Magniber ransomware improves, expands within Asia
This blog post was authored by @hasherezade and Jérôme Segura.
The Magnitude exploit kit is one of the longest-serving browser exploitation toolkits among those still in use. After its inception in 2013, it enjoyed worldwide distribution with a liking for ransomware. Eventually, it became a private operation that had a narrow geographic focus.
During 2017, Magnitude delivered Cerber ransomware via a filtering gate known as Magnigate, only to a select few Asian countries. In October 2017, the exploit kit operator began to distribute its own breed of ransomware, Magniber. That change came with an interesting twist—the malware authors went to great lengths to limit infections to South Korea. In addition to traffic filtering via country-specific malvertising chains, Magniber would only install if a specific country code was returned; otherwise, it would delete itself.
In April 2018, Magnitude unexpectedly started pushing the ever-growing GandCrab ransomware, shortly after having adopted a fresh Flash zero-day (CVE-2018-4878). …
IoC
149.202.112.72
178.32.62.130
19599cad1bbca18ac6473e64710443b7
60af42293d2dbd0cc8bf1a008e06f394
6e57159209611f2531104449f4bb86a7621fb9fbc2e90add2ecdfbe293aa9dfc
72fce87a976667a8c09ed844564adc75
7fb69fbd045315b42d7f962a83fdc300
8a0244eedee8a26139bea287a7e419d9
92.222.121.30
94.23.165.192
fb6c80ae783c1881487f2376f5cace7532c5eadfc170b39e06e17492652581c2
http://149.202.112.72
http://178.32.62.130
http://92.222.121.30.08
http://94.23.165.192.69