On the morning of January 28th, the ASEC analysis team discovered that Magniber was being redistributed disguised as normal Windows Installer (MSI) packages. The distributed Magniber files use the MSI extension, disguising themselves as Windows update files. According to AhnLab’s log system, as seen in Figure 1, distribution increased starting from January 27th.
The site currently distributing Magniber uses the bypass method the team has covered here in the past, in which domain blocks based on MOTW (Mark of the Web) are bypassed by embedding the download data within an <a> tag.
When a Magniber file (zip or msi) whose download data is base64-encoded in the href of an <a> tag is injected by script and downloaded, the HostUrl recorded in its Mark of the Web remains about:internet. This has been confirmed to be for the purpose of evading domain blocks.
As shown above, Magniber tries to delete everything that could interfere with file encryption.
Needless to say, the techniques Magniber uses to evade file-based (signature) detection by anti-malware products are actively being altered as new variants are distributed.
MDS, an APT detection solution, first runs suspected files in a sandbox environment through the MDS Agent to determine whether they are malware.
MDS checks suspicious MSI files for file encryption behavior in the sandbox environment. When the behavior is confirmed as ransomware, MDS notifies the user that the file in question is malware.
EDR, which records and detects suspicious behaviors at endpoints, detects the Magniber distribution file (.zip) as ransomware when it is downloaded and executed, as shown in Figure 6.
The downloaded MSI package uses an installation framework that is also used by legitimate Windows updates. The malware was distributed by embedding the Magniber ransomware DLL within the MSI package.
MSI natively supports calling a DLL’s export function through the Custom Action table. The attacker abused this feature so that Magniber’s export function is executed when the MSI is run.
The executed DLL encrypts files, deletes volume shadow copies, and thereby infects the user’s PC with the ransomware.
Magniber is currently distributed via typosquatting, which exploits typos made when entering domain names, targeting Chrome and Edge users on the latest Windows version. Since users may download the ransomware simply by mistyping a domain, extra caution is required.
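The two points above, the hidden download origin in the Mark of the Web and the DLL export called from the Custom Action table, can both be checked on a downloaded MSI without running it. The following PowerShell triage script is an added example, not ASEC’s or AhnLab’s code; it assumes the file path is passed as a parameter and uses the Windows Installer COM object in read-only mode, which reads the package tables without executing any custom action.

```powershell
# Added example (not ASEC's code): triage a downloaded .msi on Windows.
# 1) Read the Mark-of-the-Web stream and flag a hidden origin (HostUrl=about:internet).
# 2) Enumerate the CustomAction table and flag actions whose basic type is DLL
#    (Type 1 = DLL stored in the Binary table, Type 17 = DLL installed with the product).
param([Parameter(Mandatory)][string]$Path)   # path to the downloaded .msi (assumed input)

# --- 1) Mark of the Web (Zone.Identifier alternate data stream) ---
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if (-not $zone) {
    Write-Warning "No Zone.Identifier stream: the file carries no MOTW, so zone-based checks will not apply."
} else {
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
    if (-not $hostUrl -or $hostUrl -eq 'about:internet') {
        Write-Warning "MOTW present but origin hidden (HostUrl='$hostUrl'); domain-based blocking cannot see the real source."
    } else {
        "Download origin recorded in MOTW: $hostUrl"
    }
}

# --- 2) CustomAction table via the Windows Installer COM object (read-only, nothing is executed) ---
$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))  # 0 = msiOpenDatabaseModeReadOnly
$sql  = 'SELECT `Action`,`Type`,`Source`,`Target` FROM `CustomAction`'
$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
while ($true) {
    $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if (-not $rec) { break }
    $action = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
    $type   = [int]$rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 2)
    $source = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 3)  # Binary table key or File key
    $target = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 4)  # DLL entry point (export name)
    $basic      = $type -band 0x07             # bits 0-2: 1=DLL, 2=EXE, 5=JScript, 6=VBScript
    $fromBinary = (($type -band 0x30) -eq 0)   # bits 4-5: 0 = payload embedded in the Binary table
    if ($basic -eq 1) {
        $where = if ($fromBinary) { 'embedded in the Binary table' } else { 'installed with the product' }
        Write-Warning "CustomAction '$action' (Type $type) calls export '$target' of DLL '$source' ($where)"
    }
}
$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
```

A legitimate package can also carry DLL custom actions, so a hit is a reason to detonate the file in a sandbox (as MDS does) rather than a verdict on its own.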
AhnLab is currently responding to Magniber as follows:
[IOC] [Magniber dll Creation Path] – C:\Users\[UserName]\AppData\Local\Temp\MSI[Random 4 digits].tmp
[Magniber dll File Detection] – Ransomware/Win.Magniber.C554966 (2022.01.30.01)
[Magniber msi File Detection] – Ransomware/Win.Magniber (2022.01.30.01)
[Magniber dll MD5]
[Magniber msi MD5]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.