Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection

At the beginning of this year, ASEC analysis team published the change of vulnerability which is used by the developer of Magniber to distribute the ransomware.

Since September 23, 2019, CVE-2019-1367 vulnerability, which the developer of Magniber used for distribution, stopped operating in the systems with emergency security patch (Version 1903) applied. In response, the developer changed the latest vulnerability to CVE-2020-0968, expanding the infection target range. On top of this occurrence, CVE-2020-0968 security patch (distributed on April 15, 2020) cannot be applied to Windows 7 as it is no longer supported as of January 14, 2020. For better understanding of the changes, see figures below which are the comparisons between the codes before the change (including POC) and the those after the change.

Figure 1. POC code of CVE-2019-1367
Figure 2. Code of vulnerability (CVE-2019-1367) used for Magniber (before change)
Figure 3. Part of UAF code of CVE-2020-0968 vulnerability
Figure 4. Changed Magniber code (orange box displays POC code in Figure 3.)

Upon comparing POC code and the vulnerability script that is being distributed, there are convolutions in variable names, but changes in the code are not found. The two vulnerabilities are similar in that they both use the UAF vulnerability of jscript.dll, but there is a difference in the method of how regular expression object pointer is leaked. The steps that follow after the pointer is leaked are not different from those of CVE-2019-1367. V3 detects these two vulnerabilities that use vulnerable jscript.dll via behavior-based detection, and this detection feature has been distributed to all users of V3 as of December 17, 2020.

The developer of Magniber is not only attempting to change the vulnerability of the distribution script but also attempting to apply various changes to bypass behavior-based detection of V3. The table below shows the flow of changes for the API call sequence that the developer of Magniber used to inject Magniber ransomware.

DateAPI Used for Injection
March 9thOpenProcess -> WriteProcessMemory -> SetThreadContext -> ResumeThread
April 10thZwCreateSection -> ZwMapViewOfSection -> RtlMoveMemory -> ZwMapViewOfSection -> ZwUnMapViewOfSection -> ZwCreateThreadEx -> GetThreadContext -> SetThreadContext -> ZwResumeThread
April 29thZwCreateSection -> ZwMapViewOfSection -> RtlMoveMemory -> ZwMapViewOfSection -> ZwCreateThreadEx
May 6thNtCreateSection -> NtMapViewOfSection -> RtlMoveMemory -> RtlCreateUserThread
May 7thOpenProcess -> VirtualAllocEx -> WriteProcessMemory -> NtCreateThreadEx -> GetThreadContext -> SetThreadContext -> NtResumeThread
May 19thNtCreateSection -> NtMapViewOfSection -> RtlMoveMemory -> NtMapViewOfSection -> NtCreateThreadEx -> GetThreadContext -> SetThreadContext -> NtResumeThread
June 9thOpenProcess -> DuplicateHandle -> VirtualAllocEx -> WriteProcessMemory -> RtlCreateUserThread
June 10thDistribution ceased (until June 25th)
June 26th – presentNtCreateSection -> NtMapViewOfSection -> NtMapViewOfSection -> NtCreateThreadEx -> NtGetContextThread -> NtSetContextThread ->NtResumeThread

The developer did not change API call sequence since late June, but when calling injection API, they applied a technique called ‘Heaven’s Gate.’ The Heaven’s Gate technique is a method that malware uses to bypass user hooking of anti-malware software. For example, if the attacker allocates SysCall index which is Call, and calls KiFastSystemCall directly instead of proceeding through normal API Call to bypass a specific API that anti-malware software is hooking, this case can be seen as a Heaven’s Gate attack.

Magniber is currently being distributed via Internet Explorer, and many normal users are using x64 environment. The steps Magniber shellcode takes to call NtOpenProcess API via Heaven’s Gate technique in Internet Explorer 32-bit process that runs with WOW64 mode are described below.

Instead of calling NtOpenProcess API in a normal way, Magniber shellcode sends SysCall index (0x23) directly to argument and calls fs:[C0] area (Reserved for Wow64). When 32-bit process of WOW64 environment calls fs:[C0] area, X86SwitchTo64BitMode of wow64cpu.dll is called. Because Magniber shellcode uses Heaven’s Gate technique to call 64-bit API directly from the 32-bit process (Internet Explorer), it is difficult to detect API call via common hooking.

Figure 5. Heaven’s Gate operation flow
Figure 6. NtOpenProcess SysCall index

V3 uses TrueEyes, Ahnlab’s in-house fileless detection module, to detect vulnerability as well as Heaven’s Gate. The two detection features are distributed to all V3 users as of today (December 17, 2020), and the vulnerability, as well as the injection technique Magniber uses to bypass hooking, can be pre-detected and blocked before encryption via V3’s behavior engine.

[Behavior Detection]
– Malware/MDP.Exploit.M3036
– Malware/MDP.Exploit.M3417
– Malware/MDP.Exploit.M3431

[Video-1] Magniber infection in an environment without V3 installation

[Video-2] Magniber block in an environment with V3 installation

5 5 votes
Article Rating
Inline Feedbacks
View all comments