Distribution of Magniber Ransomware Stops (Since August 25th)

Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. After the blocking rules of the injection technique used by Magniber were distributed, ASEC published a

V3 Detects and Blocks Magniber Ransomware Injection (Direct Syscall Detection)

The Magniber ransomware is consistently being distributed at high volumes. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years but stopped exploiting the vulnerability after the support for the browser ended. Recently, the ransomware is distributed with filenames disguised as a Windows security update

Magniber Ransomware’s Relaunch Technique

ASEC (AhnLab Security Emergency Response Center) has been constantly monitoring the Magniber ransomware which has been displaying a high number of distribution cases. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years, but stopped exploiting the vulnerability after the support for the browser ended.

Tracking Distribution Site of Magniber Ransomware Using EDR

AhnLab ASEC has been blocking the Magniber ransomware through various means, since its distribution has continued even after "Redistribution of Magniber Ransomware in Korea (January 28th)" was posted back in January. A particular finding at the time was that the ransomware used

Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames

On December 9th, 2022, the ASEC analysis team discovered that Magniber Ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames alongside the previous security update related filenames.

C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msi
C:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi

Table 1. COVID-19 related filenames in circulation

In the past,

Distribution of Magniber Ransomware Stops (Since November 29th)

Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber

Change in Magniber Ransomware (*.js → *.wsf) – September 28th

The ASEC analysis team explained in the blog post of September 8th, "Change in Magniber Ransomware (*.cpl → *.jse) – September 8th," that the Magniber ransomware had changed from a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension

Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)

The ASEC analysis team introduced the Magniber variants in the blog post of September 15th. From September 16th, the Magniber ransomware script, while still JavaScript, has had its file extension changed from *.jse to *.js. As Magniber switched to JavaScript starting September 8th, its operational method has also changed from

Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)

On the morning of February 22nd, the ASEC analysis team discovered the redistribution of Magniber disguised as normal Windows Installer (MSI) packages instead of the previous Windows app (APPX) packages. The distributed Magniber files have MSI as their extension and are disguised as Windows update files.

Critical.Update.Win10.0-kb4215776.msi
Critical.Update.Win10.0-kb6253668.msi
Critical.Update.Win10.0-kb5946410.msi

MSI package

Change in Magniber Ransomware Vulnerability (CVE-2021-40444)

Magniber is a fileless ransomware that uses an IE vulnerability, and it is one of the ransomware families causing damage to numerous Korean users. Infection is difficult to prevent unless it is detected and blocked in advance, at the stage where the vulnerability is triggered, which makes it difficult for anti-malware programs to detect