On the morning of January 28th, the ASEC analysis team discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files. According to AhnLab’s log system as seen in Figure 1, it can be noted that the distribution increased starting from January 27th.
Figure 1. Increase in Magniber distribution confirmed by AhnLab’s log system
The site currently distributing Magniber uses the bypass method that the team has covered here in the past: domain-based blocking that relies on MOTW (Mark of the Web) is evaded by embedding the download data directly in an <a> tag instead of linking to a URL.
When a Magniber file (zip or msi) is delivered this way, with the href of its <a> tag holding the base64-encoded file content and the tag added by script and then triggered for download, the HostUrl recorded in the file's Mark of the Web is about:internet rather than the distribution domain. This has been confirmed to be for the purpose of evading domain blocks.
Figure 2. MOTW evasion using the <a> tag
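The following PowerShell script is an added example, not code from the ASEC post, for checking downloaded files for the MOTW pattern described above. It reads each file's Zone.Identifier alternate data stream (the "Mark of the Web", an NTFS stream written by browsers) and flags archives and installers whose HostUrl is about:internet, which is the value the post says results from the <a>-tag delivery. The folder path, the file extensions scanned and the field names read are assumptions; the Zone.Identifier layout (ZoneId, ReferrerUrl, HostUrl) is the standard one.

```powershell
# Added example (not from the ASEC post): triage Mark of the Web on downloaded files.
# Flags .msi/.zip files whose Zone.Identifier stream carries HostUrl=about:internet,
# i.e. files whose download origin cannot be attributed to a domain.
# Assumptions: NTFS volume, Windows PowerShell 5.1 or later (Get-Content -Stream),
# and a scan root given in $Folder (defaults to the current user's Downloads folder).
param([string]$Folder = "$env:USERPROFILE\Downloads")

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is INI-style text, e.g.:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://example.invalid/
    #   HostUrl=about:internet
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }   # no MOTW stream: not a browser download (or stream stripped)

    $info = [ordered]@{ Path = $Path; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $raw) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
            $info[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$info
}

function Test-MotwOriginHidden {
    param([Parameter(Mandatory)]$Motw)
    # ZoneId 3 = Internet zone. A file from the Internet zone whose HostUrl is
    # about:internet is the signature of the <a>-tag (data embedded in href) delivery.
    return ($Motw.ZoneId -eq '3') -and ($Motw.HostUrl -eq 'about:internet')
}

Get-ChildItem -LiteralPath $Folder -File -Recurse -Include *.msi, *.zip -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -Path $_.FullName } |
    Where-Object { $_ } |
    ForEach-Object {
        [pscustomobject]@{
            Path        = $_.Path
            ZoneId      = $_.ZoneId
            ReferrerUrl = $_.ReferrerUrl
            HostUrl     = $_.HostUrl
            OriginHidden = Test-MotwOriginHidden -Motw $_
        }
    } | Sort-Object OriginHidden -Descending | Format-Table -AutoSize
```

Files reported with OriginHidden set to True still carry the Internet-zone marker, so SmartScreen and similar zone checks run, but any control that keys on the HostUrl domain has nothing to match against; those files are the ones to submit to sandbox analysis rather than rely on a domain block list.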
As shown above, Magniber attempts to delete anything that could interfere with file encryption, such as volume shadow copies (see Figure 10).
Needless to say, Magniber is also being continually modified and redistributed to evade file-based (signature) detection by anti-malware products.
Figure 3. Magniber not found by VirusTotal
The MDS product, which is an APT detection solution, first runs suspected files in a sandbox environment through the MDS Agent to determine whether they are malware.
Figure 4. AhnLab MDS detecting Magniber
Figure 5. AhnLab MDS detecting MDS decoy modification
MDS runs suspicious incoming MSI files in a sandbox environment and checks whether they perform file encryption. When a file is confirmed to be ransomware, MDS notifies the user that the file in question is malware.
EDR, which records and detects suspicious behaviors at endpoints, detects the Magniber distribution file (.zip) as ransomware when it is downloaded and executed, as shown in Figure 6.
Figure 6. AhnLab EDR detecting suspicious behaviors
Figure 7. AhnLab EDR displaying the record of zip files downloaded via browser
Figure 8. AhnLab EDR displaying inflow path of suspicious file
Figure 9. AhnLab EDR displaying decoy detection diagram
Figure 10. AhnLab EDR detecting the deletion of volume shadow copy
The downloaded MSI package uses the Windows Installer framework, which is also used by legitimate Windows updates. The malware was distributed by embedding the Magniber ransomware DLL inside the MSI package file.
Figure 11. Package including the dkbqlodrizgs binary (DLL)
Windows Installer natively supports calling an exported function of a DLL through the CustomAction table. The attacker abused this feature so that Magniber's export function is executed when the MSI is run.
The executed DLL encrypts files, deletes volume shadow copies, and infects the user's PC with the ransomware.
Figure 12. Calling the rsmvmdibw export function of dkbqlodrizgs written within CustomAction
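To triage a package for this mechanism without executing it, the CustomAction table can be read statically. The PowerShell script below is an added example, not code from the ASEC post, that opens an MSI read-only through the Windows Installer COM automation object (WindowsInstaller.Installer, present on every Windows host), lists the Binary table entries, and flags custom actions whose type is "DLL stored in the Binary table" (base type 1 with source flag 0), which is exactly the combination the post shows: the dkbqlodrizgs binary with its rsmvmdibw export as the Target. The script name, the $MsiPath parameter and the helper names are assumptions; the CustomAction type bit layout is the documented Windows Installer one.

```powershell
# Added example (not from the ASEC post): static inspection of an MSI's CustomAction table.
# Assumes the WindowsInstaller.Installer COM object (any Windows host) and an MSI path in $MsiPath.
param([Parameter(Mandatory)][string]$MsiPath)

# COM late binding: PowerShell often cannot resolve Windows Installer methods directly,
# so methods and parameterized properties are invoked through InvokeMember.
function Invoke-MsiMethod {
    param($Object, [string]$Name, [object[]]$Arguments = @())
    $Object.GetType().InvokeMember($Name, [System.Reflection.BindingFlags]::InvokeMethod,
                                   $null, $Object, $Arguments)
}
function Get-MsiProperty {
    param($Object, [string]$Name, [object[]]$Arguments = @())
    $Object.GetType().InvokeMember($Name, [System.Reflection.BindingFlags]::GetProperty,
                                   $null, $Object, $Arguments)
}

# Runs a query against the MSI database and returns each row as an array of strings.
function Get-MsiTableRows {
    param($Db, [string]$Sql, [int]$Columns)
    try { $view = Invoke-MsiMethod $Db 'OpenView' @($Sql) }
    catch { return @() }                       # table absent in this package
    Invoke-MsiMethod $view 'Execute' @($null) | Out-Null
    $rows = @()
    while ($true) {
        $rec = Invoke-MsiMethod $view 'Fetch'
        if (-not $rec) { break }
        $rows += ,@(1..$Columns | ForEach-Object { Get-MsiProperty $rec 'StringData' @($_) })
    }
    Invoke-MsiMethod $view 'Close' | Out-Null
    return $rows
}

# Documented CustomAction type bits (lower nibble = base type, 0x30 = source of the code).
$BaseTypes = @{ 1 = 'DLL'; 2 = 'EXE'; 3 = 'TextData'; 5 = 'JScript'; 6 = 'VBScript'; 7 = 'NestedInstall' }
$SourceKinds = @{ 0x00 = 'Binary table'; 0x10 = 'Installed file'; 0x20 = 'Directory'; 0x30 = 'Property' }

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-MsiMethod $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = msiOpenDatabaseModeReadOnly

$binaries = Get-MsiTableRows $db 'SELECT `Name` FROM `Binary`' 1 | ForEach-Object { $_[0] }
$actions  = Get-MsiTableRows $db 'SELECT `Action`,`Type`,`Source`,`Target` FROM `CustomAction`' 4

"Binary table entries: " + ($(if ($binaries) { $binaries -join ', ' } else { '(none)' }))

$actions | ForEach-Object {
    $type     = [int]$_[1]
    $base     = $type -band 0x07
    $srcBits  = $type -band 0x30
    # An embedded DLL (base type 1, code from the Binary table) whose export is named in
    # Target is the pattern the post describes; flag it for sandbox analysis.
    $embeddedDll = ($base -eq 1) -and ($srcBits -eq 0) -and ($binaries -contains $_[2])
    [pscustomobject]@{
        Action      = $_[0]
        Type        = $type
        BaseType    = $BaseTypes[$base]
        CodeSource  = $SourceKinds[$srcBits]
        Source      = $_[2]      # Binary table key, e.g. dkbqlodrizgs in the post
        Target      = $_[3]      # exported function name, e.g. rsmvmdibw in the post
        EmbeddedDll = $embeddedDll
    }
} | Format-Table -AutoSize
```

Legitimate installers also use Binary-table DLL custom actions, so a True in the EmbeddedDll column is a triage cue, not a verdict; the useful follow-up is to export the flagged Binary entry (msidb.exe or the same COM API can do this) and scan or detonate the DLL on its own, which is what the MDS sandbox step above automates.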
Magniber is currently being distributed in a typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domains, extra caution is required.
AhnLab is currently responding to Magniber as shown in the following:
[IOC] [Magniber dll Creation Path] – C:\Users\[UserName]\AppData\Local\Temp\MSI[Random 4 digits].tmp
[Magniber dll File Detection] – Ransomware/Win.Magniber.C554966 (2022.01.30.01)
[Magniber msi File Detection] – Ransomware/Win.Magniber (2022.01.30.01)
[Magniber dll MD5]
[Magniber msi MD5]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Redistribution of Magniber Ransomware in Korea (January 28th) appeared first on ASEC BLOG.