Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames

On December 9th, 2022, the ASEC analysis team discovered that Magniber ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames in addition to the security-update-related filenames it had used previously.

C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi
Table 1. COVID-19 related filenames in circulation

In the past, Magniber exploited an Internet Explorer vulnerability to infect user PCs via drive-by download, which only required the user to visit a web page. However, after Microsoft ended support for Internet Explorer, Magniber's operator gave up on exploiting vulnerabilities in newer browsers and instead turned to social engineering, leading users to execute the files themselves, distributing the ransomware only under security update or COVID-19 related filenames.

This does not apply only to Magniber: the threat actor who used to distribute GandCrab and BlueCrab, and now distributes LockBit 3.0, has also changed the initial infection vector (MITRE ATT&CK ID: TA0001) from exploiting vulnerabilities to having users execute the file themselves through social engineering. In other words, it is easier to lure users into executing the ransomware than to put in the effort of attacking supply chains or exploiting vulnerabilities.

Figure 1. Magniber’s .msi file being distributed again

As covered in previous posts, Magniber is downloaded as an .msi file from the Chrome browser and as a .zip file from the Edge browser. Because there is no warning prompt when executing files obtained from external sources, Magniber runs immediately once the file is clicked. Users must therefore be careful about visiting untrusted websites.

Figure 2. The changed desktop after being infected with Magniber

COVID.Warning.Readme.[random value]
MS.Update.Center.Security.KB[random value]
SYSTEM.Antivirus.Hotfix.[random value]
ERROR.Software.Log.Hotfix.[random value]
Table 2. Some of the filenames used in the distribution of Magniber

As the filenames listed above show, the threat actor uses security-related or socially trending terms to lure users into executing the ransomware. To recap, users must refrain from visiting untrusted websites and must not execute files that were downloaded without their knowledge.
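The lure filename patterns from Tables 1 and 2 can be turned into a simple detection check over download paths. The following is an added example written for this post, not ASEC's code; it assumes the "[random value]" parts are hex or alphanumeric strings (only the COVID samples on the page show the exact 32-hex-character form) and that the file arrives as .msi or .zip, as described above.

```python
import re
from pathlib import PureWindowsPath

# Filename patterns from Table 2 of the post. The "[random value]" suffixes are
# assumed to be hex or alphanumeric; only the COVID samples show a 32-hex value.
MAGNIBER_NAME_PATTERNS = [
    re.compile(r"^COVID\.Warning\.Readme\.[0-9a-f]{32}$", re.IGNORECASE),
    re.compile(r"^MS\.Update\.Center\.Security\.KB[0-9A-Za-z]+$", re.IGNORECASE),
    re.compile(r"^SYSTEM\.Antivirus\.Hotfix\.[0-9A-Za-z]+$", re.IGNORECASE),
    re.compile(r"^ERROR\.Software\.Log\.Hotfix\.[0-9A-Za-z]+$", re.IGNORECASE),
]
# Delivery formats named in the post: .msi via Chrome, .zip via Edge.
MAGNIBER_EXTENSIONS = {".msi", ".zip"}


def is_suspicious_magniber_name(path: str) -> bool:
    """Return True when a downloaded file's name follows one of the lure patterns."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in MAGNIBER_EXTENSIONS:
        return False
    # p.stem is the filename without its final extension, e.g. COVID.Warning.Readme.<hash>
    return any(pat.match(p.stem) for pat in MAGNIBER_NAME_PATTERNS)


def find_suspicious_downloads(paths):
    """Filter a list of file paths (e.g. from a download log) to the suspicious ones."""
    return [p for p in paths if is_suspicious_magniber_name(p)]


# Constructed sample input: lure names mixed with benign downloads. The random
# values after the lure prefixes are made up, except the first hash, which is from Table 1.
SAMPLE_DOWNLOADS = [
    r"C:\Users\alice\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi",
    r"C:\Users\alice\Downloads\MS.Update.Center.Security.KB9a8b7c6d.zip",
    r"C:\Users\alice\Downloads\SYSTEM.Antivirus.Hotfix.7f3ac1d2.msi",
    r"C:\Users\alice\Downloads\ERROR.Software.Log.Hotfix.b19c0e.zip",
    r"C:\Users\alice\Downloads\quarterly-report.pdf",
    r"C:\Users\alice\Downloads\COVID.Warning.Readme.txt",  # wrong extension, no hash
]

if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_DOWNLOADS):
        print("suspicious download:", hit)
```

On the constructed sample, the four lure-named .msi/.zip files are flagged and the PDF and .txt are not.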

[File Detection]

  • Ransomware/Win.Magniber.R541176 (2022.12.12.02)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
