Magniber Ransomware’s Relaunch Technique

2023-02-23, Ahnlab
https://asec.ahnlab.com/en/48312/
#Ransomware #Magniber

Contents

ASEC (AhnLab Security Emergency Response Center) has been continuously monitoring the Magniber ransomware, which continues to be distributed in high volume. For the past few years it was distributed through an IE (Internet Explorer) vulnerability, but it stopped exploiting that vulnerability after support for the browser ended. Recently, the ransomware has been distributed as a Windows installer package file (.msi) to users of the Edge and Chrome browsers.
There have been recent reports of systems being reinfected by Magniber. Analysis revealed that the ransomware was designed to download a new instance of Magniber whenever the system was rebooted, causing further damage.
The figure below shows the injector code that runs inside msiexec.exe when the MSI file is executed. The Magniber payload is injected into the processes on the user process list one after another through a do-while loop.
The following figure shows the Inject_Magniber function. The ransomware is injected into a user’s process through the API shown …

IoC

0723b125887e632bd2203680b75efb57
1484d68f70fca635fa36bdf6d0493fbf
162d6827d206fbab285c09b518f30ec9
35c3743df22ea0de26aeac37a88da1c9
65ac438561b3a415876dff89d2804a13
aa4c28fb3cd600745aa0abd616b2b128
bd952ad584866bcd4454a3385b615c74
be1fbf7bf36efcf84a604da24b93d97f
c32d55881a9290267ddbe7005b12b6b8
fad8957047b31c13ac7ae4f72c4775d4