Change in Magniber Ransomware (*.msi → *.cpl) – July 20th

Since February 2022, Magniber has been distributed through a Windows Installer package file (.msi) rather than through an Internet Explorer (IE) browser vulnerability.

Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)

The ransomware carried a valid certificate and was delivered as a DLL inside the MSI file. However, starting from July 20th (Wednesday), it is being distributed with a CPL (Control Panel item) file extension instead of MSI.

Figure 1. Previous distribution cases of the MSI file

As MSI-based distribution has been declining, the Magniber operator has likely changed the distribution method.

(July 19th, 2022) MS.Upgrade.Database.Cloud.msi
(July 20th, 2022) MS.Upgrade.Database.Cloud.cpl (Chrome)
(July 20th, 2022) MS.Upgrade.Database.Cloud.zip (Edge)

Figure 2. A webpage that distributes ransomware, redirected from websites for advertising or faking domains (Chrome)

In Chrome, the CPL file is downloaded directly. In Edge, it is distributed inside a compressed ZIP archive, since Edge blocks downloads of CPL files.

Figure 3. Downloading .cpl file is blocked in Edge

Figure 4. A webpage that distributes ransomware, redirected from websites for advertising or faking domains (Edge)

The attacker originally distributed the ransomware as a .cpl file in Edge as well. Once that download was blocked, the file was quickly switched to a .zip archive for distribution.

Figure 5. Windows Control Panel file (.cpl) downloaded from a webpage that distributes Magniber

Figure 6. Process tree of Magniber being downloaded through Chrome

When the user opens the downloaded [Magniber].cpl file, the legitimate Windows process control.exe launches rundll32.exe to load the CPL file. A .cpl file is a DLL (a PE file with a Control Panel entry point), so the ransomware code runs inside rundll32.exe, a signed Windows binary, without any custom loader.
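The process tree above is the hunting artifact a defender can act on: control.exe spawning rundll32.exe with Shell32.dll,Control_RunDLL and a .cpl path that sits in a browser download folder or in the Temp folder where Edge extracts a ZIP, rather than under System32. The following is an added detection example, not code from the ASEC post; the event field names, file paths, user name and command lines are constructed to resemble process-creation telemetry (Sysmon Event ID 1 style) and are assumptions for illustration.

```python
"""Flag Control Panel (.cpl) items launched from user-writable locations.

Added example, not code from the ASEC post. It applies the process tree the
post describes (control.exe -> rundll32.exe loading a .cpl downloaded by the
browser) to constructed process-creation events. Field names, paths and the
user name are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Folders a browser download or an archive extraction lands in. A .cpl that
# ships with Windows lives under %SystemRoot%\System32 instead.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE
)

# Windows hands a double-clicked .cpl to control.exe, which runs it through
# rundll32.exe Shell32.dll,Control_RunDLL <path>. Group 1 captures that path.
CONTROL_RUNDLL = re.compile(r'Control_RunDLL\s+"?([^"]+\.cpl)"?', re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the parent process


def cpl_path(ev: ProcEvent) -> Optional[str]:
    """Return the .cpl path if this event is rundll32.exe running a Control Panel item."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = CONTROL_RUNDLL.search(ev.command_line)
    return m.group(1) if m else None


def is_suspicious(ev: ProcEvent) -> bool:
    """True when control.exe launched rundll32.exe on a .cpl from a user-writable folder."""
    path = cpl_path(ev)
    if path is None:
        return False
    if not ev.parent_image.lower().endswith("\\control.exe"):
        return False
    return USER_WRITABLE.search(path) is not None


def triage(events: List[ProcEvent]) -> List[str]:
    """Return the .cpl paths of every suspicious launch, in event order."""
    return [cpl_path(ev) for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate: the user opened Mouse settings from the Control Panel.
    ProcEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\main.cpl",Mouse',
        parent_image=r"C:\Windows\System32\control.exe",
    ),
    # Chrome case from the post: .cpl opened straight from Downloads.
    ProcEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\victim\Downloads\MS.Upgrade.Database.Cloud.cpl",',
        parent_image=r"C:\Windows\System32\control.exe",
    ),
    # Edge case from the post: .cpl extracted from the .zip into Temp first.
    ProcEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\victim\AppData\Local\Temp\Temp1_MS.Upgrade.Database.Cloud.zip\MS.Upgrade.Database.Cloud.cpl",',
        parent_image=r"C:\Windows\System32\control.exe",
    ),
    # rundll32 with an unrelated DLL from explorer: not a Control Panel launch.
    ProcEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe C:\Users\victim\Downloads\x.dll,Start",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for p in triage(SAMPLE_EVENTS):
        print("suspicious .cpl launch:", p)
```

The Temp-folder pattern matters because the Edge variant never writes a .cpl into Downloads: the user opens the ZIP in Explorer and the extracted file is executed from a temporary folder, so a rule keyed only on Downloads would miss it. Tune the folder list to the environment and pair it with the file hash from the IOC section for confirmation.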

Figure 7. Ransom note of Magniber

Magniber is currently distributed via typosquatting, which relies on users mistyping a domain name, and targets Chrome and Edge users on the latest Windows version. Because a mistyped domain alone can lead to the ransomware being downloaded, extra caution is required.

AhnLab is currently responding to Magniber as shown in the following:

[IOC]
[File Detection]
Ransomware/Win.Magniber.C5211694 (2022.07.20.02)

[.cpl MD5]
C49DD67AFB59A85FBCBC77C412338255

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Change in Magniber Ransomware (*.msi → *.cpl) – July 20th appeared first on ASEC BLOG.
