Change in Injection Method of Magniber Ransomware

The ASEC analysis team is constantly monitoring Magniber, which has a high number of distribution cases. For the past few years it was distributed through an IE (Internet Explorer) vulnerability, but it stopped exploiting that vulnerability after support for the browser ended. Recently, the ransomware has been distributed as a Windows installer package file (.msi) to Edge and Chrome users.

Magniber, now distributed as a Windows installer package file (.msi), has hundreds of distribution logs reported every day (see Figure 1).

Figure 1. Recent distribution cases of Magniber

When users visit inappropriate websites used for advertising, or websites that impersonate legitimate ones through look-alike domains (typosquatting), they are redirected to a webpage that serves msi files (see Figure 2). From that webpage, a Windows installer package file (.msi) disguised as an MS update file is downloaded (see Figure 3).

Figure 2. Webpage that distributes ransomware, redirected from websites for advertising or faking domains

Figure 3. Windows installer package file (.msi) downloaded from the website (Magniber)

Figure 4 shows the modified operation method of Magniber distributed through the msi file. Previously the ransomware ran inside msiexec.exe itself, but starting from early May it was changed to inject the ransomware into the user's normal processes.

Figure 4. Recent modified operation method of Magniber (normal process injection)

As shown in Figure 5, the msi file drops an injector DLL through the CustomAction feature of the Windows installer package (msi) and loads it to run the export function (udxleoyjaionwdbkwf).

Figure 5. DLL registered by CustomAction of the Windows installer package

Figure 6 displays the code of the export function (udxleoyjaionwdbkwf). The code runs a do-while loop that XOR-decodes the payload (see Figures 7 and 8) and injects the ransomware payload into normal processes that are currently running.

Figure 6. Export function (udxleoyjaionwdbkwf) of Injector DLL

Figure 7. Decoded main function (for injecting payload into normal processes)

Figure 8. Inject_Ransomware function

After being injected into a normal process through the method described above, Magniber starts encrypting files. It then creates a ransom note demanding payment in each encrypted folder (see Figure 9).

Figure 9. Ransom note of Magniber

Magniber is currently being distributed through typosquatting, which exploits typos made when entering domains, and targets Chrome and Edge users on the latest Windows version. Because users may download the ransomware simply by mistyping a domain, extra caution is required.
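Because the delivery vector is a mistyped domain, one defensive check is to compare each newly seen domain against a list of domains the organisation trusts and flag near misses before a user reaches the download page. The following is an added example written for this post, not code from ASEC or AhnLab; the trusted-domain list is constructed, and it uses optimal string alignment distance (Levenshtein plus adjacent transposition) because swapped or dropped letters are the typical typos typosquatters register.

```python
# Flag domains that are a one-typo variant of a trusted domain.
# Added example; the TRUSTED_DOMAINS list below is constructed, not from the post.

TRUSTED_DOMAINS = [
    "examplebank.com",      # constructed placeholder for a legitimate site
    "mymailservice.net",    # constructed placeholder for a legitimate site
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and swapping two adjacent characters also costs 1 (plain Levenshtein
    would charge 2 for a swap, under-scoring the most common typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_candidates(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domains that `domain` is a near miss of.
    An exact match is not a typosquat and is excluded."""
    domain = domain.lower().rstrip(".")
    hits = []
    for good in trusted:
        dist = osa_distance(domain, good.lower())
        if 0 < dist <= max_distance:
            hits.append(good)
    return hits


if __name__ == "__main__":
    # Constructed requests: a transposition, a dropped letter, and an unrelated site.
    for requested in ["exmaplebank.com", "examplebnk.com", "unrelated.org"]:
        print(requested, "->", typosquat_candidates(requested))
```

A proxy or DNS resolver can block or warn on any hit; raising `max_distance` catches more variants but also more legitimate short domains, so in practice the comparison is best restricted to the registrable label and combined with an allowlist of known-good neighbours.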

AhnLab is currently responding to Magniber as follows:

[DLL Creation Path]
– C:\Windows\Installer\MSI[random 4 characters].tmp

[DLL File Detection]
– Ransomware/Win.Magniber (2022.07.01.00)

[msi File Detection]
– Ransomware/MSI.Magniber (2022.07.01.00)

[Privilege Escalation Behavior Detection]
– Escalation/MDP.Magniber.M4217 (2022.02.25.03)
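The behaviour chain described above (msiexec.exe loading a CustomAction DLL dropped at C:\Windows\Installer\MSI[random 4 characters].tmp, which then injects into a running process) can be turned into a host-based correlation rule. The following is an added example written for this post, not ASEC's or AhnLab's detection logic; the events are constructed in a Sysmon-like shape (ImageLoad and CreateRemoteThread), and the assumption that the injection shows up as a cross-process thread-creation event is mine, since the post does not describe the injection API used.

```python
# Correlate msiexec.exe loading an installer temp DLL with a later
# cross-process thread creation from the same msiexec.exe process.
# Added example; SAMPLE_EVENTS is constructed telemetry, not real logs.
import re

# Matches the DLL creation path given in the post: C:\Windows\Installer\MSI????.tmp
MSI_TMP_DLL = re.compile(r"^C:\\Windows\\Installer\\MSI[0-9A-Za-z]{4}\.tmp$", re.IGNORECASE)

SAMPLE_EVENTS = [
    # Legitimate: msiexec loads the Windows Installer runtime library.
    {"event": "ImageLoad", "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\System32\msi.dll"},
    # Suspicious but common: msiexec loads a CustomAction DLL from the temp path.
    {"event": "ImageLoad", "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\Installer\MSIA1B2.tmp"},
    # High confidence: the same msiexec then creates a thread in another process.
    {"event": "CreateRemoteThread", "src_pid": 4120, "src_image": r"C:\Windows\System32\msiexec.exe",
     "dst_pid": 2288, "dst_image": r"C:\Windows\System32\notepad.exe"},
    # Another installer that loads a CustomAction DLL but never injects.
    {"event": "ImageLoad", "pid": 5001, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\Installer\MSI77C0.tmp"},
    # Remote thread from a process that never loaded a temp DLL: not this rule's business.
    {"event": "CreateRemoteThread", "src_pid": 31, "src_image": r"C:\Windows\System32\csrss.exe",
     "dst_pid": 2288, "dst_image": r"C:\Windows\System32\notepad.exe"},
]


def is_msiexec(image_path: str) -> bool:
    return image_path.lower().endswith("\\msiexec.exe")


def detect_msi_injection(events):
    """Return a list of alerts. A temp-DLL load alone is LOW severity because
    benign installers use CustomAction DLLs too; the same PID later creating a
    remote thread is the HIGH severity signal described in the post."""
    temp_dll_by_pid = {}   # msiexec pid -> temp DLL path it loaded
    alerts = []
    for ev in events:
        if (ev["event"] == "ImageLoad" and is_msiexec(ev["image"])
                and MSI_TMP_DLL.match(ev["loaded"])):
            temp_dll_by_pid[ev["pid"]] = ev["loaded"]
            alerts.append({"severity": "low", "pid": ev["pid"],
                           "reason": "msiexec loaded installer temp DLL " + ev["loaded"]})
        elif ev["event"] == "CreateRemoteThread" and ev["src_pid"] in temp_dll_by_pid:
            alerts.append({"severity": "high", "pid": ev["src_pid"], "target_pid": ev["dst_pid"],
                           "reason": "msiexec that loaded %s created a thread in %s"
                                     % (temp_dll_by_pid[ev["src_pid"]], ev["dst_image"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_msi_injection(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["reason"])
```

The rule keys on the parent process identity rather than the random DLL name, so it survives the four-character suffix changing per install; the cost is that the low-severity event fires for every legitimate CustomAction DLL, which is why it is only a correlation seed and not an alert on its own.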

[msi MD5]

[Injector dll MD5]

Categories: Malware Information
