Detection of JavaScript Vulnerability (CVE-2021-26411) via V3 Behavior Detection (Magniber)

Attackers are using the CVE-2021-26411 JavaScript vulnerability to actively distribute fileless Magniber ransomware via the IE browser. Its internal code flow is changing rapidly, and there are still numerous damage reports involving Magniber ransomware in Korea. As it is being distributed via an IE vulnerability (CVE-2021-26411), it is absolutely crucial for IE users to apply the security patch. Currently, V3 products can detect and block the latest Magniber ransomware using the ‘Behavior Detection’ feature.

Figure 1 shows the infection process of the latest Magniber ransomware. The ransomware infects via an IE browser vulnerability and operates as fileless malware via injection; it does not need to create a separate file on disk. Hence, normal processes of the infected system are the ones that perform the ransomware behavior.

The operation flow is quite simple, as shown in Figure 1. The processes marked with yellow shapes are the normal processes existing on the user’s PC that carry out the ransomware activities.

Figure 1. Infection flow diagram of Magniber

The recent Magniber ransomware has the architecture shown in Figure 1, but the attacker is continuously changing the internal shellcode pattern and the malware injection method, as shown in Figure 2.

Figure 2. Timeline of Magniber Exploit Kit alterations

The timeline shows that the Magniber Exploit Kit, which had been using the CVE-2020-0968 vulnerability until earlier this year, shifted to a new vulnerability based on the publicly revealed CVE-2021-26411 POC code on March 15, 2021.

After switching to the new vulnerability, the attacker has been adopting various strategies to bypass V3’s behavior detection and memory scan, such as obfuscating shellcodes and changing injection targets. However, the latest V3 engine can still perform behavior detection and memory scan on the vulnerability.

Let’s examine the changes in shellcodes and injection targets. The attacker obfuscated the shellcode on April 22 to bypass the V3 memory scan that had been applied to the V3 engine on April 15.

Figure 3. Changes in shellcodes (previous → obfuscated)

Then, on May 4th, the attacker changed the injection targets from 32-bit processes to 64-bit processes. For users in a 64-bit environment, this increased the number of normal processes injected with Magniber (32-bit users were already targets of 32-bit process injection).

Figure 4. 32-bit process verification routine (Inject Magniber code to 32-bit process)
Figure 5. 64-bit process verification routine (Inject Magniber code to 64-bit process)
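The behavior described above (fileless injection from the IE browser into normal processes, which then perform the encryption) can be correlated in a simple detection rule. The following is an added example, not code from the original post or from V3: it scans constructed Sysmon-style events (the field names and sample paths are assumptions), flags any process that received a remote thread from iexplore.exe regardless of whether the target is 32-bit or 64-bit, and then raises a ransomware alert when such a process starts renaming documents.

```python
import os
from collections import Counter

# Constructed sample events in a Sysmon-like shape (field names are assumed,
# not taken from the post). PIDs, paths and the appended extension are made up.
SAMPLE_EVENTS = [
    {"event": "create_remote_thread",
     "source_image": r"C:\Program Files\Internet Explorer\iexplore.exe", "source_pid": 4100,
     "target_image": r"C:\Windows\System32\svchost.exe", "target_pid": 2210},
    {"event": "create_remote_thread",  # benign: not from the browser
     "source_image": r"C:\Windows\System32\svchost.exe", "source_pid": 900,
     "target_image": r"C:\Windows\System32\wuauclt.exe", "target_pid": 901},
    {"event": "file_rename", "pid": 2210,
     "old": r"C:\Users\kim\Documents\a.docx", "new": r"C:\Users\kim\Documents\a.docx.xkqzpe"},
    {"event": "file_rename", "pid": 2210,
     "old": r"C:\Users\kim\Documents\b.xlsx", "new": r"C:\Users\kim\Documents\b.xlsx.xkqzpe"},
    {"event": "file_rename", "pid": 2210,
     "old": r"C:\Users\kim\Documents\c.pptx", "new": r"C:\Users\kim\Documents\c.pptx.xkqzpe"},
    {"event": "file_rename", "pid": 3000,  # benign: process was never injected
     "old": r"C:\Users\kim\Documents\d.txt", "new": r"C:\Users\kim\Documents\d.txt.bak"},
]

BROWSER_IMAGES = {"iexplore.exe"}
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf"}

def basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def injected_by_browser(events):
    """Map target pid -> image for every process that got a remote thread from IE.
    Target bitness is deliberately not filtered: Magniber moved from 32-bit to
    64-bit targets, so a rule keyed on bitness would miss the newer variant."""
    return {e["target_pid"]: e["target_image"] for e in events
            if e["event"] == "create_remote_thread"
            and basename(e["source_image"]) in BROWSER_IMAGES}

def looks_like_encryption(old, new):
    """A document renamed to its original name plus an appended extension."""
    return new.startswith(old) and os.path.splitext(old)[1].lower() in DOC_EXTS

def detect(events, rename_threshold=3):
    """Return (alert, pid, detail) tuples: one per browser injection, plus a
    ransomware alert when an injected process renames enough documents."""
    injected = injected_by_browser(events)
    renames = Counter(e["pid"] for e in events
                      if e["event"] == "file_rename" and e["pid"] in injected
                      and looks_like_encryption(e["old"], e["new"]))
    alerts = [("browser_injection", pid, basename(img)) for pid, img in injected.items()]
    alerts += [("ransomware_behavior", pid, n) for pid, n in renames.items() if n >= rename_threshold]
    return alerts
```

The injection alert alone is the early signal the post describes; the rename correlation only confirms that the injected normal process is the one doing the encryption.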

As seen in the video, the latest V3 engine detects the abnormal behavior of the CVE-2021-26411 vulnerability script when the user visits a vulnerable web page.

The behavior detection feature was distributed to all clients using V3 as of June 18, 2021, allowing V3 to detect and block the ransomware in advance, before it encrypts users’ documents. However, the most important prevention against ransomware infection is keeping the system at the latest security patch level. Hence, users should always apply the latest security updates and refrain from visiting untrusted sites.

[Behavior Detection]
– Exploit/MDP.Magniber.M3773 (2021.06.18.00)

[Memory Scan]
– Ransomware/Win.Magniber.XM101 (2021.06.10.02)

[MS Security Update]
