Caution! Magniber Ransomware Being Distributed in Korea Using CVE-2021-26411 Vulnerability

The distributor of Magniber ransomware has continued to evolve to avoid V3’s detection. It goes without saying that subscribers of ASEC Blog are well aware of the fact that AhnLab has been fighting the developers of Magniber ransomware for a long time, and that the history almost resembles a cat-and-mouse chase.

This time, the distributor of Magniber waited for the anniversary day of AhnLab (March 15th), which is also a traditional holiday for AhnLab. On this day, the distributor swiftly changed the vulnerability to CVE-2021-26411, from the previously used vulnerability (CVE-2020-0968). ASEC analysis team has been configuring and operating automatic response and collection systems to swiftly detect an attempt to bypass detection such as this. Thanks to the systems, they swiftly detected the change to the latest CVE-2021-26411 vulnerability script. On March 9th, MS has distributed a security patch regarding this vulnerability, therefore the users using Internet Explorer should apply the patch as soon as possible. For the users who use V3, it can preemptively block such a fileless attack via behavior detection feature.

In terms of its features, the latest modified CVE-2021-26411 vulnerability is strikingly similar to the vulnerability code of Internet Explorer that North Korea used to steal information of researchers working in security divisions of companies such as Google and Microsoft.

l Reference websites
New campaign targeting security researchers (Google)
ZINC attacks against security researchers (Microsoft)
Hacking group also used an IE zero-day against security researchers (Assumed to be Lazarus Group)
Internet Explorer 0-day Analysis

In all 3 mentioned attempts to steal information, the MHTML file was used to prompt access to codevexillium[.]org through Internet Explorer (prompting the use of Internet Explorer which is the default process for MHTML execution). The web page (codevexillium[.]org) included a JS code that has the vulnerability, and it is very similar to the code that the collected Magniber below uses.

[Part of collected Magniber decryption code – Object declaration for luring user to vulnerability]

[Part similar to codevexillium[.]org collection code -1] *Source:

[Part of collected Magniber decryption code – Shellcode load]
[Part similar to codevexillium[.]org collection code -2] *Source:

Users of Internet Explorer are highly vulnerable to Magniber attacks. Seeing how the aforementioned attack against security researchers was distributed as MHTML file to prompt the use of Internet Explorer, users must refrain from using programs with weak security.

AhnLab blocks the attack shown above using the behavior-based detection before the file encryption is performed.

V3 Behavior Detection Aliases
– Malware/MDP.Inject.M2906
– Malware/MDP.Inject.M3431

The shift in V3 behavior detection aliases after the change of vulnerability is as follows: Behavior rule M3379 previously detected an average of 400-600 block logs per day, but on March 15th, only 129 cases were found, which is a significant reduction compared to other days. For behavior rule M2906 on the other hand, the number increased exponentially to 545 cases. Given that the developer of Magniber can quickly switch the vulnerability to a new one, users must remain vigilant.

Change of behavior detection rule before and after the change of vulnerability
5 1 vote
Article Rating
Inline Feedbacks
View all comments