Magniber Ransomware Targets Windows Users with Fake Software Updates

HP Wolf Security researchers have detected that the operators of Magniber Ransomware are running a new malware distribution campaign targeting Windows home users with advanced features.
Figure 1: Details of the File Containing the Magniber Pest
Figure 1: Details of the File Containing the Magniber Pest
The chain of infection begins when users download a ZIP file that allegedly contains anti-virus software or a Windows 10 update from a threat actor-controlled website. However, contrary to what was promised, the ZIP archive contains compressed Javascript files containing malware. JavaScript files use a variation of the DotNetToJScript technique to load a .NET executable into memory, so the ransomware does not need to be saved to disk. Using this technique, detection and prevention mechanisms that monitor files written to disk are bypassed, and traces left on the vulnerable system are minimized. The .NET code decodes the shell code and injects it into another process.
Figure 2: Chain of Attack
Figure 2: Chain of Attack
On the other hand, the ransomware code disables Windows’s backup and recovery features by deleting the copy files before encrypting the user files. However, Magniber requires administrator privileges to disable its data recovery capability, so the malware bypasses User Account Control (UAC) control to execute commands without the user’s knowledge. However, the logged-in user must be part of the Administrators group for this process to work. Magniber enumerates the files and checks the file extension against a list during the encryption process. If the file extension is in the list, the file is encrypted. In the final stage, Magniber places a ransom note in each directory and displays the message to the user by opening it in a web browser. While it was observed that the malware spread through MSI and EXE files in the past attacks using Magniber, it was observed that it started to be distributed via JavaScript files in the said attacks carried out in September 2022.
Figure 3: Ransom Note Added by Magniber Operators
Figure 3: Ransom Note Added by Magniber Operators
The threat actors behind the Magniber malware are known to demand a $2500 ransom payment from infected users. In this context, it is recommended to consider the following security steps in order not to be the target of this and similar ransomware campaigns.

Share This: