Magniber Ransomware’s Relaunch Technique – ASEC BLOG

ASEC (AhnLab Security Emergency Response Center) has been constantly monitoring the Magniber ransomware which has been displaying a high number of distribution cases. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years, but stopped exploiting the vulnerability after the support for the browser ended. Recently, the ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers.

There have been recent reports of systems being reinfected by Magniber. Analysis revealed that the ransomware was designed to download a new instance of Magniber whenever the system was rebooted, causing further damage.

The figure below shows the injector code that activates in msiexec.exe when the MSI file is executed. The Magniber payloads are injected in order through a do-while loop on the user process list.

Figure. Injector code that runs through msiexec.exe (injection of the ransomware into a normal process)

The following figure is the Inject_Magniber function code. The ransomware is injected into a user’s process through the API shown in the figure.

Figure. Inject_Magniber function (injection is performed through APIs such as CreateThreadEx)

The below figure is the Magniber code that has been injected into a normal process where a random function (Func_Random) is used to generate a random value. If the value is odd, the persistence code (Persistence_RegistryEdit) is executed. If the value is even, an encryption attempt is made instead of registering it to be relaunched. Registering to be relaunched is a preliminary phase of encryption. If the ransomware is blocked at the registry stage, the remaining half of the processes where the relaunch registration code has not been executed are used to successfully encrypt the files.

Figure. Magniber code injected into a normal process

The following is the Persistence_RegistryEdit function’s persistence routine.

Figure. Persistence routine (registry) of the Persistence_RegistryEdit function.

In order to prevent Magniber from being blocked after simply being registered to the Run registry key, the registry registration takes the following steps.

  1. A meaningless .3fr file is registered to the HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun key, and a dummy file is created in the same path

    Figure. Registry registered to the Run key

  2. Registers a registry to be executed simultaneously with the .3fr file

    Figure. Registering a registry to be run simultaneously

  3. Saves a command that downloads Magniber in the registered registry

    Figure. Registering a registry command to relaunch Magniber

When the system is rebooted, the .3fr file extension registered to the Run key is executed along with the registry that was designated to also activate at the same time, causing a new Magniber to be downloaded and encrypted every time the system is rebooted.

After checking the result of the automatic Magniber collection system, the team confirmed that the distribution of Magniber has ceased since the afternoon of February 20th, but it may resume again one day. Magniber is being distributed to users using the Chrome and Edge browsers on the latest version of Windows through typosquatting, a method that exploits domain typos. Ransomware infection through a user mistyping a domain address was a case covered previously, so particular caution is advised.

Figure. Magniber distribution status

AhnLab is currently responding to Magniber as shown in the following:

[IOC] [Magniber dll Creation Path] – C:Users[UserName]AppDataLocalTempMSI[Random 4 digits].tmp

[Magniber dll File Detection] – Ransomware/Win.Magniber.R554966 (2023.01.30.01)

[Magniber msi File Detection] – Ransomware/Win.Magniber (2023.01.30.01)

[Magniber dll MD5]

35c3743df22ea0de26aeac37a88da1c9
0723b125887e632bd2203680b75efb57
1484d68f70fca635fa36bdf6d0493fbf
fad8957047b31c13ac7ae4f72c4775d4
aa4c28fb3cd600745aa0abd616b2b128
c32d55881a9290267ddbe7005b12b6b8
bd952ad584866bcd4454a3385b615c74
be1fbf7bf36efcf84a604da24b93d97f
162d6827d206fbab285c09b518f30ec9

[Magniber msi MD5]

65ac438561b3a415876dff89d2804a13
35c3743df22ea0de26aeac37a88da1c9
0723b125887e632bd2203680b75efb57
1484d68f70fca635fa36bdf6d0493fbf
fad8957047b31c13ac7ae4f72c4775d4
aa4c28fb3cd600745aa0abd616b2b128
c32d55881a9290267ddbe7005b12b6b8
bd952ad584866bcd4454a3385b615c74
be1fbf7bf36efcf84a604da24b93d97f
162d6827d206fbab285c09b518f30ec9

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/48312/