Change in Magniber Ransomware (*.js → *.wsf) – September 28th

The ASEC analysis team explained in a blog post on September 8th that the Magniber ransomware had changed its file extension from CPL to JSE.

Change in Magniber Ransomware (*.cpl → *.jse) – September 8th

The attacker made another change after September 8th, switching the file extension from JSE to JS on September 16th. On September 28th, the distribution method changed once again, this time from JS to WSF. The attacker appears to be continuously distributing variants to bypass various detection methods, including anti-malware products such as V3.

*.MSI (Feb 22, 2022) → *.CPL (Jul 20, 2022) → *.JSE (Sep 08, 2022) → *.JS (Sep 16, 2022) → *.WSF (Sep 28, 2022)

The newly changed WSF file is distributed as a single WSF file for both Chrome and Edge browsers (see Figures 1 and 2).

Magniber is distributed via typosquatting, which exploits typos made when entering domain names, and mainly targets Chrome and Edge users. Since users may download the ransomware simply by mistyping a domain, extra caution is required.

Currently, AhnLab responds to the Magniber ransomware not only with file detection but also with various other detection methods. Users are therefore recommended to enable the Process Memory Scan and Malicious Script Detection (AMSI) options under [V3 Preferences] – [PC Scan Settings].

[IOC]
[MD5 (Alias)] – WSF Script File Detection
– 326cd431aa11014dd61a7a22b5038fb8 (Ransomware/WSF.Magniber (2022.09.28.02))

[Process Memory Detection]
– Ransomware/Win.Magniber.XM153 (2022.09.15.03)

[MD5 (Alias)] – AMSI Detection (.NET DLL)
– e59d7d6db1fcc8dfa57c244ebffc6de7 (Ransomware/Win.Magniber.R519329 (2022.09.15.02))


MD5

e59d7d6db1fcc8dfa57c244ebffc6de7
f75c520810b136867a66b1c24f610a5b
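As an added example (this is not ASEC's or AhnLab's code), the script below checks files against the MD5 hashes listed in the IOC section above and flags the Windows Script Host extensions the campaign has cycled through (.jse, .js, .wsf), with a simple structural check for WSF content (a WSF file is an XML document whose <job> element wraps one or more <script> elements). The Downloads directory default, the function names and the sample bytes in the usage block are assumptions made for illustration.

```python
"""Added example, not code from the ASEC post: match files against the
Magniber IOC hashes in this post and flag script-host extensions."""
import hashlib
import os
import sys
from pathlib import Path

# MD5 hashes published in the IOC section of this post.
MAGNIBER_MD5 = {
    "326cd431aa11014dd61a7a22b5038fb8": "Ransomware/WSF.Magniber (2022.09.28.02)",
    "e59d7d6db1fcc8dfa57c244ebffc6de7": "Ransomware/Win.Magniber.R519329 (2022.09.15.02)",
    "f75c520810b136867a66b1c24f610a5b": "Magniber (listed without alias)",
}

# Windows Script Host extensions used in the delivery chain (timeline above).
SCRIPT_HOST_EXTS = {".jse", ".js", ".wsf"}
# All extensions the campaign has used so far, including the earlier MSI/CPL stages.
CAMPAIGN_EXTS = SCRIPT_HOST_EXTS | {".msi", ".cpl"}


def md5_hex(data: bytes) -> str:
    """MD5 of in-memory bytes (the IOC list is MD5-based)."""
    return hashlib.md5(data).hexdigest()


def looks_like_wsf(data: bytes) -> bool:
    """Cheap structural check: a WSF job file contains <job> and <script> tags."""
    head = data[:4096].lower()
    return b"<job" in head and b"<script" in head


def assess_content(name: str, data: bytes) -> dict:
    """Classify a file by name and content; returns a verdict dictionary."""
    ext = Path(name).suffix.lower()
    digest = md5_hex(data)
    return {
        "path": name,
        "md5": digest,
        "ext": ext,
        "ioc_match": MAGNIBER_MD5.get(digest),   # alias string or None
        "script_host_ext": ext in SCRIPT_HOST_EXTS,
        "campaign_ext": ext in CAMPAIGN_EXTS,
        "wsf_structure": looks_like_wsf(data),
    }


def assess_file(path: str) -> dict:
    with open(path, "rb") as f:
        return assess_content(path, f.read())


def is_suspicious(verdict: dict) -> bool:
    """Anything that hashes to an IOC, uses a campaign extension, or is WSF-shaped."""
    return bool(verdict["ioc_match"] or verdict["campaign_ext"] or verdict["wsf_structure"])


def scan_directory(directory: str) -> list:
    """Walk a directory (e.g. a browser download folder) and return suspicious verdicts."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            try:
                verdict = assess_file(os.path.join(root, name))
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if is_suspicious(verdict):
                hits.append(verdict)
    return hits


if __name__ == "__main__":
    # Assumed default: the current user's Downloads folder; override with argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / "Downloads")
    for hit in scan_directory(target):
        tag = hit["ioc_match"] or ("script-host extension" if hit["script_host_ext"] else "campaign extension")
        print(f"{hit['path']}  md5={hit['md5']}  [{tag}]")
```

A hash match is a confirmed IOC hit; an extension or structure flag is only a triage signal, since legitimate .js and .wsf files exist, and the campaign has already changed extensions four times, so the hash list is the part of this check that stays reliable.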

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.