T1190 – Exploit Public-Facing Application
Magniber has been observed exploiting the following vulnerabilities for initial access:
• Magnitude exploit kit
• CVE-2016-0189
• CVE-2018-8174
• CVE-2019-1367
• CVE-2020-0968, Scripting Engine Memory Corruption Vulnerability (Internet Explorer)
• CVE-2021-26411, Internet Explorer Memory Corruption Vulnerability
• CVE-2021-40444, remote code execution vulnerability in MSHTML (Internet Explorer)
• CVE-2021-34527, PrintNightmare
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
Magniber uses cmd.exe to execute commands.
T1047 – Windows Management Instrumentation
Magniber uses WMIC to delete shadow copies.
T1059.007 – Command and Scripting Interpreter: JavaScript
The new Magniber version is written in JSE/JS format and still tricks the user by masquerading as a legitimate installer/Windows update.
T1204 – User Execution
New Magniber versions use ZIP attachments containing the malicious payload.
T1203 – Exploitation for Client Execution
Magniber bypasses Mark-of-the-Web (MOTW) checks by exploiting the following vulnerability with a fake (malformed) digital signature:
• CVE-2022-44698
T1218.010 – Signed Binary Proxy Execution: Regsvr32
Magniber uses regsvr32.exe with scrobj.dll to execute its dropped TXT file.
T1055.003 – Process Injection: Thread Execution Hijacking
Magniber injects into each process if all of the following criteria are met:
• The process is not iexplore.exe
• The process integrity level is lower than SYSTEM
• The process is not running in the WoW64 environment (a 32-bit process on a 64-bit OS)
T1140 – Deobfuscate/Decode Files or Information
The main payload and related strings are decrypted before execution.
T1112 – Modify Registry
Magniber modifies specific registry entries to trigger shadow copy deletion.
T1218.007 – System Binary Proxy Execution: Msiexec
Recent Magniber infections leverage fake installers (.msi) by calling the encrypted ransomware DLL through the CustomAction table.
T1218.002 – System Binary Proxy Execution: Control Panel
New Magniber variants use the CPL (Control Panel item) file format to execute their malicious payload.
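The WMIC, regsvr32/scrobj.dll, msiexec, CPL and JS/JSE execution paths listed above all surface as process-creation command lines, so a defender can map them back to the technique IDs in this table. The following triage routine is an added example, not code from the Trend Micro report or from Magniber; the rules, the simplified `pid|parent_image|command_line` log format and the sample events are constructed for illustration.

```python
import re

# Added example: map process-creation command lines to the Magniber TTPs above.
# Each rule is (ATT&CK ID, description, regex over the command line). Patterns are
# case-insensitive and tolerate extra flags or paths between the tokens.
RULES = [
    ("T1047", "WMIC shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1218.010", "regsvr32 loading scrobj.dll (scriptlet proxy execution)",
     re.compile(r"\bregsvr32(\.exe)?\b.*\bscrobj\.dll\b", re.I)),
    ("T1218.007", "msiexec launching an installer package",
     re.compile(r"\bmsiexec(\.exe)?\b.*\.msi\b", re.I)),
    ("T1218.002", "Control Panel item (.cpl) execution",
     re.compile(r"\b(control|rundll32)(\.exe)?\b.*\.cpl\b", re.I)),
    ("T1059.007", "JS/JSE script run through wscript or cscript",
     re.compile(r"\b(wscript|cscript)(\.exe)?\b.*\.jse?\b", re.I)),
]


def match_techniques(cmdline):
    """Return the ATT&CK IDs of every rule that matches this command line."""
    return [tid for tid, _, rx in RULES if rx.search(cmdline)]


def triage(log_lines):
    """Parse constructed 'pid|parent_image|command_line' records and
    return (pid, parent_image, matched_ids) for each record that hits a rule."""
    hits = []
    for line in log_lines:
        pid, parent, cmdline = line.split("|", 2)
        ids = match_techniques(cmdline)
        if ids:
            hits.append((pid, parent.lower(), ids))
    return hits


# Constructed sample events (not real telemetry) in the simplified record format.
SAMPLE_LOG = [
    "4012|cmd.exe|wmic.exe shadowcopy delete",
    "4020|cmd.exe|regsvr32.exe /s /i:C:\\Users\\u\\AppData\\Local\\Temp\\dropped.txt scrobj.dll",
    "4031|explorer.exe|msiexec.exe /i C:\\Users\\u\\Downloads\\update.msi /qn",
    "4040|explorer.exe|notepad.exe C:\\Users\\u\\notes.txt",
]

if __name__ == "__main__":
    for pid, parent, ids in triage(SAMPLE_LOG):
        print(pid, parent, ", ".join(ids))
```

Correlating the parent image (cmd.exe spawning wmic.exe, or explorer.exe spawning msiexec.exe from a Downloads path) with the matched ID gives a much lower false-positive rate than the command-line regex alone.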
T1036.005 – Masquerading: Match Legitimate Name or Location
Magniber masquerades as an update for Windows or MS upgrades to trick the user into executing the file.
T1620 – Reflective Code Loading
Magniber script variants are reflectively loaded in order to proceed with execution.
T1553.005 – Subvert Trust Controls: Mark-of-the-Web Bypass
Magniber uses a malformed digital signature block to bypass execution blocks by MOTW.
T1083 – File and Directory Discovery
Magniber searches for files and directories for encryption.
T1135 – Network Share Discovery
Magniber encrypts files in network/remote drives.
T1057 – Process Discovery
Magniber uses the NtQuerySystemInformation API to enumerate the processes running on the machine.
T1082 – System Information Discovery
Magniber gathers the computer name of the affected machine, as well as the build number of the compromised Windows operating system, read from the fixed offset [DS]:7FFE026C.
T1071.001 – Application Layer Protocol: Web Protocols
Magniber appends the data gathered from the machine when connecting to the URL of the payment page.
T1490 – Inhibit System Recovery
Magniber deletes volume shadow copies via WMIC and by modifying specific registry entries.
T1486 – Data Encrypted for Impact
Magniber avoids encrypting files located in the following folders:
• documents and settings
• appdata
• local settings
• sample music
• sample pictures
• sample videos
• tor browser
• recycle
• windows
• boot
• intel
• msocache
• perflogs
• program files
• programdata
• recovery
• system volume information
• winnt
Magniber also skips files that carry any of the following file attributes:
• FILE_ATTRIBUTE_SYSTEM
• FILE_ATTRIBUTE_HIDDEN
• FILE_ATTRIBUTE_READONLY
• FILE_ATTRIBUTE_TEMPORARY
• FILE_ATTRIBUTE_VIRTUAL
It also skips folders that carry any of the following file attributes:
• FILE_ATTRIBUTE_SYSTEM
• FILE_ATTRIBUTE_HIDDEN
• FILE_ATTRIBUTE_ENCRYPTED
Magniber first encrypts target files with symmetric AES, then encrypts the AES key and IV with RSA using the Windows CryptoAPI. It processes each file in equal-size blocks of 1,048,576 bytes per iteration until the final block has been encrypted.
It uses the mutex name as the extension appended to encrypted files.
T1608.005 – Stage Capabilities: Link Target
Magniber uses typosquatting to trick users into accessing the malicious payload.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber