Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted.
Recently, the creator of Magniber undertook various attempts to evade antivirus detection via injections, change in file extensions, and UAC bypassing technique. With the ASEC analysis team’s continuous responsive measures including file, memory, and AMSI diagnosis, Magniber’s file distribution method was fixed to the MSI extension format since October.
Following such changes in Magniber’s distribution method, the ASEC analysis team added various diagnoses including Ransomware/Win.Magniber.XG20 and Ransomware/Win.Magniber.XG21, whose main purposes are detecting Magniber with the MSI file format. As a result of our active response, we discovered that the distribution of Magniber ransomware has stopped as of November 29th.
Figure 1 below shows the trend change of Magniber’s distribution volume following the addition of Ransomware/Win.Magniber.XG20 and Ransomware/Win.Magniber.XG21 diagnoses. After the Ransomware/Win.Magniber.XG20 diagnosis was added, we detected that Magniber had ceased its propagation temporarily for about one day on November 15th, 2022. As for the Ransomware/Win.Magniber.XG21 diagnosis, we identified that Magniber had stopped its propagation temporarily for about one day on November 22nd, 2022, which was the date the diagnosis became active. Afterward, distribution restarted for approximately one week, but from November 29th, 2022 onward, the distribution of the MSI type Magniber stopped and has not been detected for about one week now.
In this post, we focused on covering Magniber’s cessation of distribution and the ASEC analysis team’s response process. Magniber is a ransomware that is distributed with various antivirus evasion techniques and also has a rapidly evolving method of distribution. As this halt in distribution could actually be an indication that a change may occur in the distribution method or that it may return with a new antivirus evasion technique, continuous monitoring is necessary.
[File Detection]
- Ransomware/Win.Magniber.XG20 (2022.11.08.03)
- Ransomware/Win.Magniber.XG21 (2022.11.22.00)
[Behavior Detection]
- Ransom/MDP.Edit.M1947
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information