Detection of Vulnerability (CVE-2021-26411) via V3 Memory Scan (Magniber)

Starting from March 2021, Magniber ransomware that operates in a fileless form has used the script that utilizes CVE-2021-26411 vulnerability instead of using CVE-2020-0968 vulnerability. There are still numerous damage reports that involve Magniber ransomware in Korea, and as the malware is being distributed via IE vulnerability (CVE-2021-26411), it is absolutely crucial for users of IE to apply the security patch. Detecting and blocking the latest Magniber is possible with V3’s ‘Process Memory Scan’ feature.

Magniber ransomware infects via IE browser vulnerability, operates as a fileless malware via injection and it does not need to create a separate file.  Hence, normal processes of the infected system are the ones that perform ransomware behavior.

The figure below shows the operation process of Magniber ransomware: It operates simply via process (1) – (4), and the process marked as yellow is the process that performs ransomware behavior. The running processes are all normal processes.

V3 product contains ‘Process Memory Scan‘ feature which detects and repairs malicious areas of process memory area in real-time. The injection process that involves normal processes run by the ransomware in stage (4) is detected and blocked in real-time, preventing the ransomware infection. (As normal processes are also targets for remediation, the user’s normal processes may shut down.)

V3 product’s Process Memory Scan feature

Upon activating V3’s real-time ‘Process Memory Scan’ feature, fileless Magniber is blocked.

The video below shows the blocking of Magniber ransomware using Process Memory Detection, which is one of the block features of V3.

[V3 product initiating behavior detection & blocking Magniber ransomware] / OS: Windows 10 64bit

[V3 product initiating behavior detection & blocking of Magniber ransomware] / OS: Windows 7 32bit

[V3 Detection Alias]

  • Behavior Detection Alias: Ransom/MDP.Magniber.M3431
  • Process Memory Detection Alias (Engine ver.):
    • Ransomware/Win.Magniber.XM101 (2021.04.16.00)
    • Ransomware/Win.Magniber.XM102 (2021.04.16.00)
    • Ransomware/Win.Magniber.XM103 (2021.04.16.00)
    • Ransomware/Win.Magniber.XM104 (2021.04.16.00)
5 5 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments