At the beginning of this year, the ASEC analysis team published a post on the change in the vulnerability that the Magniber developer uses to distribute the ransomware.
Since September 23, 2019, the CVE-2019-1367 vulnerability that the Magniber developer had been using for distribution no longer works on systems with the emergency security patch (version 1903) applied. In response, the developer switched to the newer CVE-2020-0968, widening the range of infection targets. On top of this, the CVE-2020-0968 security patch (distributed on April 15, 2020) cannot be applied to Windows 7, which reached end of support on January 14, 2020. For a better understanding of the changes, see the figures below, which compare the code before the change (including the POC) with the code after the change.
Comparing the POC code with the exploit script actually being distributed, the variable names are obfuscated but the code itself is unchanged. The two vulnerabilities are similar in that both exploit a use-after-free (UAF) in jscript.dll, but they differ in how the regular expression object pointer is leaked. The steps that follow once the pointer has been leaked are the same as for CVE-2019-1367. V3 detects both vulnerabilities, which rely on the vulnerable jscript.dll, through behavior-based detection, and this detection feature was distributed to all V3 users on December 17, 2020.
The Magniber developer is not only changing the vulnerability used by the distribution script but is also applying various changes to bypass V3's behavior-based detection. The table below shows how the API call sequence the Magniber developer uses to inject the Magniber ransomware has changed over time.
| Date (2020) | API Used for Injection |
|---|---|
| March 9th | OpenProcess -> WriteProcessMemory -> SetThreadContext -> ResumeThread |
| April 10th | ZwCreateSection -> ZwMapViewOfSection -> RtlMoveMemory -> ZwMapViewOfSection -> ZwUnmapViewOfSection -> ZwCreateThreadEx -> GetThreadContext -> SetThreadContext -> ZwResumeThread |
| April 29th | ZwCreateSection -> ZwMapViewOfSection -> RtlMoveMemory -> ZwMapViewOfSection -> ZwCreateThreadEx |
| May 6th | NtCreateSection -> NtMapViewOfSection -> RtlMoveMemory -> RtlCreateUserThread |
| May 7th | OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> NtCreateThreadEx -> GetThreadContext -> SetThreadContext -> NtResumeThread |
| May 19th | NtCreateSection -> NtMapViewOfSection -> RtlMoveMemory -> NtMapViewOfSection -> NtCreateThreadEx -> GetThreadContext -> SetThreadContext -> NtResumeThread |
| June 9th | OpenProcess -> DuplicateHandle -> VirtualAllocEx -> WriteProcessMemory -> RtlCreateUserThread |
| June 10th | Distribution ceased (until June 25th) |
| June 26th – present | NtCreateSection -> NtMapViewOfSection -> NtMapViewOfSection -> NtCreateThreadEx -> NtGetContextThread -> NtSetContextThread -> NtResumeThread |
The developer has not changed the API call sequence since late June, but now applies a technique called 'Heaven's Gate' when calling the injection APIs. Heaven's Gate is a method malware uses to bypass the user-mode hooks that anti-malware software places on API functions. The underlying idea is that of a direct system call: instead of going through the normal API stub that the anti-malware product has hooked, the caller loads the syscall index itself and performs the kernel transition directly (for example by calling KiFastSystemCall), so the hooked function is never entered. Heaven's Gate is the WOW64-specific form of this: a 32-bit process switches to 64-bit mode and issues the 64-bit system call, so hooks installed in the 32-bit ntdll.dll and kernel32.dll never see the call.
Magniber is currently distributed via Internet Explorer, and most ordinary users run an x64 environment. The steps the Magniber shellcode takes to call the NtOpenProcess API via the Heaven's Gate technique from the 32-bit Internet Explorer process running under WOW64 are described below.
Instead of calling NtOpenProcess the normal way, the Magniber shellcode loads the syscall index (0x23) directly as the system call number and calls through fs:[0xC0] (the WOW32Reserved field of the 32-bit TEB, reserved for WOW64). When a 32-bit process in a WOW64 environment calls through fs:[0xC0], X86SwitchTo64BitMode in wow64cpu.dll is invoked, which performs the far jump into 64-bit mode, after which the WOW64 layer issues the 64-bit system call. This is the same path the legitimate 32-bit ntdll.dll syscall stubs take, but the shellcode takes it without ever entering the 32-bit NtOpenProcess stub, so a hook placed on that stub (or on the OpenProcess wrapper in kernel32.dll) is never executed. Because the Magniber shellcode uses Heaven's Gate to call the 64-bit API directly from the 32-bit process (Internet Explorer), the API call is difficult to detect with common hooking. Note that the syscall index is build-specific: 0x23 is NtOpenProcess on the 64-bit Windows build this shellcode targets, and since syscall numbers change between Windows versions, a hard-coded index only works on the builds it was taken from.
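The fs:[0xC0] transition described above leaves a recognisable byte pattern in 32-bit code, which is what a static check for Heaven's Gate can key on. The following scanner is an added example (not AhnLab's TrueEyes logic and not Magniber's real bytes): it flags the "syscall index then call dword ptr fs:[0xC0]" stub and the two classic far-transfer trampolines into code segment 0x33. The sample buffer is hand-assembled for the example, and the 0x23 = NtOpenProcess mapping is taken from the analysis above and is only valid for the build it targets.

```python
import re
import struct

# x86 byte patterns for the WOW64 transition described above. Added example, not
# AhnLab/TrueEyes code; offsets are into the scanned buffer.
PATTERNS = {
    # mov eax, imm32 ... call dword ptr fs:[0xC0]
    # (ntdll-style WOW64 stub: load the syscall index, then call through the
    #  TEB WOW32Reserved slot to wow64cpu!X86SwitchTo64BitMode)
    "wow64_fs_c0_call": re.compile(
        rb"\xB8(?P<idx>.{4}).{0,8}?\x64\xFF\x15\xC0\x00\x00\x00", re.DOTALL),
    # push 0x33 ; call $+5 ; add dword ptr [esp], 5 ; retf
    # (far return into code segment 0x33, i.e. switch to 64-bit mode)
    "heavens_gate_retf": re.compile(
        rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"),
    # jmp far 0x33:imm32 (direct far jump into the 64-bit code segment)
    "far_jmp_cs33": re.compile(rb"\xEA.{4}\x33\x00", re.DOTALL),
}


def scan_heavens_gate(blob, syscall_names=None):
    """Return every pattern hit in `blob`, sorted by offset.

    Each hit is a dict with 'pattern' and 'offset'; stub hits also carry the
    little-endian 'syscall_index' and, if `syscall_names` knows it, a 'name'.
    Syscall numbers are build-specific, so the caller supplies that mapping."""
    syscall_names = syscall_names or {}
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(blob):
            hit = {"pattern": name, "offset": m.start()}
            if "idx" in pat.groupindex:
                idx = struct.unpack("<I", m.group("idx"))[0]
                hit["syscall_index"] = idx
                if idx in syscall_names:
                    hit["name"] = syscall_names[idx]
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: a WOW64-style stub for syscall 0x23 followed by a push/retf
# gate, padded with NOPs. Hand-assembled for this example; not Magniber's bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x23\x00\x00\x00"           # mov eax, 0x23
    + b"\x33\xC9"                       # xor ecx, ecx
    + b"\x8D\x54\x24\x04"               # lea edx, [esp+4]
    + b"\x64\xFF\x15\xC0\x00\x00\x00"   # call dword ptr fs:[0xC0]
    + b"\x83\xC4\x04"                   # add esp, 4
    + b"\xC3"                           # ret
    + b"\x90" * 3
    + b"\x6A\x33\xE8\x00\x00\x00\x00"   # push 0x33 ; call $+5
    + b"\x83\x04\x24\x05\xCB"           # add dword ptr [esp], 5 ; retf
)

# 0x23 -> NtOpenProcess per the analysis above; valid only for the build it targets.
KNOWN_INDICES = {0x23: "NtOpenProcess"}

if __name__ == "__main__":
    for hit in scan_heavens_gate(SAMPLE, KNOWN_INDICES):
        print(hit)
```

The stub pattern is deliberately loose about what sits between the `mov eax` and the `call fs:[0xC0]` (the genuine ntdll stubs put `xor ecx, ecx` / `lea edx, [esp+4]` there, shellcode may put nothing), and a lone 0xB8 byte is not rare, so treat a hit as a lead to confirm by disassembly rather than a verdict. It also only covers the fs:[0xC0] route and the two textbook far transfers; a shellcode that computes the wow64cpu address some other way would need a different signature.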
V3 uses TrueEyes, AhnLab's in-house fileless detection module, to detect both the vulnerability and the Heaven's Gate technique. Both detection features were distributed to all V3 users as of today (December 17, 2020); the vulnerability, as well as the injection technique Magniber uses to bypass hooking, can be detected and blocked by V3's behavior engine before encryption takes place.