver Magniber ransomware.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

Magniber Ransomware

First detected in late 2017, the Magniber ransomware targeted South Korean users through malvertising attacks using the Magnitude Exploit Kit [3]. Since then, it has continued to evolve, adopting new obfuscation strategies and evasion techniques. In April 2022, the ransomware drew attention when it masqueraded as a Windows update file, luring victims into installing it [4]. 

Later, in September 2022, threat actors started exploiting the Windows’ SmartScreen Bypass vulnerability, CVE-2022-44698, through JavaScript for the deployment of the malware [5]. Following this, Microsoft released a patch for this vulnerability in December 2022. 

As of March 2023, Magniber ransomware actors are exploiting a zero-day vulnerability, CVE-2023-24880, that renders the patch for the previous SmartScreen Bypass vulnerability ineffective in deploying the malware onto target systems.

Windows SmartScreen CVE-2022-44698 Vulnerability

The CVE-2023-24880 is not a stand alone vulnerability, but rather caused by a previous SmartScreen Bypass CVE-2022-44698 [6] vulnerability in smartscreen.exe. 

The vulnerability lies in the shdocvw.dll module's DoSafeOpenPromptForShellExec function, which, by default, does not display a security warning. However, if the SmartScreen request somehow returns an error, the function in speech proceeds to execute the file without any warning to the user. 

The error occurs while parsing the file's signature in the smartscreen.exe's windows::security::signature_info::retrieve function. In September 2022, adversaries managed to exploit the CVE-2022-44698 vulnerability to deploy Magniber ransomware [5] using a JavaScript file with a malformed signature forcing the SmartScreen request to return an error, bypassing the security warning. 

SIGNATURE_INFO * windows::security::signature_info::retrieve(SIGNATURE_INFO *signature_info, HANDLE handle) {
HANDLE wvt_state_data;
CERT_CONTEXT *cert_context;
CRYPT_PROVIDER_DATA *crypt_provider_data;

. . .
  path:: from_file(handle, io).c_str(), 

  §cert_context, Swvt_state_data);

. . .
if (wvt_state_data)
  crypt_provider_data = WHelperProvDatafromStateData(wvt_state_data);
  crypt_provider_data = NULL;
if (crypt_provider_data &§ crypt_provider_data->hMsg) { // The JScript's Authenticode signatures lead to non-NULL values for these.
  if (!cert_context) {                                 // cert_context is NULL.
      THROW_HR (E_INVALIDARG) ;                        // An error gets raised.

  windows::security::authenticode_information::create<enum SIGNATURE_STATE>( // This will be relevant for CVE-2023-24880.


      . . .);

    . . .
  } else {

      . . .



Example 1: Pseudocode of the windows::security::signature_info::retrieve [2].

The bypass technique was later adopted by other threat actors and still actively used to spread Qakbot malware in 2023 [7]. 

CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability

Even though Microsoft patched this vulnerability in December 2022, and they did not raise an error in this specific case of CVE-2022-44698, it does not address other instances where THROW_HR is called due to different errors within smartscreen.exe.

if (crypt_provider_data && crypt_provider_data->hMsg) {
    if (!cert_context) {
        if     (wil::details::FeatureImpl<__WilfeatureTraits_Feature_MSRC75366_Servicing_Malformed_Authenticode_Check>::__private_IsEnabled()){

          . . .                      // If patch is enabled, do not raise an error for this specific case.
        } else {
            THROW_HR(E_INVALIDARG) ; // Else, raise an error.



Figure 2. Pseudocode of the patch of the CVE-2022-44698 vulnerability [2].

Each instance presents a potential opportunity for attackers to exploit the system by returning an error to shdocvw.dll, which would then fail to display a security warning. Attackers have managed to bypass security by using signatures that lead to a valid cert_context, rendering the CVE-2022-44698 patch ineffective. 

This vulnerability impacts newer Windows versions, specifically Windows 10 and 11, in addition to Server 2016 and later releases.

How Picus Helps Simulate Magniber Ransomware Attacks?

We also strongly suggest simulating Magniber ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware that might exploit the CVE-2023-24880 vulnerability within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Magniber ransomware

Threat ID

Threat Name

Attack Module


Magniber Ransomware Email Threat

E-mail Infiltration


Magniber Ransomware Download Threat

Network Infiltration

Moreover, Picus Threat Library contains 300+ threats containing 2000+ web application and vulnerability exploitation attacks in addition to 1500+ endpoint, 8000+ malware, email 7800+, and data exfiltration 200+ threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Magniber ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Magniber ransomware:

Security Control

Signature ID

Signature Name

Fortigate AV



Forcepoint NGFW



Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.


[1] “Security Update Guide - Microsoft Security Response Center.” [Online]. Available: [Accessed: Mar. 17, 2023]

[2] B. Sevens, “Magniber ransomware actors used a variant of Microsoft SmartScreen bypass,” Google, Mar. 14, 2023. [Online]. Available: [Accessed: Mar. 17, 2023]

[3] Chi_Shanger, “Malware Analysis - Magniber Ransomware,” TXOne Networks, Feb. 03, 2023. [Online]. Available: [Accessed: Mar. 17, 2023]

[4] L. Abrams, “Fake Windows 10 updates infect you with Magniber ransomware,” BleepingComputer, Apr. 30, 2022. [Online]. Available: [Accessed: Mar. 17, 2023]

[5] P. Schläpfer, “Magniber Ransomware Targets Users with Fake Software Updates,” HP Wolf Security, Oct. 13, 2022. [Online]. Available: [Accessed: Mar. 17, 2023]

[6] M. Kolsek, “0patch Blog.” [Online]. Available: [Accessed: Mar. 17, 2023]

[7] “QakBot Malware Bypass Windows Security Using Unpatched Vulnerability.” [Online]. Available: [Accessed: Mar. 17, 2023]


Keep up to date with latest blog posts