Posted By ,

Domains Used for Magniber Distribution in Korea

On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution of Magniber.

With the typosquatting method—which exploits typos—when the user accesses the wrongly entered domain, the msi file (Magniber) is downloaded after redirecting to an advertisement page. Examination of Zone.Identifier created at this stage reveals the URL from where the file was downloaded from, as shown below.

Figure 1. Zone.Identifier identified when Magniber was collected

Upon investigating the domains and IPs based on this, we identified that about 215 IP addresses and 511 domains were used during October and November.

Figure 2. IPs and domains used in the distribution of Magniber

As a wide variety of domains is used in the ransomware’s distribution, they are registered and used through multiple domain registration companies.
Currently, AhnLab blocks the identified IP addresses and URLs, and when the user activates the Block Harmful Websites option in V3 products, any access to Magniber distribution sites is blocked.

Figure 3. Blocking Magniber distribution sites

The nature of IP addresses and domains leaves the possibility of other normal users being allocated these resources and using them, in which case they can file a report through the AhnLab customer center for appropriate measures to be taken.

[IOC]
IP / Domain
45.82.87.54 hidwant.quest
45.82.86.103 betdate.uno
192.161.184.122 halldie.fit
192.161.184.121 putdear.email
45.82.86.93 lowroll.uno
45.82.86.107 lossend.casa
209.94.59.32 putdear.email
45.82.86.93 losthow.monster
192.161.184.121 perwish.email
209.94.59.32 perwish.email
192.161.184.110 owered.space
192.161.184.110 longate.monster
192.161.184.122 dofight.monster
45.82.86.97 askills.quest
192.161.184.86 logharm.space
192.161.184.100 spitecs.com
192.161.184.86 csmoved.space
and etc.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

0 0 votes
Article Rating
Subscribe
Notify of
guest

2 Comments
Inline Feedbacks
View all comments
trackback
Redistribution of Magniber Ransomware in Korea (January 28th) - ASEC BLOG
7 months ago

[…] Domains Used for Magniber Distribution in Korea […]

0
Reply
trackback
Redistribution of Magniber Ransomware in Korea (January 28th) - Ciberdefensa
7 months ago

[…] Domains Used for Magniber Distribution in Korea […]

0
Reply