The ASEC analysis team continuously monitors Magniber, which accounts for a high number of distribution cases. For the past few years it was distributed through an Internet Explorer (IE) vulnerability, but the attackers stopped exploiting that vulnerability after support for the browser ended. Recently, the ransomware has been distributed as a Windows Installer package file (.msi) to Edge and Chrome users.
Magniber, distributed as a Windows Installer package file (.msi), generates hundreds of distribution logs every day (see Figure 1).
When users visit inappropriate websites used for advertising, or websites that impersonate legitimate ones with look-alike domains (typosquatting), they are redirected to a web page that downloads an msi file (see Figure 2). The page serves a Windows Installer package file (.msi) disguised as a Microsoft update file (see Figure 3).
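The typosquatting described above relies on a victim landing one keystroke away from a legitimate domain. The following is an added example (not code from the ASEC post or from AhnLab) of the check a defender can run over hostnames from DNS or proxy logs: it flags any hostname within one edit (insertion, deletion, substitution or adjacent-character swap) of a watched domain. The watchlist and the sample hostnames are constructed for the example; they are not domains from the report.

```python
"""Typosquat check for hostnames seen in DNS or proxy logs (added example)."""
from typing import Optional, Sequence

# Constructed watchlist of legitimate domains; not domains from the report.
WATCHLIST = ("google.com", "microsoft.com", "youtube.com")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_typosquat(host: str, watchlist: Sequence[str] = WATCHLIST,
                 max_distance: int = 1) -> Optional[str]:
    """Return the watched domain that `host` imitates, or None.

    An exact match is the legitimate domain itself and is not reported.
    """
    host = normalize_host(host)
    best = None
    for brand in watchlist:
        brand_n = normalize_host(brand)
        if host == brand_n:
            return None
        dist = osa_distance(host, brand_n)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, brand)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a DNS log.
    for h in ("gogole.com", "goggle.com", "microsoft.com", "example.net", "micr0soft.com"):
        print(h, "->", is_typosquat(h))
```

Edit distance alone will also match a brand's own legitimate sibling domains (a regional TLD, for instance), so in practice pair the check with an allowlist of known-good variants and feed only unknown hostnames into it.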
Figure 4 shows the modified operation of Magniber distributed through the msi file. The ransomware previously ran inside msiexec.exe, but starting in early May it was changed to inject the ransomware into the user's normal, already running processes.
As shown in Figure 5, the msi file drops an injector DLL through the CustomAction feature of the Windows Installer package (msi) and loads it to run its export function (udxleoyjaionwdbkwf).
Figure 6 shows the code of the export function (udxleoyjaionwdbkwf). The code decodes (XORs) the ransomware payload in a do-while loop (see Figures 7 and 8) and injects the decoded payload into normal processes that are currently running.
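When the payload is XOR-encoded inside the injector, an analyst usually wants the decoded PE without stepping through the loop in a debugger. The following is an added example (not code from the ASEC post, and not Magniber's own decode routine): it assumes a single-byte XOR key, brute-forces all 256 candidates, and accepts the one whose output has an MZ header whose e_lfanew field points at the "PE\0\0" signature, which is a much stronger check than looking for "MZ" alone. The sample blob is a constructed minimal header encoded with a constructed key, not a real Magniber payload.

```python
"""Recover a single-byte-XOR-encoded PE from a dropper's data blob (added example)."""
from typing import Optional


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte with `key`. A single-byte key is an assumption of this
    example; the report only states that the loop is XOR-based."""
    return bytes(b ^ key for b in blob)


def find_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the one yielding a valid PE header.
    Only the first 0x1000 bytes are decoded per candidate, which is enough to
    reach e_lfanew for any sane DOS stub."""
    head = blob[:0x1000]
    for key in range(256):
        if looks_like_pe(xor_decode(head, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header (not a real binary), used as sample input."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")           # e_lfanew -> offset 0x40
    nt = b"PE\x00\x00" + (0x14C).to_bytes(2, "little") + bytes(0x3E)  # Machine=i386, rest zeroed
    return bytes(dos) + nt


SAMPLE_KEY = 0x5A                                          # constructed key
ENCODED_BLOB = xor_decode(build_fake_pe(), SAMPLE_KEY)     # XOR is its own inverse


if __name__ == "__main__":
    key = find_xor_key(ENCODED_BLOB)
    print("recovered key:", None if key is None else hex(key))
    if key is not None:
        print("decoded header starts with:", xor_decode(ENCODED_BLOB, key)[:2])
```

If no key validates, the payload is most likely using a multi-byte or rolling key; in that case the known DOS stub bytes ("MZ", the "This program cannot be run in DOS mode" string) give enough known plaintext to recover a repeating key of modest length, but that is a different routine than the one above.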
Once it has been injected into a normal process by the method described above, Magniber starts encrypting files. It then creates a ransom note demanding payment in each encrypted folder path (see Figure 9).
Magniber is currently distributed through typosquatting, which exploits typos made when users enter domain names, and targets Chrome and Edge users on the latest Windows version. Because entering an incorrect domain can be enough to download the ransomware, extra caution is required.
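Because the injector DLL is loaded by msiexec.exe through a custom action and then injects into other running processes, the behaviour to hunt for is the pair of events, not the DLL load alone (legitimate installers also run DLL custom actions). The following is an added example (not code from the ASEC post or from AhnLab's products) of that correlation over endpoint telemetry. It uses the DLL creation path given later in this post (C:\Windows\Installer\MSI[random 4 characters].tmp); the event records are constructed and simplified, loosely modelled on image-load and remote-thread telemetry, and treating a remote-thread creation as the injection indicator is an assumption, since the post does not name the injection API used.

```python
"""Correlate an MSI custom-action DLL load with subsequent injection (added example)."""
import re
from typing import Dict, List

# Path pattern from the report: C:\Windows\Installer\MSI[random 4 characters].tmp
MSI_TMP_DLL = re.compile(r"^[a-z]:\\windows\\installer\\msi.{4}\.tmp$", re.IGNORECASE)

# Constructed sample events (not real telemetry). ts is in seconds.
EVENTS: List[Dict] = [
    {"ts": 100, "type": "image_load", "pid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\Installer\MSI7F3A.tmp"},
    {"ts": 103, "type": "remote_thread", "pid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "target_pid": 2280, "target_image": r"C:\Windows\explorer.exe"},
    # A benign installer also runs a DLL custom action but injects nothing.
    {"ts": 250, "type": "image_load", "pid": 5010,
     "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\Installer\MSI11C2.tmp"},
    # Remote thread with no preceding MSI*.tmp load in that process.
    {"ts": 300, "type": "remote_thread", "pid": 6100,
     "image": r"C:\Windows\System32\svchost.exe",
     "target_pid": 2280, "target_image": r"C:\Windows\explorer.exe"},
]


def detect_msi_injection(events: List[Dict], window: float = 120.0) -> List[Dict]:
    """Alert when a process loads an MSI[xxxx].tmp DLL and, within `window`
    seconds afterwards, creates a thread in another process."""
    loads: Dict[int, List[Dict]] = {}   # pid -> MSI*.tmp image loads seen so far
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "image_load" and MSI_TMP_DLL.match(ev["loaded"]):
            loads.setdefault(ev["pid"], []).append(ev)
        elif ev["type"] == "remote_thread" and ev["pid"] in loads:
            recent = [l for l in loads[ev["pid"]] if 0 <= ev["ts"] - l["ts"] <= window]
            if recent:
                alerts.append({
                    "pid": ev["pid"], "image": ev["image"],
                    "dll": recent[-1]["loaded"],
                    "target_pid": ev["target_pid"], "target_image": ev["target_image"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_msi_injection(EVENTS):
        print(f"[ALERT] pid {a['pid']} ({a['image']}) loaded {a['dll']} then created a "
              f"thread in pid {a['target_pid']} ({a['target_image']})")
```

The correlation keys on the process ID, so on a busy host add the process GUID or start time to the key to avoid pid reuse joining unrelated events, and keep the window short: in the report's flow the injection follows the custom action directly.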
AhnLab currently responds to Magniber as follows:
[DLL Creation Path]
– C:\Windows\Installer\MSI[random 4 characters].tmp
[DLL File Detection]
– Ransomware/Win.Magniber (2022.07.01.00)
[msi File Detection]
– Ransomware/MSI.Magniber (2022.07.01.00)
[Privilege Escalation Behavior Detection]
– Escalation/MDP.Magniber.M4217 (2022.02.25.03)
[Injector dll MD5]