Since February 2022, Magniber has been using a Windows installer package file (.msi) instead of IE browser vulnerability for its distribution.
The ransomware includes a valid certificate and was distributed as DLL form inside the MSI file. However, starting from July 20th (Wednesday), it is now being distributed as a CPL file extension instead of MSI.
As the cases of using an MSI file for distribution are decreasing, the attacker of Magniber likely has changed the method of distribution.
(July 19th, 2022) MS.Upgrade.Database.Cloud.msi
(July 20th, 2022) MS.Upgrade.Database.Cloud.cpl (Chrome)
(July 20th, 2022) MS.Upgrade.Database.Cloud.zip (Edge)
The CPL file is directly downloaded in Chrome. For Edge, it is distributed as a compressed zip file since downloading CPL files are blocked in the browser.
The attacker originally distributed the ransomware through .cpl files in Edge. Once the download was blocked, the file was quickly changed to .zip file for distribution.
When users open the downloaded [Magniber].cpl file, a Windows normal process named control.exe runs the cpl file using rundll32.exe.
Magniber is currently being distributed in a typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domains, extra caution is required.
AhnLab is currently responding to Magniber as shown in the following:
[IOC]
[File Detection]
Ransomware/Win.Magniber.C5211694 (2022.07.20.02)
[.cpl MD5]
C49DD67AFB59A85FBCBC77C412338255
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Change in Magniber Ransomware (*.msi → *.cpl) – July 20th appeared first on ASEC BLOG.
Article Link: Change in Magniber Ransomware (*.msi → *.cpl) - July 20th - ASEC BLOG