Posted By ,

Change in Magniber Ransomware (*.msi → *.cpl) – July 20th

Since February 2022, Magniber has been using a Windows installer package file (.msi) instead of IE browser vulnerability for its distribution.

Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)

The ransomware includes a valid certificate and was distributed as DLL form inside the MSI file. However, starting from July 20th (Wednesday), it is now being distributed as a CPL file extension instead of MSI.

Figure 1. Previous distribution cases of the MSI file

As the cases of using an MSI file for distribution are decreasing, the attacker of Magniber likely has changed the method of distribution.

(July 19th, 2022) MS.Upgrade.Database.Cloud.msi
(July 20th, 2022) MS.Upgrade.Database.Cloud.cpl (Chrome)
(July 20th, 2022) MS.Upgrade.Database.Cloud.zip (Edge)

Figure 2. A webpage that distributes ransomware, redirected from websites for advertising or faking domains (Chrome)

The CPL file is directly downloaded in Chrome. For Edge, it is distributed as a compressed zip file since downloading CPL files are blocked in the browser.

Figure 3. Downloading .cpl file is blocked in Edge

Figure 4. A webpage that distributes ransomware, redirected from websites for advertising or faking domains (Edge)

The attacker originally distributed the ransomware through .cpl files in Edge. Once the download was blocked, the file was quickly changed to .zip file for distribution.

Figure 5. Windows Control Panel file (.cpl) downloaded from a webpage that distributes Magniber

Figure 6. Process tree of Magniber being downloaded through Chrome

When users open the downloaded [Magniber].cpl file, a Windows normal process named control.exe runs the cpl file using rundll32.exe.

Figure 7. Ransom note of Magniber

Magniber is currently being distributed in a typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domains, extra caution is required.

AhnLab is currently responding to Magniber as shown in the following:

[IOC]
[File Detection]
Ransomware/Win.Magniber.C5211694 (2022.07.20.02)

[.cpl MD5]
C49DD67AFB59A85FBCBC77C412338255

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
Subscribe
Notify of
guest

2 Comments
Inline Feedbacks
View all comments
trackback
Change in Magniber Ransomware (*.cpl → *.jse) – September 8th - ASEC BLOG
1 year ago

[…] After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it has been monitored to show decreased distribution activity as of mid-August. While continuously monitoring for changes, the ASEC analysis team found that the distribution format of Magniber has changed from *.CPL (DLL type) to *.JSE (script) format starting from September 8th, 2022. As Magniber is one of the most damaging ransomware to Korean users and is employing various methods to bypass anti-malware detection besides being actively distributed, users are advised to take particular caution. (Reference: https://asec.ahnlab.com/en/37012/) […]

0
Reply
trackback
Rapidly Evolving Magniber Ransomware - ASEC BLOG
11 months ago

[…] Change in Magniber Ransomware (*.msi → *.cpl) – July 20th Figure 3. Magniber ransomware (distributed on July 20th, 2022) […]

0
Reply