Change in Magniber Ransomware (*.cpl → *.jse) – September 8th

After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it has been monitored to show decreased distribution activity as of mid-August. While continuously monitoring for changes, the ASEC analysis team found that the distribution format of Magniber has changed from *.CPL (DLL type) to *.JSE (script) format starting from September 8th, 2022. As Magniber is one of the most damaging ransomware to Korean users and is employing various methods to bypass anti-malware detection besides being actively distributed, users are advised to take particular caution. (Reference: https://asec.ahnlab.com/en/37012/)

As you can see from the figure above, the cases of using CPL files for distribution are decreasing. The attacker of Magniber likely changed the method of distribution from distributing CPL files to JSE files. The downloaded file format is different for Chrome and Edge. Inside the ZIP file downloaded from the Edge browser is the same JSE type file as the one in the downloaded file from Chrome.

• (September 7th, 2022) system_update_win10.****************.cpl
• (September 8th, 2022) Antivirus_Upgrade_Cloud.****************.jse (Chrome)
• (September 8th, 2022) Antivirus_Upgrade_Cloud.****************.jse (Edge)

The difference is thought to prevent the security policies of each browser from preventing the download.

Magniber is currently being distributed in a typosquatting method that exploits typos made when entering URLs, targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domains, extra caution is required.

AhnLab is currently responding to Magniber as shown in the following:

[IOC]
[File Detection]
– Ransomware/JS.Magniber (2022.09.08.02)

[MD5]
– f63468170387166b6631bf0c851bd356

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.