The Magniber ransomware has recently been evolving rapidly. Its file extension, injection method, and UAC bypassing technique have all been changed repeatedly to evade detection by anti-malware software. This article summarizes the evolution of the Magniber ransomware over the last few months, based on analyses that were previously performed.
Table 1 shows the major characteristics of the distributed Magniber ransomware files by date. It was distributed with five different file extensions (msi, cpl, jse, js, wsf) over the course of four months, and in September alone the file extension changed four times (cpl -> jse -> js -> wsf -> msi).
| Date | Extension | Execution Process | Encryption Process | Recovery Environment Deactivation Process | Recovery Environment Deactivation (UAC Bypassing) |
|---|---|---|---|---|---|
| 2022-05-07 | msi | msiexec.exe | msiexec.exe | regsvr32.exe | Modifies the registry value referenced upon execution of fodhelper.exe (HKCU:\Software\Classes\ms-settings\shell\open\command) |
| 2022-06-14 | msi | msiexec.exe | Running process (injection) | regsvr32.exe | Modifies the registry value referenced upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-07-20 | cpl | rundll32.exe | rundll32.exe | X (none) | X (none) |
| 2022-08-08 | cpl | rundll32.exe | Running process (injection) | wscript.exe | Modifies the registry value referenced upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-09-08 | jse | wscript.exe | Running process (injection) | wscript.exe | Modifies the registry value referenced upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-09-16 | js | wscript.exe | Running process (injection) | wscript.exe | Modifies the registry value referenced upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-09-28 | wsf | wscript.exe | Running process (injection) | wscript.exe | Modifies the registry value referenced upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
| 2022-09-30 | msi | msiexec.exe | Running process (injection) | wscript.exe | Modifies the registry value referenced upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) |
Figure 1 shows the Magniber ransomware file distributed on May 7th, 2022. It was distributed with the MSI file extension and executed by msiexec.exe, which performed the file encryption itself. After encryption, it deactivates the Windows 10 recovery environment. A UAC bypassing technique is used so that the command deactivating the recovery environment runs successfully: the malware changes the registry value (HKCU:\Software\Classes\ms-settings\shell\open\command) that fodhelper.exe, which runs at a high privilege level, reads as a command to execute.
Afterwards, the sample from June 14th showed a change where the ransomware payload was injected into normal processes in order to vary the process that performs file encryption, the main behavior of the ransomware (see Figure 2). Also, the UAC bypassing technique used to disable the Windows 10 recovery environment now uses a custom ProgID, so that the registry value referenced by fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command) is variable rather than fixed. This is more useful for evading detection than changing the fixed registry value (HKCU:\Software\Classes\ms-settings\shell\open\command).
Figure 3 shows the file distributed on July 20th. As shown in the picture, the file format changed from MSI (Windows installation package file) to CPL (Windows Control Panel item). In the file collected at the time, encryption was performed by rundll32.exe itself, and the malware was not found to deactivate the Windows 10 recovery environment.
In the file distributed on August 8th, an injection feature was added, so that encryption is performed by the running processes into which the payload is injected. Also, a command that disables the Windows 10 recovery environment was added. For the UAC bypassing method, a custom ProgID was again used to change the variable registry value (HKCU:\Software\Classes\(custom progID)\shell\open\command). An additional characteristic of this version is that the command stored in the registry value was changed from the previous regsvr32 execution syntax to a wscript execution syntax. Accordingly, the command that deactivates the Windows 10 recovery environment was executed by wscript.exe.
Figure 5 shows the file distributed on September 8th, which changed format again in just a month. The previous CPL format was replaced by the JSE (script) format: initial execution starts with wscript.exe, after which the payload inside wscript.exe injects the ransomware into running processes, so that file encryption is carried out from an arbitrary running process. As shown in Table 1, the attacker changed the file extension at short intervals, from September 8th (.jse) to September 16th (.js), and then to September 28th (.wsf).
The file distributed on September 30th was changed back to the MSI format that had been used previously. Although it resembles the file distributed on June 14th, the command that deactivates the Windows 10 recovery environment still uses wscript instead of the earlier regsvr32.
The ASEC analysis team has examined the Magniber ransomware files distributed in each time period. In the month of September alone, the format changed four times (cpl -> jse -> js -> wsf -> msi). Frequent changes were also made to the injection method, the UAC bypassing technique, and the deactivation of the Windows 10 recovery environment, for the purpose of evading detection.
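The registry and process pattern described above (a shell\open\command value written under HKCU:\Software\Classes\ms-settings or under a custom ProgID, later consumed by fodhelper.exe, with the command switching from regsvr32 to wscript) can be hunted for in endpoint telemetry. The script below is an added example written for this article, not ASEC's code or the detection logic of any product. It runs over constructed Sysmon-style events (the event shape, SIDs, file paths and ProgID name are all made up for the example; Sysmon reports HKCU as HKU\<SID>, so both spellings are accepted) and flags the two registry variants from Table 1 plus a script or regsvr32 host spawned by fodhelper.exe.

```python
"""Hunt for fodhelper.exe UAC-bypass indicators in Sysmon-style events.
Added example for this article, not ASEC's code. The events below are
constructed for the example and are not real telemetry."""
import re
from dataclasses import dataclass

# Hosts Magniber placed in the command value: regsvr32.exe first, wscript.exe later.
COMMAND_HOSTS = ("regsvr32.exe", "wscript.exe")

# HKCU\Software\Classes\<ProgID>\shell\open\command, accepting Sysmon's HKU\<SID> form.
COMMAND_KEY_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Classes\\(?P<progid>[^\\]+)\\shell\\open\\command(?:\\|$)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def check_registry_event(event):
    """Flag a 'registry value set' event that writes a shell\\open\\command
    entry in the place fodhelper.exe reads it from."""
    match = COMMAND_KEY_RE.match(event["target"])
    if not match:
        return None
    progid = match.group("progid")
    details = event["details"].lower()
    if progid.lower() == "ms-settings":
        # Fixed key consulted by fodhelper.exe (May 7 variant pattern).
        return Finding("fodhelper_ms-settings_command", event["image"], event["target"])
    if any(host in details for host in COMMAND_HOSTS):
        # Custom ProgID whose command launches a script/regsvr32 host (June 14 and later).
        return Finding("fodhelper_custom_progid_command", event["image"],
                       f"{progid}: {event['details']}")
    return None


def check_process_event(event):
    """Flag fodhelper.exe spawning one of the command hosts (post-bypass execution)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    if parent == "fodhelper.exe" and child in COMMAND_HOSTS:
        return Finding("fodhelper_spawned_host", event["image"], event["command_line"])
    return None


def hunt(events):
    """Return all findings for a list of events; 'reg' = value set, 'proc' = process create."""
    findings = []
    for ev in events:
        f = check_registry_event(ev) if ev["kind"] == "reg" else check_process_event(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events (hypothetical SID, paths and ProgID name).
SAMPLE_EVENTS = [
    {"kind": "reg", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\shell\open\command\(Default)",
     "details": r"regsvr32.exe /s C:\Users\Public\EXAMPLE_PAYLOAD.dll"},
    {"kind": "reg", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKCU\Software\Classes\exampleprogid\shell\open\command\(Default)",
     "details": r"wscript.exe C:\Users\Public\EXAMPLE_SCRIPT.js"},
    {"kind": "reg", "image": r"C:\Windows\explorer.exe",      # benign file association
     "target": r"HKCU\Software\Classes\txtfile\shell\open\command\(Default)",
     "details": r"%SystemRoot%\system32\NOTEPAD.EXE %1"},
    {"kind": "proc", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe",
     "command_line": r"wscript.exe C:\Users\Public\EXAMPLE_SCRIPT.js"},
    {"kind": "proc", "image": r"C:\Windows\System32\wscript.exe",  # benign: user-launched script
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Users\victim\logon.vbs"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image}: {finding.detail}")
```

The registry rules are the durable signal here: Table 1 shows the file extension and execution host changing month to month, while every sample with recovery-environment deactivation writes a shell\open\command value that fodhelper.exe will read. The process rule catches the same bypass from the other side, regardless of which file format delivered it.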
Currently, AhnLab is responding to the Magniber ransomware not only with file detection but also with various other detection methods. Thus, it is recommended that users enable the Process Memory Scan and Malicious Script Detection (AMSI) options under [V3 Preferences] – [PC Scan Settings].
These rapidly evolving versions of the Magniber ransomware are distributed via typosquatting, which exploits typos made when entering domain names, and mainly target Chrome and Edge users. Because users may download the ransomware simply by entering an incorrect domain, extra caution is required.
[IOC]
250a23219a576180547734430d71b0e6
d675958d39e44b310e4e57f4e4f9bc12
0fa83ec90f3f0d0cbab106e69f6dce52
2c54fad7d4632a1a94608444cc2acf38
7b76b698e90df66d4f4bbecf24c95325
8594ed7991a1a041764344a5713ef7d4
Script File Detection
Ransomware/WSF.Magniber (2022.09.28.02)
Ransomware/VBA.Magniber.S1928 (2022.10.05.00)
Ransomware/VBA.Magniber.S1939 (2022.10.13.00)
Process Memory Detection
Ransomware/Win.Magniber.XM153 (2022.09.15.03)
AMSI Detection (.NET DLL)
Ransomware/Win.Magniber.R528971 (2022.10.14.00)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post "Rapidly Evolving Magniber Ransomware" appeared first on ASEC BLOG.