ASEC (AhnLab Security Emergency Response Center) has been continuously monitoring Magniber ransomware, which is still being distributed in large numbers. For several years it spread through an Internet Explorer (IE) vulnerability, but it stopped exploiting the browser once support for IE ended. Recently, the ransomware has been distributed to Edge and Chrome users as a Windows installer package file (.msi).
There have been recent reports of systems being reinfected by Magniber. Analysis revealed that the ransomware installs a persistence mechanism that downloads a fresh copy of Magniber every time the system is rebooted, causing repeated damage.
The figure below shows the injector code that runs inside msiexec.exe when the MSI file is executed. The Magniber payload is injected into each process in the current user's process list in turn, inside a do-while loop.
The following figure shows the Inject_Magniber function. The ransomware is injected into a user process through the APIs shown in the figure.
The figure below shows the Magniber code after it has been injected into a normal process. A random-number routine (Func_Random) generates a value: if the value is odd, the persistence code (Persistence_RegistryEdit) runs; if it is even, the process skips relaunch registration and proceeds straight to an encryption attempt. Relaunch registration is a preliminary phase of encryption, and splitting the work this way makes the attack resilient: even if security software blocks the instances that touch the registry, the roughly half of the injected processes that never execute the registration code can still encrypt the files.
The following is the persistence routine of the Persistence_RegistryEdit function.
To avoid being blocked by a simple check for executables registered under the Run key, Magniber registers its persistence in the following steps.
- A meaningless .3fr file is registered under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, and a dummy file with that name is created at the referenced path
- A registry entry is registered that is triggered when the .3fr file is opened, i.e. the handler Windows consults for that file extension
- A command that downloads Magniber is saved in that registered entry
When the system reboots, Windows launches the .3fr entry from the Run key. Because .3fr is not an executable type, the shell resolves the extension to the handler Magniber registered and runs the download command stored there, so a new copy of Magniber is downloaded and files are encrypted every time the system is rebooted.
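The following read-only PowerShell script is an added example (it is not AhnLab's code and not taken from the analysis above) of how a responder can check a host for this pattern: a Run value whose target is not an executable file type, combined with a per-user file association for that extension under HKCU\Software\Classes, which Windows consults ahead of the machine-wide association. It assumes a standard Windows 10/11 registry layout; the list of extensions treated as "executable" is an assumption that can be extended.

```powershell
# Added example, not code from the original analysis. Read-only: nothing is modified.
# Lists HKCU Run entries that point at a non-executable file and shows the user-level
# file handler (if any) that Windows would actually run for that extension at logon.

$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Assumed list of extensions the shell executes directly; anything else in a Run value is odd.
$ExecutableExt = @('.exe', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.wsf', '.msi', '.scr', '.pif', '.lnk')

function Get-RunTargetPath {
    param([string]$Command)
    # Take a quoted path if present, otherwise the first token; arguments are dropped.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Get-UserFileHandler {
    param([string]$Extension)
    # HKCU\Software\Classes overrides HKLM\Software\Classes when HKCR is merged,
    # so a per-user association for a data extension silently wins. Returns $null
    # when the current user has no handler registered for the extension.
    if (-not $Extension) { return $null }
    $extKey = "HKCU:\SOFTWARE\Classes\$Extension"
    if (-not (Test-Path -LiteralPath $extKey)) { return $null }
    $progId = (Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue).'(default)'
    # Either the extension maps to a ProgID, or carries its own shell\open\command.
    $cmdKey = if ($progId) { "HKCU:\SOFTWARE\Classes\$progId\shell\open\command" }
              else          { "$extKey\shell\open\command" }
    if (-not (Test-Path -LiteralPath $cmdKey)) { return $null }
    return (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
}

if (-not (Test-Path -LiteralPath $RunKey)) { Write-Output 'No HKCU Run key present.'; return }

$run = Get-ItemProperty -LiteralPath $RunKey
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/... metadata
    $target = [Environment]::ExpandEnvironmentVariables((Get-RunTargetPath -Command ([string]$prop.Value)))
    $ext = if ($target -match '\.[^.\\/]+$') { $Matches[0].ToLower() } else { '' }
    if ($ExecutableExt -contains $ext) { continue }   # ordinary autostart of a program

    [pscustomobject]@{
        RunValue    = $prop.Name
        Target      = $target
        Extension   = $ext
        FileExists  = [bool](Test-Path -LiteralPath $target)   # the dummy file described above
        HKCUHandler = Get-UserFileHandler -Extension $ext      # command the shell runs at logon
    }
}
```

A Run value that launches a data file is unusual by itself; a hit whose HKCUHandler column contains a download or script-interpreter command line is the combination described above and should be removed together with the Run value and the dummy file, since deleting only one of the three leaves the others behind for the next reboot.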
After checking the results of the automatic Magniber collection system, the team confirmed that distribution of Magniber has ceased since the afternoon of February 20th, but it may resume at any time. Magniber is distributed to users of the Chrome and Edge browsers on the latest version of Windows through typosquatting, a method that exploits mistyped domain names. Ransomware infection through a user mistyping a domain address was covered in a previous post, so particular caution is advised.
AhnLab currently detects and responds to Magniber as follows:
[IOC] [Magniber dll Creation Path] – C:\Users\[UserName]\AppData\Local\Temp\MSI[Random 4 digits].tmp
[Magniber dll File Detection] – Ransomware/Win.Magniber.R554966 (2023.01.30.01)
[Magniber msi File Detection] – Ransomware/Win.Magniber (2023.01.30.01)
[Magniber dll MD5]
[Magniber msi MD5]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.