Change in Magniber Ransomware (*.msi → *.cpl) – July 20th

Since February 2022, Magniber has been using a Windows installer package file (.msi) instead of IE browser vulnerability for its distribution.

Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)

The ransomware includes a valid certificate and was distributed as DLL form inside the MSI file. However, starting from July 20th (Wednesday), it is now being distributed as a CPL file extension instead of MSI.

As the cases of using an MSI file for distribution are decreasing, the attacker of Magniber likely has changed the method of distribution.

(July 19th, 2022) MS.Upgrade.Database.Cloud.msi
(July 20th, 2022) MS.Upgrade.Database.Cloud.cpl (Chrome)
(July 20th, 2022) MS.Upgrade.Database.Cloud.zip (Edge)

The CPL file is directly downloaded in Chrome. For Edge, it is distributed as a compressed zip file since downloading CPL files are blocked in the browser.

The attacker originally distributed the ransomware through .cpl files in Edge. Once the download was blocked, the file was quickly changed to .zip file for distribution.

When users open the downloaded [Magniber].cpl file, a Windows normal process named control.exe runs the cpl file using rundll32.exe.

Magniber is currently being distributed in a typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domains, extra caution is required.

AhnLab is currently responding to Magniber as shown in the following:

[File Detection]
Ransomware/Win.Magniber.C5211694 (2022.07.20.02)

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.