In the morning of February 22nd, the ASEC analysis team has discovered the redistribution of Magniber that disguised itself as normal Windows Installers (MSI) instead of the previous Windows app (APPX) The distributed Magniber files have MSI as their extension, disguised as Windows update files.
MSI package files are install frameworks that are also used for normal Windows updates. The malware was distributed by including the Magniber ransomware DLL within the MSI package file.
By default, MSI provides a feature of DLL’s export function calling through the Custom Action table. The attacker exploited this feature to have the export function of Magniber executed when MSI is run.
When file encryption ends due to executed DLL, it drops executable (PE file) that performs privilege escalation and volume shadow deletion to”C:\Users\Public” and runs it.
One thing to note is that the malware has the same MSI file certificate used in the previous Windows app (APPX) file.
Magniber is currently being distributed in a typosquating method that exploits typos made when entering domains, and it is targeting Chrome and Edge users with the latest Windows version. As users may download ransomware by entering incorrect domain, extra caution is required. The attacker is also distributing Magniber to users with older Internet Explorer versions by reusing the CVE-2021-40444 vulnerability that was explained in previous blog posts, therefore, users should refrain from visiting websites of unknown sources.
AhnLab is currently responding to Magniber as shown in the following:
[Magniber dll Creation Path]
– C:\Windows\Installer\MSI[Random 4 digits].tmp
[Magniber exe Creation Path]
– C:\Users\Public\[Random File Name].exe
[Magniber dll File Detection]
– Ransomware/Win.Generic.C4978350 (2022.02.22.03)
[Magniber msi File Detection]
– Ransomware/MSI.Magniber (2022.02.24.01)
[Magniber exe File Detection]
– Ransomware/Win.Magniber.C4979399 (2022.02.25.00)
[Magniber Privilege Escalation Behavior Detection]
– Escalation/MDP.Magniber.M4217 (2022.02.25.03)
[Magniber dll MD5]
[Magniber msi MD5]
[Magniber Privilege Escalation and Volume Shadow executable File MD5]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd) appeared first on ASEC BLOG.
Article Link: Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd) - ASEC BLOG