Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)

The ASEC analysis team introduced the Magniber variants in the blog post of September 15th. Since September 16th, the Magniber ransomware script, while still JavaScript, has had its file extension changed from *.jse to *.js. Since Magniber switched to JavaScript on September 8th, its method of operation has also changed from the previous one: the JavaScript file currently being distributed contains a .NET DLL (see Figure 2) and injects the Magniber shellcode into currently running processes. The overall operation flow of the latest Magniber is shown in Figure 1.

Figure 1. Change in Magniber ransomware (*.cpl → *.jse) as of September 8th

Figure 2. .NET DLL that has Magniber shellcode included

The Magniber shellcode is embedded inside the .NET DLL, and the DLL's job is to inject that shellcode into multiple currently running processes. Figure 3 shows the code routine through which the shellcode is injected into a normal running process. As a result of this routine, a legitimate process already running on the user's system starts behaving as the ransomware, which is why file-based detection of the script alone is not sufficient.

Figure 3. Injection code routine of Magniber ransomware

V3 products detect and block the latest Magniber variants using Malicious Script Detection (AMSI) and Process Memory Scan.

Figure 4. V3 Settings (AMSI & Process Memory Scan)

AhnLab currently responds to the Magniber ransomware not only with file detection but also with several other detection methods. Users are therefore advised to turn on the Enable Process Memory Scan and Use Malicious Script Detection (AMSI) options under [V3 Settings] – [Scan Settings].

[IOC]
[MD5 (Detection Name)] – JavaScript File Detection
– f75c520810b136867a66b1c24f610a5b (Ransomware/JS.Magniber.S1915 (2022.09.15.03))

[Process Memory Scan]
– Ransomware/Win.Magniber.XM153 (2022.09.15.03)

[MD5 (Detection Name)] – AMSI Detection (.NET DLL)
– e59d7d6db1fcc8dfa57c244ebffc6de7 (Ransomware/Win.Magniber.R519329 (2022.09.15.02))
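As an added example that is not AhnLab's code and not part of the original post, the Python script below ties together the two observations on this page: the JavaScript dropper carries an embedded .NET DLL, and the IOC list above gives two MD5 hashes. It checks a file's MD5 against those hashes and, independently of the hash, flags .js/.jse files that contain a long base64 run decoding to a PE image ("MZ") with the .NET CLI metadata signature "BSJB", so it also catches re-packed variants whose hash differs. The 256-character base64 floor, the function names and the three sample scripts (SAMPLE_JS, BENIGN_JS, IMAGE_JS) are this example's own constructed assumptions, not something the post describes.

```python
"""Triage helper for the Magniber JScript dropper described above.

Added example, not AhnLab's code.  It (1) matches files against the MD5 IOCs
listed on the page and (2) flags .js/.jse files that embed a base64-encoded PE
image carrying the .NET CLI metadata signature "BSJB", which is what a JScript
dropper with an embedded .NET DLL looks like on disk.  SAMPLE_JS / BENIGN_JS /
IMAGE_JS are constructed test inputs, not real samples.
"""
import base64
import binascii
import hashlib
import re
from pathlib import Path
from typing import Optional

# MD5 hashes and detection names copied from the IOC section of the post.
IOC_MD5 = {
    "f75c520810b136867a66b1c24f610a5b": "Ransomware/JS.Magniber.S1915",
    "e59d7d6db1fcc8dfa57c244ebffc6de7": "Ransomware/Win.Magniber.R519329",
}

# A base64 run long enough to hold a PE (256 chars ~ 192 bytes is an assumed floor;
# raise it to cut noise from embedded images or fonts in legitimate scripts).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")
CLR_METADATA_SIG = b"BSJB"  # magic of the CLI metadata root in every .NET image


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ioc_match(data: bytes) -> Optional[str]:
    """Detection name from the post's IOC list if the hash matches, else None."""
    return IOC_MD5.get(md5_hex(data))


def _decode_lenient(blob: bytes) -> Optional[bytes]:
    """Decode a base64 run that may have lost its padding (e.g. string concatenation)."""
    core = blob.rstrip(b"=")
    if len(core) % 4 == 1:      # one dangling character can never decode
        core = core[:-1]
    try:
        return base64.b64decode(core + b"=" * (-len(core) % 4))
    except binascii.Error:
        return None


def embedded_dotnet_pe(script: bytes) -> list:
    """Return every decoded blob that is a PE image ('MZ') containing .NET metadata."""
    hits = []
    for m in B64_RUN.finditer(script):
        decoded = _decode_lenient(m.group(0))
        if decoded and decoded[:2] == b"MZ" and CLR_METADATA_SIG in decoded:
            hits.append(decoded)
    return hits


def triage_script(script: bytes) -> dict:
    """Combine the hash IOC check with the embedded-.NET heuristic for one script."""
    pes = embedded_dotnet_pe(script)
    return {
        "ioc": ioc_match(script),
        "embedded_dotnet": bool(pes),
        "pe_count": len(pes),
        "pe_md5": [md5_hex(pe) for pe in pes],   # hash the carried DLL separately
    }


def scan_dir(root: str) -> list:
    """Walk a directory and report .js/.jse files that hit either check."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in {".js", ".jse"}:
            continue
        verdict = triage_script(p.read_bytes())
        if verdict["ioc"] or verdict["embedded_dotnet"]:
            verdict["path"] = str(p)
            findings.append(verdict)
    return findings


# --- constructed inputs for the demo (not real malware) ---------------------
FAKE_DOTNET_PE = b"MZ\x90\x00" + b"\x00" * 200 + CLR_METADATA_SIG + b"\x00" * 40
SAMPLE_JS = (b'var payload = "' + base64.b64encode(FAKE_DOTNET_PE)
             + b'";\n// constructed: a script carrying an embedded assembly\n')
BENIGN_JS = b"function add(a, b) { return a + b; }\n"
IMAGE_JS = (b'var png = "' + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300)
            + b'";\n')   # long base64 that is not a PE must not be flagged

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for f in scan_dir(sys.argv[1]):
            print(f)
    else:
        for name, js in (("SAMPLE_JS", SAMPLE_JS), ("BENIGN_JS", BENIGN_JS), ("IMAGE_JS", IMAGE_JS)):
            print(name, triage_script(js))
```

Run it with a directory argument to sweep download folders for droppers, or with no argument to see the three constructed inputs triaged. The heuristic only sees plaintext: a script obfuscated so that the base64 is split into short chunks, or a .jse produced by Microsoft's Script Encoder, has to be de-obfuscated or decoded first. The `pe_md5` field is there so the carried DLL can be hashed on its own, which is the object the post's AMSI detection name refers to.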

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Article Link: Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan) - ASEC BLOG