Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames


On December 9th, 2022, the ASEC analysis team discovered that Magniber ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed under COVID-19 related filenames in addition to the security update related filenames it used previously.

C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi

Table 1. COVID-19 related filenames in circulation

In the past, Magniber exploited vulnerabilities in Internet Explorer to infect user PCs through drive-by downloads, which only required the user to visit a web page. However, after Microsoft ended support for Internet Explorer, Magniber's operator gave up on exploiting vulnerabilities in newer browsers and instead switched to social engineering, leading users to execute the files themselves, distributing the ransomware solely under security update or COVID-19 related filenames.

This does not apply only to Magniber. The threat actor who used to distribute GandCrab and BlueCrab, and now distributes LockBit 3.0, also changed the initial access vector (MITRE ATT&CK ID: TA0001) from exploiting vulnerabilities to having users execute the file themselves through social engineering. In other words, luring users into running the ransomware is easier than putting in the effort to attack supply chains or exploit vulnerabilities.

As covered in previous posts, Magniber is downloaded as an .msi file from the Chrome browser and as a .zip file from the Edge browser. However, no warning prompt is shown for executing these files from external sources, and Magniber runs immediately when clicked. Users must therefore be careful about visiting untrusted websites.

Related post: Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)

COVID.Warning.Readme.[random value]
MS.Update.Center.Security.KB[random value]
SYSTEM.Antivirus.Hotfix.[random value]
ERROR.Software.Log.Hotfix.[random value]

Table 2. Some of the filenames used in the distribution of Magniber

As can be seen in the filenames listed above, the threat actor uses security-related or socially trending terms to lead users into executing the ransomware. To recap, users must refrain from visiting untrusted websites and must not execute files that were downloaded without their knowledge.
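As an added defender-side example (not code from the ASEC post), the check below flags files in a user's Downloads folder whose names match the lure patterns from Table 2, and cross-references the 32-character hex tag seen in the Table 1 filenames against the sample MD5s listed at the end of this post. The exact shape of the "[random value]" part is an assumption based on the Table 1 samples, and the sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Lure filename patterns from Table 2. The "[random value]" part is assumed
# to be a hex/alphanumeric tag, as in the Table 1 samples (assumption).
LURE_PATTERNS = [
    re.compile(r"^COVID\.Warning\.Readme\.(?P<tag>[0-9a-f]{32})$", re.I),
    re.compile(r"^MS\.Update\.Center\.Security\.KB(?P<tag>[0-9a-z]+)$", re.I),
    re.compile(r"^SYSTEM\.Antivirus\.Hotfix\.(?P<tag>[0-9a-z]+)$", re.I),
    re.compile(r"^ERROR\.Software\.Log\.Hotfix\.(?P<tag>[0-9a-z]+)$", re.I),
]

# Delivery formats named in the post: .msi via Chrome, .zip via Edge.
DROP_EXTENSIONS = {".msi", ".zip"}

# Sample MD5s published in this post (they also appear as the tag in Table 1).
KNOWN_MD5 = {
    "2f4a204180a70de60e674426ee79673f",
    "502ef18830aa097b6dd414d3c3edd5fb",
    "a179a9245f8e13f41d799e775b71fdff",
}


def classify_download(path):
    """Return a finding dict if the path looks like a Magniber lure, else None."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in DROP_EXTENSIONS:
        return None
    # p.stem strips only the last suffix, so dotted lure names stay intact.
    for pattern in LURE_PATTERNS:
        match = pattern.match(p.stem)
        if match:
            tag = match.group("tag").lower()
            return {
                "path": path,
                "pattern": pattern.pattern,
                "tag": tag,
                # True when the embedded tag equals a published sample hash.
                "known_sample": tag in KNOWN_MD5,
            }
    return None


def scan_paths(paths):
    """Run classify_download over an iterable of paths and keep the hits."""
    return [hit for hit in map(classify_download, paths) if hit]


# Constructed sample listing: three paths from Table 1, one hypothetical
# Edge-style .zip lure, and one benign installer that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi",
    r"C:\Users\alice\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msi",
    r"C:\Users\alice\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi",
    r"C:\Users\alice\Downloads\MS.Update.Center.Security.KB5021089.zip",
    r"C:\Users\alice\Downloads\7z2201-x64.msi",
]

if __name__ == "__main__":
    for hit in scan_paths(SAMPLE_PATHS):
        print(hit["path"], "known_sample=%s" % hit["known_sample"])
```

In practice the same check can be run over Sysmon FileCreate (Event ID 11) or browser download history paths rather than a static list.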

[File Detection]

  • Ransomware/Win.Magniber.R541176 (2022.12.12.02)


MD5

2f4a204180a70de60e674426ee79673f
502ef18830aa097b6dd414d3c3edd5fb
a179a9245f8e13f41d799e775b71fdff