On the morning of January 28th, the ASEC analysis team discovered that Magniber was again being distributed, this time disguised as normal Windows Installer (MSI) packages. The distributed Magniber files carry the .msi extension and masquerade as Windows update files. AhnLab’s log system (Figure 1) shows the distribution increasing from January 27th.
- MS.Update.Center.Security.KB17347418.msi
- MS.Update.Center.Security.KB2562020.msi
- MS.Update.Center.Security.KB44945726.msi
The site currently distributing Magniber uses the bypass method the team has covered in the past: domain blocking based on MOTW (Mark of the Web) is evaded by placing the download data inside an <a> tag.
Domains Used for Magniber Distribution in Korea
When the Magniber file (zip or msi) is downloaded through a script-inserted <a> tag whose href holds the file as base64-encoded data, the HostUrl recorded in the Mark of the Web is about:internet rather than the distribution domain. This has been confirmed to be for the purpose of evading domain blocks.
As shown above, Magniber tries to delete everything that could interfere with file encryption.
Needless to say, Magniber is being actively modified and redistributed to evade the file-based detection of signature-based anti-malware products.
The MDS product, an APT detection solution, first runs suspected files in a sandbox environment via the MDS Agent to determine whether they are malware.
MDS checks suspicious MSI files for file-encryption behavior in the sandbox environment; when the behavior is confirmed as ransomware, MDS notifies the user that the file in question is malware.
EDR, which records and detects suspicious behaviors at endpoints, detects the Magniber distribution file (.zip) as ransomware when it is downloaded and executed, as shown in Figure 6.
The downloaded MSI package uses the same installation framework as legitimate Windows updates. The malware was distributed by embedding the Magniber ransomware DLL within the MSI package.
By default, MSI can call an export function of a DLL through the Custom Action table. The attacker abused this feature so that Magniber’s export function is executed when the MSI is run.
https://docs.microsoft.com/en-us/windows/win32/msi/custom-actions
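The following triage script is an added example, not ASEC’s or AhnLab’s code: it lists the Custom Action table of an MSI through the Windows Installer COM API and flags rows whose type calls a DLL export, the mechanism described above. It assumes a Windows host and the placeholder path `C:\samples\suspect.msi`.

```powershell
# Added example (not from the original post): enumerate Custom Actions in an MSI
# and flag those that invoke a DLL export. $MsiPath is a placeholder.
param([string]$MsiPath = "C:\samples\suspect.msi")

function Invoke-MsiMember($Object, $Name, $Kind, $MemberArgs) {
    # WindowsInstaller.Installer has no usable type library, so go through IDispatch.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $MemberArgs)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-MsiMember $installer "OpenDatabase" "InvokeMethod" @($MsiPath, 0)  # 0 = read-only

$query = "SELECT ``Action``, ``Type``, ``Source``, ``Target`` FROM ``CustomAction``"
$view  = Invoke-MsiMember $db "OpenView" "InvokeMethod" @($query)
Invoke-MsiMember $view "Execute" "InvokeMethod" $null | Out-Null

while (($rec = Invoke-MsiMember $view "Fetch" "InvokeMethod" $null) -ne $null) {
    $action = Invoke-MsiMember $rec "StringData" "GetProperty" @(1)
    $type   = [int](Invoke-MsiMember $rec "StringData" "GetProperty" @(2))
    $source = Invoke-MsiMember $rec "StringData" "GetProperty" @(3)
    $target = Invoke-MsiMember $rec "StringData" "GetProperty" @(4)

    # Low 3 bits of Type: 1 = DLL, 2 = EXE, 5 = JScript, 6 = VBScript.
    # Bits 0x30 give the source: 0x00 Binary table, 0x10 installed file,
    # 0x20 directory, 0x30 property. Type 1 / 17 therefore mean "call a DLL export";
    # for those rows Source names the DLL and Target names the export function.
    $isDll = (($type -band 0x07) -eq 1)
    $where = switch ($type -band 0x30) {
        0x00 { "Binary table" } 0x10 { "installed file" } 0x20 { "directory" } 0x30 { "property" }
    }
    # 0x800 (NoImpersonate) means the action runs as SYSTEM rather than the installing user.
    $asSystem = (($type -band 0x800) -ne 0)

    $flag = if ($isDll) { "DLL-EXPORT" } else { "" }
    "{0,-10} {1,-28} Type={2,-5} from {3,-14} system={4} {5} -> {6}" -f `
        $flag, $action, $type, $where, $asSystem, $source, $target
}
```

A DLL-type action whose Source is a key in the Binary table means the DLL is carried inside the package itself, which matches how the Magniber DLL is delivered here.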
The executed DLL encrypts files, deletes volume shadow copies, and infects the user’s PC with the ransomware.
Magniber is currently distributed via typosquatting, which exploits typos made when entering domain names, targeting Chrome and Edge users on the latest Windows version. Because users may download the ransomware simply by mistyping a domain, extra caution is required.
AhnLab is currently responding to Magniber as shown in the following:
[IOC] [Magniber dll Creation Path] – C:\Users\[UserName]\AppData\Local\Temp\MSI[Random 4 digits].tmp
[Magniber dll File Detection] – Ransomware/Win.Magniber.C554966 (2022.01.30.01)
[Magniber msi File Detection] – Ransomware/Win.Magniber (2022.01.30.01)
[Magniber dll MD5]
[Magniber msi MD5]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.