Posted By cka0 , February 17, 2023

Tracking Distribution Site of Magniber Ransomware Using EDR

AhnLab ASEC has been blocking the Magniber ransomware through various means since its distribution has continued even after, “Redistribution of Magniber Ransomware in Korea (January 28th),” was posted back in January.

Redistribution of Magniber Ransomware in Korea (January 28th)

A particular finding at the time was that the ransomware used the <a> tag to bypass domain blocks. In order to detect this, we have researched response measures by tracking the distribution site URL through a different method. The team is working hard to prevent damages through means such as file diagnosis and blocking the distribution site based on the information collected from the improved and applied infrastructure.

Real-time response to Magniber is challenging as modified versions keep getting distributed to bypass the detection of anti-malware products. This makes tracking the ransomware during its inflow stage critical to prevent further damage.

AhnLab EDR is considerably helpful when it comes to detecting whether users are connected to the Magniber distribution site and tracking the inflow path to prevent additional harm from being done.

Figure 1. AhnLab EDR detecting suspicious EDR behavior

Figure 2. AhnLab EDR diagram displaying connection with Magniber distribution site being detected

By checking the details of the host, it is possible to track what kind of method was used to connect to the Magniber distribution site.

Figure 3. Tracking of Magniber inflow path through host details

By utilizing the EDR tracking, we can see an ad page connected to the Magniber distribution site was accessed while searching for material through a search engine.

Figure 4. Confirmation of Magniber being distributed directly through a search engine

As shown above, simply connecting to the result displayed on the search engine can lead to the distribution of Magniber, in addition to the typosquatting method that distributes it by exploiting domain typos. Therefore, users must also be cautious when seeing abnormal domains in their search results and never execute downloaded files (.msi or .zip).

AhnLab is currently responding to Magniber in the following way.

[IOC]

[Magniber dll Creation Path] – C:\Users\[UserName]\AppData\Local\Temp\MSI[random 4-digit].tmp

[Magniber dll File Detection] – Ransomware/Win.Magniber.R557708 (2023.02.10.03)

[Magniber msi File Detection] – Ransomware/Win.Magniber (2023.02.10.03)

[Domain and IP Block]

217.182.162.62 datebar.space
51.68.238.215 doeor.email
45.32.170.38 flatthe.uno
51.254.147.171 viabugs.space

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:AhnLab Detection

Tagged as:Magniber,Ransomware