Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)

On the morning of February 22nd, the ASEC analysis team discovered that Magniber is being redistributed disguised as a normal Windows Installer package (MSI) instead of the Windows app package (APPX) used in the previous campaign. The distributed Magniber files carry the .msi extension and pose as Windows update files:

  • Critical.Update.Win10.0-kb4215776.msi
  • Critical.Update.Win10.0-kb6253668.msi
  • Critical.Update.Win10.0-kb5946410.msi

MSI is the Windows Installer package format, which is also used to deliver legitimate Windows updates. In this campaign the attacker embedded the Magniber ransomware DLL inside the MSI package.

Figure 1. Package containing the fup6xl85 binary (DLL)

Windows Installer supports custom actions, declared in the package's CustomAction table, that can call an exported function of a DLL stored inside the package (in its Binary table). The attacker abused this feature so that the Magniber DLL's export function is executed as soon as the MSI is run.

https://docs.microsoft.com/en-us/windows/win32/msi/custom-actions
Figure 2. Call to the k7167475hu export function of fup6xl85, as specified in the CustomAction table

Once the executed DLL has finished encrypting files, it drops an executable (PE file) that performs privilege escalation and volume shadow copy deletion to C:\Users\Public and runs it.

One thing to note is that the MSI file is signed with the same certificate that was used for the Windows app (APPX) file in the previous campaign.

Figure 3. Certificate information of Magniber
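The two observations above (a CustomAction entry that calls an export of a DLL embedded in the Binary table, and a reusable signing certificate) can be checked statically without ever executing the package. The script below is an added example, not code from the ASEC post or from AhnLab: it opens the MSI read-only through the Windows Installer automation (COM) API, lists every custom action, flags the Type 1 variant abused here (DLL from the Binary table; the Source column is the Binary key and the Target column is the exported function), shows where that action is sequenced, and prints the Authenticode signer so related samples can be grouped by certificate. The script name and its parameter are assumptions.

```powershell
# Added example (not from the ASEC post): static triage of a suspicious .msi.
# Usage (Windows, read-only, the package is never executed):
#   .\Get-MsiCustomActions.ps1 -MsiPath .\Critical.Update.Win10.0-kb4215776.msi
param([Parameter(Mandatory = $true)][string]$MsiPath)

# WindowsInstaller.Installer is a late-bound COM object, so every call goes
# through InvokeMember. ($Params is deliberately not named $args.)
function Invoke-Com($Object, $Name, $Kind, $Params) {
    return $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Params)
}
function Get-RecString($Rec, $Index) { [string](Invoke-Com $Rec 'StringData' 'GetProperty' @($Index)) }
function Get-RecSize($Rec, $Index)   { [int](Invoke-Com $Rec 'DataSize' 'GetProperty' @($Index)) }

# Run an MSI SQL query and project each fetched Record through $Project.
function Get-MsiRows($Db, $Sql, [scriptblock]$Project) {
    $view = Invoke-Com $Db 'OpenView' 'InvokeMethod' @($Sql)
    [void](Invoke-Com $view 'Execute' 'InvokeMethod' $null)
    $rows = @()
    while ($true) {
        $rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null
        if ($null -eq $rec) { break }
        $rows += & $Project $rec
    }
    [void](Invoke-Com $view 'Close' 'InvokeMethod' $null)
    return ,$rows
}

# CustomAction.Type: bits 0-2 select what is executed, bits 4-5 where it comes from.
# Type 1 (DLL + Binary table) is the combination used by the Magniber package.
$KindNames   = @{ 1 = 'DLL'; 2 = 'EXE'; 3 = 'TextData'; 5 = 'JScript'; 6 = 'VBScript'; 7 = 'NestedMSI' }
$SourceNames = @{ 0x00 = 'Binary table'; 0x10 = 'installed file'; 0x20 = 'Directory'; 0x30 = 'Property' }

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path -LiteralPath $MsiPath).Path
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)   # 0 = msiOpenDatabaseModeReadOnly

$actions = @()
try {
    $actions = Get-MsiRows $db 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`' {
        param($r)
        $type = [int](Get-RecString $r 2)
        [pscustomobject]@{
            Action = Get-RecString $r 1
            Type   = $type
            Kind   = $KindNames[($type -band 0x7)]
            From   = $SourceNames[($type -band 0x30)]
            Source = Get-RecString $r 3   # for Type 1: key into the Binary table (the embedded DLL)
            Target = Get-RecString $r 4   # for Type 1: name of the exported function to call
            DllExportFromBinary = (($type -band 0x37) -eq 0x01)
        }
    }
} catch { Write-Host 'No CustomAction table in this package.' }

# Sequence tables show whether the action is scheduled at all, and how early.
$sequence = @()
foreach ($table in 'InstallUISequence', 'InstallExecuteSequence') {
    try {
        $sequence += Get-MsiRows $db "SELECT ``Action``, ``Condition``, ``Sequence`` FROM ``$table``" {
            param($r)
            [pscustomobject]@{ Table = $table; Action = Get-RecString $r 1; Condition = Get-RecString $r 2; Sequence = [int](Get-RecString $r 3) }
        }
    } catch { }   # table absent in this package
}

# Binary table: embedded payloads and their sizes (the stream itself is not read here).
$binaries = @()
try {
    $binaries = Get-MsiRows $db 'SELECT `Name`, `Data` FROM `Binary`' {
        param($r)
        [pscustomobject]@{ Name = Get-RecString $r 1; Bytes = Get-RecSize $r 2 }
    }
} catch { }

$actions | Format-Table Action, Type, Kind, From, Source, Target, DllExportFromBinary -AutoSize
foreach ($a in ($actions | Where-Object DllExportFromBinary)) {
    $bin  = $binaries | Where-Object Name -eq $a.Source
    $when = ($sequence | Where-Object Action -eq $a.Action | ForEach-Object { "$($_.Table)#$($_.Sequence)" }) -join ', '
    if (-not $when) { $when = 'none (not scheduled)' }
    $msg = "[!] {0}: calls export '{1}' of embedded DLL '{2}' ({3} bytes); sequenced in: {4}"
    Write-Host ($msg -f $a.Action, $a.Target, $a.Source, $bin.Bytes, $when)
}

# Same-certificate reuse across the APPX and MSI campaigns shows up here as the same thumbprint.
$sig = Get-AuthenticodeSignature -FilePath $fullPath
Write-Host ('Signature status: {0}; signer: {1}; thumbprint: {2}' -f $sig.Status, $sig.SignerCertificate.Subject, $sig.SignerCertificate.Thumbprint)
```

The Type mask 0x37 keeps only the "what" and "where" bits, so deferred, no-impersonate and other flag bits in the Type column do not hide a Type 1 action. To pull the DLL itself out for hashing or sandboxing, the Binary table streams can be extracted with 7-Zip, which lists them as Binary.<Name>.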

Magniber is currently being distributed through typosquatting, which exploits typos made when entering domain names, and it targets Chrome and Edge users on the latest Windows versions. Since a mistyped domain can lead to downloading the ransomware, extra caution is required. The attacker is also distributing Magniber to users of older Internet Explorer versions by reusing the CVE-2021-40444 vulnerability explained in previous blog posts, so users should refrain from visiting websites from unknown sources.

AhnLab is currently responding to Magniber as follows:

[IOC]
[Magniber dll Creation Path]
– C:\Windows\Installer\MSI[Random 4 digits].tmp

[Magniber exe Creation Path]
– C:\Users\Public\[Random File Name].exe

[Magniber dll File Detection]
– Ransomware/Win.Generic.C4978350 (2022.02.22.03)

[Magniber msi File Detection]
– Ransomware/MSI.Magniber (2022.02.24.01)

[Magniber exe File Detection]
– Ransomware/Win.Magniber.C4979399 (2022.02.25.00)

[Magniber Privilege Escalation Behavior Detection]
– Escalation/MDP.Magniber.M4217 (2022.02.25.03)

[Magniber dll MD5]
41f2bb0eb5c9731931748894c8bba581
5523c42788189336b50e00338676dc31
7822d28811afd739006b73db15d2b5a2
30665fb2dffafe5d7e3cfab4cf4d79dc
b6169c34b6eef8ebe21ae10904967385
0dfe349ff646b008b7ce6a8104f6e8c5
5efae9ad4bc66f7be01eca20277858aa
30a5ef2f39530eb3ffe61cb8153650e2
56cabf4dcdc963c8efd8dd4969825724
406e382d80ce29d0f0f02a9b1a258d40
166402b5dfa0717dfdc00702910ff354
fd4c042ef1e26410121b069744daf19d
1c09a97b26fff2465692df0a5cafc4e0
74d3f742a0110d11786e27ea3c6a4b59
78412c65ac9a1954f373961c0ddbc9ef
d9a63429fefa067c0ece510e6e22e1a4
dfdddf236603918bf4359716412c97fb

[Magniber msi MD5]
d417420973f452e41d9d5709fc76f8dd
f49194f0e8ced22850d91f231829d877
93425b7d09d179450b92f91b0942ef0b
37ebfc01406f7cde2741b3b73e77b991
b3ece680f2d56d0ce3d95f97dd36487b

[Magniber Privilege Escalation and Volume Shadow executable File MD5]
48c1b6749e85996dd8ce5f4fdd2409ee
07383337456b932e0a968d8c47372b8e
8e9928cd833340feda92d92155d2b0f3
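The creation paths and hash lists above can be turned directly into a host hunt. The script below is an added example, not code from the ASEC post or from AhnLab: it walks the two creation paths listed in the IOC section, compares each file's MD5 with the published lists, and pulls the MsiInstaller transaction events that record which .msi files were actually started. The Downloads-folder check for the three update-themed file names, the assumption that the Application log has not been cleared, and the function names are mine.

```powershell
# Added example (not from the ASEC post): hunt a host for the IOCs listed above.
# Run as Administrator so that C:\Windows\Installer is readable.

# Hash lists copied from the IOC section; the section headers become the label.
$IocLines = @'
# Magniber dll MD5
41f2bb0eb5c9731931748894c8bba581
5523c42788189336b50e00338676dc31
7822d28811afd739006b73db15d2b5a2
30665fb2dffafe5d7e3cfab4cf4d79dc
b6169c34b6eef8ebe21ae10904967385
0dfe349ff646b008b7ce6a8104f6e8c5
5efae9ad4bc66f7be01eca20277858aa
30a5ef2f39530eb3ffe61cb8153650e2
56cabf4dcdc963c8efd8dd4969825724
406e382d80ce29d0f0f02a9b1a258d40
166402b5dfa0717dfdc00702910ff354
fd4c042ef1e26410121b069744daf19d
1c09a97b26fff2465692df0a5cafc4e0
74d3f742a0110d11786e27ea3c6a4b59
78412c65ac9a1954f373961c0ddbc9ef
d9a63429fefa067c0ece510e6e22e1a4
dfdddf236603918bf4359716412c97fb
# Magniber msi MD5
d417420973f452e41d9d5709fc76f8dd
f49194f0e8ced22850d91f231829d877
93425b7d09d179450b92f91b0942ef0b
37ebfc01406f7cde2741b3b73e77b991
b3ece680f2d56d0ce3d95f97dd36487b
# Magniber privilege escalation / volume shadow deletion exe MD5
48c1b6749e85996dd8ce5f4fdd2409ee
07383337456b932e0a968d8c47372b8e
8e9928cd833340feda92d92155d2b0f3
'@

$KnownMd5 = @{}
$label = ''
foreach ($line in $IocLines -split "`n") {
    $line = $line.Trim()
    if ($line -match '^#\s*(.+)$') { $label = $Matches[1]; continue }
    if ($line -match '^[0-9a-f]{32}$') { $KnownMd5[$line] = $label }
}

function Get-Md5Lower([string]$Path) {
    (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLowerInvariant()
}

function Find-MagniberArtifacts {
    $candidates = @()
    # Windows Installer writes a Binary-table DLL to C:\Windows\Installer\MSI<4 hex chars>.tmp
    # while the custom action runs. Legitimate installs leave such files too, so only a
    # hash match is a hit; unknown hashes here are listed for context.
    $candidates += Get-ChildItem -LiteralPath 'C:\Windows\Installer' -Filter 'MSI*.tmp' -File -Force -ErrorAction SilentlyContinue
    # The dropped privilege-escalation / shadow-deletion PE lands in C:\Users\Public.
    $candidates += Get-ChildItem -LiteralPath 'C:\Users\Public' -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
    # Assumption: the update-themed MSI was saved to a user's Downloads folder.
    $candidates += Get-ChildItem -Path 'C:\Users\*\Downloads' -Filter 'Critical.Update.Win10.0-kb*.msi' -File -ErrorAction SilentlyContinue

    foreach ($f in $candidates) {
        try { $md5 = Get-Md5Lower $f.FullName } catch { continue }   # locked or unreadable
        $known = $KnownMd5[$md5]
        [pscustomobject]@{
            Path    = $f.FullName
            Created = $f.CreationTime
            Md5     = $md5
            Known   = $known
            # Any executable in C:\Users\Public, or any of the three lure names, deserves a look
            # even when its hash is not on the list (new builds are re-hashed per campaign).
            Verdict = $(if ($known) { 'MATCH' }
                        elseif ($f.DirectoryName -eq 'C:\Users\Public' -or $f.Extension -eq '.msi') { 'REVIEW' }
                        else { 'unknown' })
        }
    }
}

function Get-MsiTransactionEvents {
    # MsiInstaller event 1040 ("Beginning a Windows Installer transaction: <path>") records the
    # full path of every MSI that was started, even if the file has since been deleted.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1040 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Critical\.Update\.Win10\.0-kb\d+\.msi' } |
        Select-Object TimeCreated, Message
}

Find-MagniberArtifacts | Sort-Object Verdict | Format-Table -AutoSize
Get-MsiTransactionEvents | Format-List
```

The hash match is the only strong signal; MSI????.tmp files in C:\Windows\Installer are normal residue of any custom action, which is why the script reports them but only marks list hits as MATCH. The 1040 event is worth checking first on a machine whose files have already been encrypted, because it survives the cleanup of the lure .msi.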

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd) appeared first on ASEC BLOG.
