AhnLab ASEC has been blocking the Magniber ransomware through various means since its distribution has continued even after, “Redistribution of Magniber Ransomware in Korea (January 28th),” was posted back in January.
A particular finding at the time was that the ransomware used the <a> tag to bypass domain blocks. In order to detect this, we have researched response measures by tracking the distribution site URL through a different method. The team is working hard to prevent damages through means such as file diagnosis and blocking the distribution site based on the information collected from the improved and applied infrastructure.
Real-time response to Magniber is challenging as modified versions keep getting distributed to bypass the detection of anti-malware products. This makes tracking the ransomware during its inflow stage critical to prevent further damage.
AhnLab EDR is considerably helpful when it comes to detecting whether users are connected to the Magniber distribution site and tracking the inflow path to prevent additional harm from being done.
By checking the details of the host, it is possible to track what kind of method was used to connect to the Magniber distribution site.
By utilizing the EDR tracking, we can see an ad page connected to the Magniber distribution site was accessed while searching for material through a search engine.
As shown above, simply connecting to the result displayed on the search engine can lead to the distribution of Magniber, in addition to the typosquatting method that distributes it by exploiting domain typos. Therefore, users must also be cautious when seeing abnormal domains in their search results and never execute downloaded files (.msi or .zip).
AhnLab is currently responding to Magniber in the following way.
[Magniber dll Creation Path] – C:\Users\[UserName]\AppData\Local\Temp\MSI[random 4-digit].tmp
[Magniber dll File Detection] – Ransomware/Win.Magniber.R557708 (2023.02.10.03)
[Magniber msi File Detection] – Ransomware/Win.Magniber (2023.02.10.03)
[Domain and IP Block]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.