Magniber ransomware: exclusively for South Koreans
The Magnitude exploit kit has been pretty consistent over the last few months, dropping the same payload—namely, the Cerber ransomware—and targeting a few select countries in Asia. Strangely, Magnitude EK disappeared in late September, and for a while we wondered whether this was yet another casualty in the already deflated exploit kit scene.
However, a few days ago Magnitude EK resurfaced, this time with a new payload. The delivered malware is also a ransomware, but of a family that was not known before. It has been named Magniber.
This Magniber ransomware is highly targeted: it performs checks at several levels (external IP address, installed language, etc.) to ensure that the infected system is located in South Korea. Targeting a single country is unusual on its own, but performing multiple checks to confirm the victim's country and language makes this a first for ransomware.
Analyzed samples
- 9bb96afdce48fcf9ba9d6dda2e23c936c661212e8a74114e7813082841667508 – dropped by Magnitude EK
- …
IoC