Domains Used for Magniber Distribution in Korea

On November 7th, the ASEC analysis team introduced in a blog post the Magniber ransomware that attempted to bypass MOTW (Mark of the Web). Afterward, using the data left in the Zone.Identifier stream, we investigated the sources used to distribute Magniber. The distribution relies on typosquatting, which exploits typing mistakes: when a user accesses a mistyped domain, they are redirected to an advertisement page and the msi file (Magniber) is downloaded. Examining the Zone.Identifier created at this stage reveals the URL from which the file was downloaded, as shown below.

Figure 1. Zone.Identifier identified when Magniber was collected

Investigating the domains and IP addresses recorded there, we identified that about 215 IP addresses and 511 domains were used during October and November.
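The investigation described above starts from the Zone.Identifier alternate data stream that Windows attaches to downloaded files. The following is an added example, not AhnLab's own tooling: it parses the `[ZoneTransfer]` stream contents (ZoneId, ReferrerUrl, HostUrl), keeps only Internet-zone downloads, separates IP addresses from FQDNs, tallies them, and defangs them in the `[.]` notation used in the IOC list. The stream contents are constructed sample data; the host names and addresses reuse entries from the IOC list below, but the pairing of referrer, host and file path is illustrative, not observed telemetry.

```python
"""Aggregate download sources from NTFS Zone.Identifier (Mark of the Web) streams.

Added example, not AhnLab's code. On a real NTFS volume the stream is read with
open(path + ":Zone.Identifier"); here the contents are constructed inline.
"""
import configparser
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

URLZONE_INTERNET = 3  # ZoneId browsers write for files fetched from the Internet zone

# Constructed sample streams (not real telemetry). Hosts come from the IOC list;
# the referrer/host pairing and the file paths are assumptions for illustration.
SAMPLE_STREAMS = {
    "a.msi": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://askills.quest/\r\n"
             "HostUrl=http://192.161.184.100/msi/a.msi\r\n",
    "b.msi": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://betdate.uno/\r\n"
             "HostUrl=http://192.161.184.110/msi/b.msi\r\n",
    "c.msi": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://halldie.fit/\r\n"
             "HostUrl=http://192.161.184.100/msi/c.msi\r\n",
    # Some writers record only the zone, so there is no source URL to recover.
    "d.msi": "[ZoneTransfer]\r\nZoneId=3\r\n",
    # Intranet zone (ZoneId=1): not an Internet download, so it is skipped.
    "e.msi": "[ZoneTransfer]\r\nZoneId=1\r\nHostUrl=http://intranet/e.msi\r\n",
}


def parse_zone_identifier(text):
    """Return {'ZoneId', 'ReferrerUrl', 'HostUrl'} or None if not a ZoneTransfer stream."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep HostUrl / ReferrerUrl capitalisation
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # malformed stream (e.g. no section header)
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone = int(sec.get("ZoneId", ""))
    except ValueError:
        zone = None
    return {"ZoneId": zone,
            "ReferrerUrl": sec.get("ReferrerUrl"),
            "HostUrl": sec.get("HostUrl")}


def source_host(url):
    """Lower-cased host part of a URL, or None if the URL is missing or has no host."""
    if not url:
        return None
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def defang(host):
    """Write a host in the [.] notation used for IOC lists."""
    return host.replace(".", "[.]")


def aggregate_sources(streams):
    """Count FQDNs and IPs seen as download sources across Internet-zone streams.

    Both ReferrerUrl (the typosquat page that redirected) and HostUrl (where the
    msi was actually fetched from) are counted, since both are distribution
    infrastructure. Returns (fqdn_counter, ip_counter).
    """
    fqdns, ips = Counter(), Counter()
    for text in streams.values():
        info = parse_zone_identifier(text)
        if info is None or info["ZoneId"] != URLZONE_INTERNET:
            continue
        for key in ("ReferrerUrl", "HostUrl"):
            host = source_host(info[key])
            if host is None:
                continue
            (ips if is_ip(host) else fqdns)[host] += 1
    return fqdns, ips


if __name__ == "__main__":
    fqdns, ips = aggregate_sources(SAMPLE_STREAMS)
    print("FQDN")
    for host, n in fqdns.most_common():
        print(f"  {defang(host)}  ({n})")
    print("IP")
    for host, n in ips.most_common():
        print(f"  {defang(host)}  ({n})")
```

To feed real samples, read the stream of each collected file on NTFS with `open(r"C:\samples\x.msi:Zone.Identifier", encoding="utf-8", errors="replace")`, or list which files carry one with `dir /r` (cmd) or `Get-Item -Stream Zone.Identifier` (PowerShell). Note that files deliberately stripped of MOTW, as the earlier Magniber post discusses, will have no stream at all, which is itself a signal worth recording.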

Figure 2. IPs and domains used in the distribution of Magniber

Because a wide variety of domains is used in the ransomware's distribution, they are registered through multiple domain registrars. AhnLab currently blocks the identified IP addresses and URLs, and when the user enables the Block Harmful Websites option in V3 products, access to Magniber distribution sites is blocked.

Figure 3. Blocking Magniber distribution sites

Given the nature of IP addresses and domains, these resources may later be allocated to other, legitimate users; in that case, they can file a report through the AhnLab customer center so that appropriate measures can be taken.

FQDN

askills[.]quest
betdate[.]uno
csmoved[.]space
dofight[.]monster
halldie[.]fit

IP

192[.]161[.]184[.]100
192[.]161[.]184[.]110
192[.]161[.]184[.]121
192[.]161[.]184[.]122
192[.]161[.]184[.]86

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.