Tracking Distribution Site of Magniber Ransomware Using EDR
AhnLab ASEC has been blocking the Magniber ransomware through various means since its distribution has continued even after, “Redistribution of Magniber Ransomware in Korea (January 28th),” was posted back in January.
Redistribution of Magniber Ransomware in Korea (January 28th)
A particular finding at the time was that the ransomware used the <a> tag to bypass domain blocks. In order to detect this, we have researched response measures by tracking the distribution site URL through a different method. The team is working hard to prevent damages through means such as file diagnosis and blocking the distribution site based on the information collected from the improved and applied infrastructure.
Real-time response to Magniber is challenging as modified versions keep getting distributed to bypass the detection of anti-malware products. This makes tracking the ransomware during its inflow stage critical to prevent further damage.
AhnLab EDR is considerably helpful when it comes to detecting whether users are connected to the Magniber distribution site and tracking the inflow path to prevent additional harm from being done.
By checking the details of the host, it is possible to track what kind of method was used to connect to the Magniber distribution site.
By utilizing the EDR tracking, we can see an ad page connected to the Magniber distribution site was accessed while searching for material through a search engine.
As shown above, simply connecting to the result displayed on the search engine can lead to the distribution of Magniber, in addition to the typosquatting method that distributes it by exploiting domain typos. Therefore, users must also be cautious when seeing abnormal domains in their search results and never execute downloaded files (.msi or .zip).
AhnLab is currently responding to Magniber in the following way.
Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.
