Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)
On the morning of February 22nd, the ASEC analysis team discovered that Magniber is being redistributed disguised as a normal Windows Installer package (MSI) instead of the Windows app package (APPX) used in the previous campaign. The distributed Magniber files carry the .msi extension and are disguised as Windows update files.
- Critical.Update.Win10.0-kb4215776.msi
- Critical.Update.Win10.0-kb6253668.msi
- Critical.Update.Win10.0-kb5946410.msi
MSI is the package format of the Windows Installer service and is also used for legitimate Windows updates. In this campaign the malware is distributed by embedding the Magniber ransomware DLL inside the MSI package.

Figure 1. Package that has fup6xl85 binary (DLL)
Windows Installer allows a package to call an export function of a DLL through its CustomAction table. The attacker abused this feature so that the Magniber export function is executed as soon as the MSI is run.
https://docs.microsoft.com/en-us/windows/win32/msi/custom-actions

Figure 2. Calling k7167475hu export function of fup6xl85 that is stated within CustomAction
Once the executed DLL has finished encrypting files, it drops an executable (PE file) that performs privilege escalation and deletes volume shadow copies into "C:\Users\Public" and runs it.
One thing to note is that the MSI file is signed with the same certificate that was used on the Windows app (APPX) files of the previous campaign.

Figure 3. Certificate information of Magniber
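The CustomAction lookup from Figure 2 and the certificate check from Figure 3 can both be reproduced on an analysis VM with the Windows Installer COM API. The script below is an added example for this post, not code from ASEC or AhnLab: it opens the MSI read-only (opening a database never runs its custom actions), lists every CustomAction row, flags rows whose type means "call a DLL export from a stream in the Binary table" (the technique used here), optionally writes those streams to disk with a .bin extension for further analysis, and prints the Authenticode signer. The type-bit meanings come from the Windows Installer SDK page linked above; the `-KnownBadThumbprint` parameter is an assumption, a value the analyst supplies from the earlier APPX samples, and is not stated in the post.

```powershell
# Added MSI triage example (not from the ASEC post). Usage:
#   .\Get-MsiTriage.ps1 -MsiPath .\sample.msi -ExtractTo .\streams -KnownBadThumbprint <hex>
param(
    [Parameter(Mandatory = $true)][string]$MsiPath,
    [string]$ExtractTo,                 # optional folder for the flagged Binary streams
    [string]$KnownBadThumbprint = ''    # assumption: thumbprint taken from the earlier APPX samples
)

# WindowsInstaller.Installer is late-bound, so every member call goes through InvokeMember.
$installer = New-Object -ComObject WindowsInstaller.Installer
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer,
        @((Resolve-Path $MsiPath).Path, 0))   # 0 = msiOpenDatabaseModeReadOnly; nothing is executed

function Get-Field($rec, [string]$prop, [int]$i) {
    # Read StringData / IntegerData / DataSize of field $i (fields are 1-based).
    $rec.GetType().InvokeMember($prop, 'GetProperty', $null, $rec, $i)
}

function Invoke-MsiQuery([string]$Sql) {
    # Yields one Record per row; yields nothing if the table does not exist.
    try { $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($Sql)) }
    catch { return }
    [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $rec
    }
    [void]$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
}

# Bits of CustomAction.Type that matter for triage (Windows Installer SDK):
#   0x07  base type: 1 = DLL, 2 = EXE, 5 = JScript, 6 = VBScript
#   0x30  source:    0x00 = Binary table, 0x10 = File table, 0x20 = Directory, 0x30 = Property
#   0x400 deferred, 0x800 no-impersonate (deferred + no-impersonate runs as LocalSystem)
$actions = foreach ($r in Invoke-MsiQuery 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`') {
    $t = [int](Get-Field $r 'IntegerData' 2)
    [pscustomobject]@{
        Action        = Get-Field $r 'StringData' 1
        Type          = $t
        DllFromBinary = (($t -band 0x37) -eq 0x01)  # DLL export called from an embedded stream
        Source        = Get-Field $r 'StringData' 3  # Binary table key (stream name) for such rows
        Target        = Get-Field $r 'StringData' 4  # export function name for DLL actions
        Deferred      = [bool]($t -band 0x400)
        NoImpersonate = [bool]($t -band 0x800)
    }
}
$actions | Format-Table -AutoSize

$flagged = @($actions | Where-Object DllFromBinary)
if ($flagged.Count -gt 0) {
    Write-Host 'DLL custom actions executed from the Binary table:'
    foreach ($a in $flagged) { Write-Host ('  {0} -> {1}!{2}' -f $a.Action, $a.Source, $a.Target) }

    if ($ExtractTo) {
        New-Item -ItemType Directory -Force -Path $ExtractTo | Out-Null
        $wanted = $flagged.Source | Sort-Object -Unique
        foreach ($r in Invoke-MsiQuery 'SELECT `Name`, `Data` FROM `Binary`') {
            $name = Get-Field $r 'StringData' 1
            if ($wanted -notcontains $name) { continue }
            $size = [int](Get-Field $r 'DataSize' 2)
            # ReadStream format 1 (msiReadStreamBytes) returns one character per byte.
            $data = $r.GetType().InvokeMember('ReadStream', 'InvokeMethod', $null, $r, @(2, $size, 1))
            $out  = Join-Path $ExtractTo ('{0}.bin' -f $name)   # .bin so it is not run by accident
            [System.IO.File]::WriteAllBytes($out, [byte[]][char[]]$data)
            Write-Host ('  extracted {0} ({1} bytes) -> {2}' -f $name, $size, $out)
        }
    }
}

# Authenticode signer of the package, to compare with the certificate seen on the APPX samples.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
Write-Host ('Signature status: {0}' -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ('Signer:     {0}' -f $sig.SignerCertificate.Subject)
    Write-Host ('Thumbprint: {0}' -f $sig.SignerCertificate.Thumbprint)
    if ($KnownBadThumbprint -and $sig.SignerCertificate.Thumbprint -eq $KnownBadThumbprint) {
        Write-Host 'Thumbprint matches the certificate from the earlier APPX samples.'
    }
}
```

Run it from an isolated analysis VM with the sample in a directory that is not on the execution path; the exported streams keep the .bin extension so that double-clicking one does nothing, and the export name printed after `!` is the function to look at first in a disassembler. A signer match on thumbprint ties the MSI sample to the earlier APPX campaign independently of the filenames.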
Magniber is currently being distributed through typosquatting, which exploits typos made when entering domain names, and it targets Chrome and Edge users running the latest version of Windows. Because a mistyped domain may lead to a ransomware download, extra caution is required. The attacker is also distributing Magniber to users of older Internet Explorer versions by reusing the CVE-2021-40444 vulnerability explained in previous blog posts, so users should refrain from visiting websites from unknown sources.
AhnLab is currently responding to Magniber as follows: