On November 7th, the ASEC analysis team published a blog post on the Magniber ransomware, which attempted to bypass MOTW (Mark of the Web). Afterward, using the data left in the Zone.Identifier stream, we investigated the sources used to distribute Magniber.
In the typosquatting method, which exploits typing mistakes, a user who accesses a mistyped domain is redirected to an advertisement page, after which the MSI file (Magniber) is downloaded. Examining the Zone.Identifier created at this stage reveals the URL from which the file was downloaded, as shown below.
Figure 1. Zone.Identifier identified when Magniber was collected
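As an added illustration (not code from the ASEC post), the following Python parser reads a Zone.Identifier stream, extracts ZoneId, ReferrerUrl and HostUrl, and returns the hostnames used to pivot on distribution infrastructure as described above; the sample stream and its URLs are constructed placeholders, and `read_mark_of_the_web` only works on NTFS where the alternate data stream exists.

```python
from urllib.parse import urlsplit

# Constructed sample Zone.Identifier stream (the Mark of the Web that Windows
# writes as an NTFS alternate data stream); the URLs are placeholders.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://typo-ads.example/land?x=1
HostUrl=https://dl.example.net/files/setup.msi
"""

ZONE_NAMES = {0: "Local machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

def parse_zone_identifier(text):
    """Parse the [ZoneTransfer] key=value lines; None if there is no usable ZoneId."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    try:
        zone = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    return {"zone_id": zone, "zone_name": ZONE_NAMES.get(zone, "Unknown"),
            "referrer": fields.get("ReferrerUrl"), "host": fields.get("HostUrl")}

def distribution_hosts(info):
    """Hostnames from ReferrerUrl/HostUrl, in order, deduplicated: the pivot used in the post."""
    hosts = []
    for url in (info.get("referrer"), info.get("host")):
        host = urlsplit(url).hostname if url else None
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def read_mark_of_the_web(path):
    """Read the ADS of a file on NTFS; None means no MOTW (absent, stripped or never written)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None
```

A missing stream on a downloaded file is itself a finding worth logging, since it is what an MOTW bypass leaves behind.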
Upon investigating the domains and IPs based on this, we identified that about 215 IP addresses and 511 domains were used during October and November.
Figure 2. IPs and domains used in the distribution of Magniber
Since a wide variety of domains is used to distribute the ransomware, they are registered and used through multiple domain registrars.
Currently, AhnLab blocks the identified IP addresses and URLs, and when the user activates the Block Harmful Websites option in V3 products, any access to Magniber distribution sites is blocked.
Figure 3. Blocking Magniber distribution sites
Because IP addresses and domains are reassigned over time, these resources may later be allocated to and used by legitimate users; in that case, they can file a report through the AhnLab customer center so that appropriate measures can be taken.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.