Distribution of Magniber Ransomware Stops (Since August 25th)

Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. After the blocking rules of the injection technique used by Magniber were distributed, ASEC published a post about the relevant information on August 10th.

V3 Detects and Blocks Magniber Ransomware Injection (Direct Syscall Detection)

Subsequently, the number of cases diminished as the creator of Magniber conducted various detection bypass tests, and as of August 25th, the distribution of the Magniber ransomware has halted. 

Since its initial appearance in 2016, Magniber has never taken a break from distribution for such a long period of time (usually resuming distribution with a new technique to bypass detection within 2 weeks to a month). The count graph for the detection rules is displayed below. Since August 25th, no further detections have been reported, and the distribution was found to be halted.

Magniber is a ransomware that is distributed with various anti-malware evasion techniques and also has a rapidly evolving method of distribution. As this halt in distribution could actually be an indication that a change may occur in the distribution method or that it may return with a new vulnerability or additional anti-malware evasion technique, continuous monitoring is necessary.

[Magniber Behavior Detection]
– Ransom/MDP.Magniber.M4687 (2022.08.03.03)
– Ransom/MDP.Magniber.M4683 (2022.07.19.00)

[Magniber File Detection]
-Ransomware/Win.Magniber.C5468545(2023.08.09.02)

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.