Change in Magniber Ransomware Vulnerability (CVE-2021-40444)

Magniber is a fileless ransomware that is distributed through an Internet Explorer vulnerability, and it is one of the ransomware families causing damage to a large number of Korean users. Because it is fileless, anti-malware programs have difficulty detecting it, and infection is hard to prevent unless the attack is detected and blocked in advance, at the stage where the vulnerability is exploited. Magniber ransomware had been distributed using the CVE-2021-26411 vulnerability since March 15th, 2021, but on September 16th it was discovered to have switched to the CVE-2021-40444 vulnerability. This is the latest vulnerability, with the MS security patch released on September 14th, so many users are at risk of infection. (The vulnerability was changed only in Windows 10 environments; CVE-2021-26411 is still used in the others.)

When the vulnerability is exploited, a file named calc.inf is created in the path shown below. The Magniber ransomware is then executed by control.exe, a legitimate Windows process.

  • 2021/09/16: %SystemDrive%:\Users\%UserName%\AppData\Local\Temp\Low\calc.inf
  • 2021/09/17: %SystemDrive%:\Users\%UserName%\AppData\Local\Temp\Low\winsta.inf

The figure below shows the iexplore.exe -> control.exe process chain and how the calc.inf file is run when the vulnerability is exploited.

Figure. Process structure at the time of vulnerability occurrence
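As an added example that is not part of the AhnLab report, the following Python check flags the process chain described above in process-creation telemetry and grades the match by how many of the report's indicators are present. The event field names, sample paths and user name are constructed assumptions; the file names (calc.inf, winsta.inf) and the Temp\Low path come from the report.

```python
import re
from dataclasses import dataclass

# Indicators taken from the report: the exploit fires inside Internet Explorer,
# the payload is an .inf dropped under ...\AppData\Local\Temp\Low\, and the
# ransomware is then executed by the legitimate control.exe.
KNOWN_INF_NAMES = {"calc.inf", "winsta.inf"}
TEMP_LOW_INF = re.compile(r"\\AppData\\Local\\Temp\\Low\\[^\\\s]+\.inf\b", re.I)

@dataclass
class ProcEvent:
    """The Sysmon Event ID 1 (process creation) fields this check needs."""
    parent_image: str
    image: str
    command_line: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Label one event, strongest signal first; None means nothing to report."""
    if basename(ev.image) != "control.exe":
        return None
    from_ie = basename(ev.parent_image) == "iexplore.exe"
    inf = TEMP_LOW_INF.search(ev.command_line)
    if from_ie and inf:
        known = basename(inf.group(0)) in KNOWN_INF_NAMES
        return "magniber-chain:" + ("known-inf-name" if known else "new-inf-name")
    if from_ie:
        return "ie-spawned-control.exe"  # weaker: no Temp\Low .inf on the command line
    if inf:
        return "control.exe-with-temp-low-inf"  # weaker: a different parent process
    return None

def scan(events):
    """Return (event index, label) for every event that warrants attention."""
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := classify(ev))]

# Constructed sample events (not from the report). The last one is a normal
# Control Panel launch from explorer.exe and must not be flagged.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CTL = r"C:\Windows\System32\control.exe"
SAMPLE_EVENTS = [
    ProcEvent(IE, CTL, CTL + r" C:\Users\alice\AppData\Local\Temp\Low\calc.inf"),
    ProcEvent(IE, CTL, CTL + r" C:\Users\alice\AppData\Local\Temp\Low\xyz.inf"),
    ProcEvent(IE, CTL, CTL + r" C:\Users\alice\Downloads\driver.inf"),
    ProcEvent(r"C:\Windows\explorer.exe", CTL, CTL),
]
```

The "new-inf-name" label is what catches a rename such as the calc.inf to winsta.inf change noted above, since it keys on the parent process and the Temp\Low path rather than the file name.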

The figure below shows that distribution of Magniber under the filename calc.inf began after 09:00 on September 16th, 2021, and that there are around 300 V3 detection logs for it.

Figure. Time of vulnerability change (September 16th)

V3 products respond to this change of vulnerability by blocking infection in advance through memory scanning and file detection, using the following aliases:

[V3 Detection]

  • Ransomware/Win.Magniber.C4633813 (File detection: calc.inf)
  • Exploit/JS.CVE-2021-40444.XM129 (Process memory scan)

[Manual Response Measure]

Configure Internet Explorer to stop installing ActiveX controls

(1) Copy the text below into Notepad and save it with a ".reg" extension

Windows Registry Editor Version 5.00

; Zones 0-3 are My Computer, Local intranet, Trusted sites and Internet.
; 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX
; controls"; the value 3 sets each option to Disable for the whole machine.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

(2) Run the saved .reg file, then reboot

[Vulnerability Target Systems]

  • Windows 8.1, RT 8.1
  • Windows 10: 1607, 1809, 1909, 2004, 20H2, 21H1
  • Windows Server 2008 SP2, 2008 R2 SP1
  • Windows Server 2012, 2012 R2
  • Windows Server 2016, 2019, 2022
  • Windows Server version 2004, 20H2
