Rapidly Evolving Magniber Ransomware
The Magniber ransomware has been evolving rapidly in recent months. From its file extension and injection technique to its UAC-bypassing method, Magniber has changed repeatedly in order to evade detection by anti-malware software. This article summarizes the evolution of the Magniber ransomware over the last few months, based on the analyses performed previously.
Table 1 shows the major characteristics of the distributed Magniber ransomware files by date. It was distributed with five different file extensions (msi, cpl, jse, js, wsf) over the course of four months, and in September alone its file extension changed four times (cpl -> jse -> js -> wsf -> msi).
| Date | Extension | Execution Process | Encryption Process | Recovery Environment Deactivation Process | Recovery Environment Deactivation (UAC Bypassing) |
|---|---|---|---|---|---|
| 2022-05-07 | msi | msiexec.exe | msiexec.exe | regsvr32.exe | Modifies reference registry upon execution of fodhelper.exe (HKCU:\Software\Classes\ms-settings\shell\open\command) |
| 2022-06-14 | msi | msiexec.exe | Running Process | regsvr32.exe | Modifies reference registry upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-07-20 | cpl | rundll32.exe | rundll32.exe | X | X |
| 2022-08-08 | cpl | rundll32.exe | Running Process | wscript.exe | Modifies reference registry upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-09-08 | jse | wscript.exe | Running Process | wscript.exe | Modifies reference registry upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-09-16 | js | wscript.exe | Running Process | wscript.exe | Modifies reference registry upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom … |
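As an added example (not code from the original article or from the Magniber samples), the PowerShell hunt below checks the per-user registry paths that Table 1 associates with the fodhelper.exe UAC bypass: the exact ms-settings key used by the May sample, and any custom ProgID under HKCU:\Software\Classes whose command launches one of the execution hosts listed in the table. It assumes it is run in the profile of the user being checked; the function name and the host list are the editor's choices.

```powershell
# Added example (not from the original article). Checks the per-user registry
# paths Table 1 associates with Magniber's fodhelper.exe UAC bypass.
# Assumptions: run as the user whose profile is being checked; the function
# name and the host list below are the editor's choices, taken from Table 1.
function Find-FodhelperHijack {
    [CmdletBinding()]
    param(
        # Per-user Classes hive; entries here shadow HKLM when fodhelper.exe resolves ms-settings.
        [string]$ClassesRoot = 'HKEY_CURRENT_USER\Software\Classes',
        # Execution / encryption hosts seen in Table 1.
        [string[]]$SuspiciousHosts = @('wscript.exe', 'regsvr32.exe', 'rundll32.exe', 'msiexec.exe')
    )
    $findings = @()

    # Case 1 (2022-05-07 sample): the ms-settings ProgID itself is overridden in HKCU.
    # A clean profile has no such key, so its mere presence is a finding.
    $exact = "Registry::$ClassesRoot\ms-settings\shell\open\command"
    if (Test-Path -Path $exact) {
        $findings += [pscustomobject]@{
            Key     = $exact
            Command = (Get-Item -Path $exact).GetValue('')
            Reason  = 'ms-settings ProgID overridden in the per-user Classes hive'
        }
    }

    # Case 2 (later samples): a custom ProgID under HKCU:\Software\Classes whose
    # shell\open\command launches a script or loader host from Table 1.
    foreach ($progId in Get-ChildItem -Path "Registry::$ClassesRoot" -ErrorAction SilentlyContinue) {
        if ($progId.PSChildName -eq 'ms-settings') { continue }   # already covered by case 1
        $cmdKey = "Registry::$($progId.Name)\shell\open\command"
        if (-not (Test-Path -Path $cmdKey)) { continue }
        $cmd = (Get-Item -Path $cmdKey).GetValue('')
        if (-not $cmd) { continue }
        $hit = $SuspiciousHosts | Where-Object { $cmd -match [regex]::Escape($_) } | Select-Object -First 1
        if ($hit) {
            $findings += [pscustomobject]@{
                Key     = $cmdKey
                Command = $cmd
                Reason  = "per-user ProgID command launches $hit"
            }
        }
    }
    return $findings
}

# Triage output; after review, remove the offending ProgID key with Remove-Item -Recurse.
Find-FodhelperHijack | Format-Table -AutoSize -Wrap
```

Legitimate per-user application registrations can also live under HKCU:\Software\Classes, so treat case 2 hits as leads to review (command line, timestamp, parent process) rather than as automatic detections.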
IoC