Ransomware Spotlight: Magniber – Security News

T1190 – Exploit Public-Facing Application
Magniber has been observed exploiting the following vulnerabilities for initial access:
 • Magnitude exploit kit
   • CVE-2016-0189
   • CVE-2018-8174
   • CVE-2019-1367
 • Scripting Engine Memory Corruption Vulnerability (Internet Explorer)
   • CVE-2020-0968
 • Internet Explorer Memory Corruption Vulnerability
   • CVE-2021-26411
 • Remote code execution vulnerability in MSHTML (Internet Explorer)
   • CVE-2021-40444
 • PrintNightmare
   • CVE-2021-34527

T1059.003 – Command and Scripting Interpreter: Windows Command Shell
Magniber uses cmd.exe to execute its commands.

T1047 – Windows Management Instrumentation
Magniber uses WMIC to delete shadow copies.

T1059.007 – Command and Scripting Interpreter: JavaScript
The new Magniber version is written in JSE/JS format and still tricks the user by masquerading as a legitimate installer/Windows update.

T1204 – User Execution
New Magniber versions use ZIP attachments containing the malicious payload.

T1203 – Exploitation for Client Execution
Magniber bypasses Mark-of-the-Web (MOTW) by exploiting the following vulnerability using fake digital signatures:
 • CVE-2022-44698

T1218.010 – Signed Binary Proxy Execution: Regsvr32
Magniber uses regsvr32.exe together with scrobj.dll to execute its dropped TXT file.

T1055.003 – Process Injection: Thread Execution Hijacking
Magniber injects into each process if the following criteria are met:
 • The process is not iexplore.exe
 • The process integrity level is lower than SYSTEM
 • The process is not running in a WoW64 environment (a 32-bit process on a 64-bit OS)

T1140 – Deobfuscate/Decode Files or Information
The main payload and related strings are decrypted before execution.

T1112 – Modify Registry
Magniber modifies specific registry entries to carry out shadow copy deletion.

T1218.007 – System Binary Proxy Execution: Msiexec
Recent Magniber infections leverage fake installers (.msi) by calling the encrypted ransomware DLL through the CustomAction table.

T1218.002 – System Binary Proxy Execution: Control Panel
New Magniber variants use CPL file format to execute their malicious payload.

T1036.005 – Masquerading: Match Legitimate Name or Location
Magniber masquerades as an update for Windows or MS upgrades to trick the user into executing the file.

T1620 – Reflective Code Loading
Magniber script variants are reflectively loaded in order to proceed with execution.

T1553.005 – Subvert Trust Controls: Mark-of-the-Web Bypass
Magniber uses a malformed digital signature block to bypass execution blocks by MOTW.

T1083 – File and Directory Discovery
Magniber searches for files and directories for encryption.

T1135 – Network Share Discovery
Magniber encrypts files on network and remote drives.

T1057 – Process Discovery
Magniber uses the NtQuerySystemInformation API to enumerate the processes running on the machine.

T1082 – System Information Discovery
Magniber gathers the computer name of the affected machine, as well as the build number of the compromised Windows operating system, which it reads via the fixed offset [DS]:7FFE026C.

T1071.001 – Application Layer Protocol: Web Protocols
Magniber appends the data gathered from the machine to the URL of the payment page when connecting to it.

T1490 – Inhibit System Recovery
Magniber deletes volume shadow copies via WMIC and by modifying specific registry entries.
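The living-off-the-land patterns listed above (T1047 and T1490 shadow copy deletion via WMIC, T1218.010 regsvr32 with scrobj.dll and a dropped TXT file, T1218.007 fake .msi installers, T1218.002 CPL payloads) can be checked against endpoint process-creation telemetry. The following triage script is an added example and is not code from the Trend Micro page: the sample events, user names and file names are constructed, and the exact command-line shapes matched by the rules (wmic shadowcopy delete, regsvr32 /i:<file>.txt scrobj.dll, msiexec or control.exe launching a payload from a user profile path) are assumptions about how these techniques typically appear, not indicators taken from the page.

```python
import re
from typing import List, Tuple

# Constructed process-creation events (parent image, command line); these are
# sample values made up for this example, not indicators from the spotlight.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("explorer.exe", r"msiexec.exe /i C:\Users\alice\Downloads\Windows10_Update.msi /qn"),
    ("cmd.exe", r"wmic shadowcopy delete"),
    ("cmd.exe", r"regsvr32.exe /s /n /u /i:C:\Users\alice\AppData\Local\Temp\update.txt scrobj.dll"),
    ("explorer.exe", r"control.exe C:\Users\alice\Downloads\Windows10_Update.cpl"),
    ("services.exe", r"msiexec.exe /V"),  # benign: the Windows Installer service starting
]

# A path under a user profile, i.e. a location an unprivileged user can write to.
USER_PATH = r"[a-z]:\\users\\[^\\\s]+\\"

# (ATT&CK ID as listed on the page, what the rule looks for, regex over the command line)
RULES = [
    ("T1047/T1490", "WMIC shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1218.010", "regsvr32 loading scrobj.dll with a .txt scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b(?=.*\bscrobj\.dll\b)(?=.*/i:\S+\.txt\b)", re.I)),
    ("T1218.007", "msiexec installing an .msi from a user-writable path",
     re.compile(r"\bmsiexec(\.exe)?\b.*" + USER_PATH + r".*\.msi\b", re.I)),
    ("T1218.002", "CPL file launched via control.exe from a user-writable path",
     re.compile(r"\bcontrol(\.exe)?\b.*" + USER_PATH + r".*\.cpl\b", re.I)),
]


def classify(command_line: str) -> List[str]:
    """Return the ATT&CK IDs whose rule matches the given command line."""
    return [tid for tid, _, rx in RULES if rx.search(command_line)]


def triage(events: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Keep only the events that match at least one rule, for analyst review."""
    hits = []
    for parent, cmd in events:
        ids = classify(cmd)
        if ids:
            hits.append((parent, cmd, ids))
    return hits


if __name__ == "__main__":
    for parent, cmd, ids in triage(SAMPLE_EVENTS):
        print(f"{', '.join(ids):12} parent={parent:13} {cmd}")
```

Each rule is a single-event heuristic; in practice the parent process and the signing status of the launched .msi or .cpl should be used to filter out legitimate installers before alerting.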

T1486 – Data Encrypted for Impact
It avoids encrypting files in the following folders:
 • documents and settings
 • appdata
 • local settings
 • sample music
 • sample pictures
 • sample videos
 • tor browser
 • recycle
 • windows
 • boot
 • intel
 • msocache
 • perflogs
 • program files
 • programdata
 • recovery
 • system volume information
 • winnt
Magniber also avoids encrypting files that have the following file attributes:
 • FILE_ATTRIBUTE_SYSTEM
 • FILE_ATTRIBUTE_HIDDEN
 • FILE_ATTRIBUTE_READONLY
 • FILE_ATTRIBUTE_TEMPORARY
 • FILE_ATTRIBUTE_VIRTUAL
It avoids encrypting folders that have the following file attributes:
 • FILE_ATTRIBUTE_SYSTEM
 • FILE_ATTRIBUTE_HIDDEN
 • FILE_ATTRIBUTE_ENCRYPTED
Magniber first encrypts target files with symmetric AES, then encrypts the AES key and IV with RSA using Windows CryptoAPI functions. It encrypts equal-size data blocks (1,048,576 bytes) per iteration until the final block is encrypted.
It uses the mutex name as the extension appended to encrypted files.

T1608.005 – Stage Capabilities: Link Target
Magniber uses typosquatting to trick users into accessing the malicious payload.

Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber