Posted By ,

Distribution of Magniber Ransomware Stops (Since February 5th)

The ASEC analysis team constantly monitors ‘malvertising’ which is a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising has stopped its distribution.

The malvertising distribution method of Magniber in Internet Explorer is to attempt at infecting the target by only accessing via a vulnerability, and in Chromium-based browsers (E.g. Edge, Chrome), it disguises itself as a browser update installer (.appx) and prompts the user to download it. The two distributions explained above have stopped since February 5th, 2022.

  • Magniber exploiting vulnerability of Internet Explorer
Change in Magniber Ransomware Vulnerability (CVE-2021-40444)
  • Magniber distributed disguised as update installer (.appx) for Chromium-based browsers
Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome

Figures 1 – 3 below are graphs of the number of distribution cases of the two methods above confirmed by AhnLab’s ASD (AhnLab Smart Defense) infrastructure. Around 500 – 600 cases were being distributed per day, but on February 5th, the number of distribution cases via Internet Explorer vulnerability was 0 (See Figure 1 and 2), and the distribution cases of Edge and Chrome are also falling to 0 (See Figure 3). No ransomware files were created since February 5th, thus it appears that the two methods have stopped their distributions at the same time.

Figure 1. Number of distribution cases of Magniber via Internet Explorer vulnerability (win 10)

Figure 2. Number of distribution cases of Magniber via Internet Explorer vulnerability (win 7)

Figure 3. Number of distribution cases of Magniber via Edge and Chrome browsers

This blog explained how Magniber which is distributed via malvertising has stopped its distribution. Magniber is ransomware that quickly adopts new vulnerabilities and quickly changes its method of distribution. The discontinuance of distribution may paradoxically be an indication of a change to a new vulnerability or a method of distribution, so consistent scanning is required.

[V3 Detection]

  • Exploit/MDP.CVE-2021-26411.M3751 (Behavior Detection)
  • Exploit/MDP.CVE-2021-40444.M3970 (Behavior Detection)
  • Exploit/JS.CVE-2021-40444.XM129 (Process Memory Detection)
  • Ransomware/Win.Magniber.XM135(File Detection)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments