Ransomware Spotlight: Magniber




Magniber

By Trend Micro Research

The Magniber ransomware initially targeted only Asian countries when it was first detected in 2017. However, it resurfaced in 2021 and continues to operate today with expanded targets around the globe. Magniber remains a significant player in the threat landscape, with malicious attackers likely to continue using the ransomware in future.

View infographic of View infographic of "Ransomware Spotlight: Magniber"

Despite first being detected six years ago, malicious attackers continue to use the Magniber ransomware to compromise organizations. In October 2022, phishing attacks were reported to distribute the Magniber ransomware using standalone JavaScript files digitally signed with a malformed key, exploiting the zero-day vulnerability CVE-2022-44698 to bypass Mark-of-the-Web (MOTW) security warnings, and allowing malicious files to be executed without raising alerts. Microsoft later patched this vulnerability in December 2022.

Formerly known as a successor of Cerber, the Magniber ransomware was primarily distributed via the Magnitude exploit kit and exclusively targeted South Korea in 2017. In 2018, it expanded its targets across Asia using CVE-2018-8174 for initial access.

What organizations need to know about the Magniber ransomware


After its initial discovery in 2017, Magniber resurfaced in 2021. Although it still targeted Asian countries, we found it exploiting new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444, and most notably the PrintNightmare vulnerability, CVE-2021-34527.

As of writing, there are no known leak sites related to Magniber, which follows the ransomware-as-aservice (RaaS) business model but is not involved in the more talked-about and recent double-extortion ransomware campaigns.

Magniber was also previously known to use typosquatting, a technique that involves using domains similar to legitimate websites to lure users into downloading a ransomware payload. We also observed Magniber distributing itself through fake installers with APPX and MSI formats in the first quarter of 2022.

Attackers use the MSI CustomAction table to execute the Magniber ransomware by calling the export of the malicious DLL in the MSI package. The installer additionally drops the malicious binary file we detected as Fodscript, a piece of malware used for privileged escalation. Fodscript drops two script files: The first modifies the registry entries checked in by fodhelper.exe to manipulate it into executing the second script with high privilege. Afterward, it bypasses User Account Control (UAC) to delete volume shadow copies in the compromised machine.

We also observed Magniber posing as fake installers and Windows updates to lure users into selecting the malicious payload. Additionally, we observed that Magniber recently incorporated malformed digital signatures to bypass execution blocks by MOTW, thus allowing easy installation of the ransomware payload.

Though we have yet to encounter this tactic in cases we detected, the group behind Magniber was observed as using the COVID-19 surge in the last months of 2022 to distribute its payloads through COVID-19 file lures, alongside its aforementioned tactics. Magniber was also recently found bypassing MOTW and exploiting CVE-2022-44698 using a fake digital signature.

Top affected countries and industries
according to Trend Micro data

In this section, we examine the Magniber ransomware’s attempts to compromise organizations in 2022 based on Trend Micro™ Smart Protection Network™ country and regional data. It’s important to note that this data covers only Trend Micro customers and does not contain all victims of Magniber.

Malicious attackers behind Magniber started slow in 2022, with less than 20 attacks per month in the first quarter of the year. The attack attempts steadily increased as the year progressed, with attackers making the most of September 2022, which recorded the largest number of attack attempts at 1,482 detections. Attack attempts diminished during the last quarter of the year but remained high with 508 detections in December. The following figure details the total number of attempted attacks by Magniber in 2022.

A monthly breakdown of Magniber attack attempts in terms of infected machines in 2022

Figure 1. A monthly breakdown of Magniber attack attempts in terms of infected machines in 2022
Source: Trend Micro™ Smart Protection Network™


The highest number of Magniber attacks was detected in Taiwan with a total of 204 attack attempts, which makes up most of the attack attempt detections at approximately 76.1% of the total. South Korea, initially targeted by Magniber when it was first detected, has the second most attack attempts with a large margin at 15, followed by Australia with nine. Turkey and Japan follow with six detections each. Our data shows that Magniber has expanded its targets beyond Asian countries. Note that the data in Figure 2 is limited to feedback provided by customers, majority of whom preferred not to disclose their locations.

The top 10 countries with the highest number of attack attempts in terms of infected machines for the Magniber ransomware (Jan. 1, 2022 to Dec. 31, 2022)

Figure 2. The top 10 countries with the highest number of attack attempts in terms of infected machines for the Magniber ransomware (Jan. 1, 2022 to Dec. 31, 2022) Source: Trend Micro Smart Protection Network


Industry data, on the other hand, showed that educational organizations, the government, and manufacturing industries experienced the largest number of Magniber ransomware attack attempts, followed by the healthcare and technology industries. Other industries that experienced less attempted attacks were the energy, transportation, and real estate industries.

In total, there were 987 total detections of Magniber attack attempts across industries in 2022 from customer feedback detailing the industries in which they belong.

An industry breakdown of Magniber ransomware attack attempts in terms of infected machines (Jan. 1, 2022 to Dec. 31, 2022)

Figure 3. An industry breakdown of Magniber ransomware attack attempts in terms of infected machines (Jan. 1, 2022 to Dec. 31, 2022)
Source: Trend Micro Smart Protection Network

Infection chain and techniques

We found that the Magniber ransomware exploits different vulnerabilities, but while it uses a more straightforward kill chain compared to the newer double-extortion ransomware campaigns, its simplicity does not make it any less effective. The following figure details various vulnerabilities exploited to deliver its payload:

Vulnerabilities exploited to deliver Magniber ransomware

Figure 4. Vulnerabilities exploited to deliver Magniber ransomware


Initial Access


Command and Control

  • Magniber has the capability to send collected information to its command and control (C&C) and the payment browser.

Defense Evasion

  • Magniber injects itself to all processes except iexplore.exe and excluding system and processes not running in a WoW64 environment. The ransomware uses NtQuerySystemInformation API to obtain running processes in the machine.
  • Recent Magniber infections leverage fake installers (.msi) by calling the encrypted ransomware DLL through the CustomAction table, as well as the CPL file format to execute its payload.
  • Magniber uses a malformed digital signature block to bypass execution blocks by MOTW. Recently, it was found exploiting CVE-2022-44698 to bypass MOTW with a fake digital signature.
  • It uses a file detected as Fodscript that drops a script file to delete shadow copies from the target machine. 

Discovery

  • Magniber uses NtQuerySystemInformation API to obtain running processes in the machine.
  • It searches for specific files, folders, and attributes and encrypts them if they match its specified criteria.

Privilege Escalation

  • Magniber uses a file detected as Fodscript that drops two script files: One of the script files modifies the registry entries that fodhelper.exe checks in order to manipulate fodhelper.exe into executing the second script with high privilege and bypassing UAC.

Collection, Exfiltration

  • As of now, there are no data exfiltration and leaks being done by Magniber.

Impact

  • The final ransomware binary would then be deployed, thereby ensuring that files are encrypted in the machine. It also ensures that shadow copies are deleted to inhibit system recovery.
  • It initially encrypts target files via symmetric AES, then encrypts the AES symmetric key and IV via RSA using CryptoAPIs. It encrypts equal-size data blocks (1,048,576 bytes) per iteration until the final block is encrypted.
  • It appends the mutex name as its appended extension.
  • It can also delete shadow copies in the infected machine.


Other technical details

  • Magniber encrypts files with the following extensions:
    • .abm
    • .abs
    • .abw
    • .accdb
    • .act
    • .adn
    • .adp
    • .aes
    • .aft
    • .afx
    • .agif
    • .agp
    • .ahd
    • .ai
    • .aic
    • .aim
    • .albm
    • .alf
    • .ans
    • .apd
    • .apm
    • .apng
    • .aps
    • .apt
    • .apx
    • .arc
    • .art
    • .arw
    • .asc
    • .ase
    • .asf
    • .ask
    • .asm
    • .asp
    • .asw
    • .asy
    • .aty
    • .avi
    • .awdb
    • .awp
    • .awt
    • .aww
    • .azz
    • .bad
    • .bak
    • .bay
    • .bbs
    • .bdb
    • .bdp
    • .bdr
    • .bean
    • .bib
    • .bmp
    • .bmx
    • .bna
    • .bnd
    • .boc
    • .bok
    • .brd
    • .brk
    • .brn
    • .brt
    • .bss
    • .btd
    • .bti
    • .btr
    • .c
    • .ca
    • .cals
    • .can
    • .cd
    • .cdb
    • .cdc
    • .cdg
    • .cdmm
    • .cdmt
    • .cdmz
    • .cdr
    • .cdt
    • .cf
    • .cfu
    • .cgm
    • .cimg
    • .cin
    • .cit
    • .ckp
    • .class
    • .clkw
    • .cma
    • .cmx
    • .cnm
    • .cnv
    • .colz
    • .cpc
    • .cpd
    • .cpg
    • .cpp
    • .cps
    • .cpx
    • .crd
    • .crt
    • .crw
    • .cs
    • .csr
    • .csv
    • .csy
    • .ct
    • .cvg
    • .cvi
    • .cvs
    • .cvx
    • .cwt
    • .cxf
    • .cyi
    • .dad
    • .daf
    • .db
    • .dbc
    • .dbf
    • .dbk
    • .dbs
    • .dbt
    • .dbv
    • .dbx
    • .dca
    • .dcb
    • .dch
    • .dcr
    • .dcs
    • .dct
    • .dcx
    • .dd
    • .dds
    • .ded
    • .der
    • .dgn
    • .dgs
    • .dgt
    • .dhs
    • .dib
    • .dif
    • .dip
    • .diz
    • .djv
    • .djvu
    • .dmi
    • .dmo
    • .dnc
    • .dne
    • .doc
    • .docb
    • .docm
    • .docx
    • .docz
    • .dot
    • .dotm
    • .dotx
    • .dpp
    • .dpx
    • .dqy
    • .drw
    • .drz
    • .dsk
    • .dsn
    • .dsv
    • .dt
    • .dta
    • .dtsx
    • .dtw
    • .dv
    • .dvi
    • .dwg
    • .dx
    • .dxb
    • .dxf
    • .eco
    • .ecw
    • .ecx
    • .edb
    • .efd
    • .egc
    • .eio
    • .eip
    • .eit
    • .em
    • .emd
    • .emf
    • .emlx
    • .ep
    • .epf
    • .epp
    • .eps
    • .epsf
    • .eq
    • .erf
    • .err
    • .etf
    • .etx
    • .euc
    • .exr
    • .fa
    • .faq
    • .fax
    • .fb
    • .fbx
    • .fcd
    • .fcf
    • .fdf
    • .fdr
    • .fds
    • .fdt
    • .fdx
    • .fdxt
    • .fes
    • .fft
    • .fi
    • .fic
    • .fid
    • .fif
    • .fig
    • .fla
    • .flr
    • .flv
    • .fmv
    • .fo
    • .fodt
    • .fpos
    • .fpt
    • .fpx
    • .frm
    • .frt
    • .frx
    • .ftn
    • .fwdn
    • .fxc
    • .fxg
    • .fzb
    • .fzv
    • .gcdp
    • .gdb
    • .gdoc
    • .gem
    • .geo
    • .gfb
    • .gfie
    • .ggr
    • .gif
    • .gih
    • .gim
    • .gio
    • .glox
    • .gpd
    • .gpg
    • .gpn
    • .gro
    • .grob
    • .grs
    • .gsd
    • .gthr
    • .gtp
    • .gv
    • .gwi
    • .gz
    • .h
    • .hbk
    • .hdb
    • .hdp
    • .hdr
    • .hht
    • .his
    • .hp
    • .hpg
    • .hpi
    • .hs
    • .htc
    • .hwp
    • .hz
    • .ib
    • .ibd
    • .icn
    • .icon
    • .icpr
    • .idc
    • .idea
    • .idx
    • .igt
    • .igx
    • .ihx
    • .ii
    • .iiq
    • .imd
    • .info
    • .ink
    • .ipf
    • .ipx
    • .iso
    • .itdb
    • .itw
    • .iwi
    • .j
    • .jar
    • .jas
    • .java
    • .jbig
    • .jbmp
    • .jbr
    • .jfif
    • .jia
    • .jis
    • .jng
    • .joe
    • .jpe
    • .jpeg
    • .jpg
    • .jps
    • .jpx
    • .jrtf
    • .js
    • .jsp
    • .jtf
    • .jtx
    • .jw
    • .jxr
    • .kdb
    • .kdbx
    • .kdc
    • .kdi
    • .kdk
    • .kes
    • .ke
    • .kic
    • .klg
    • .knt
    • .kon
    • .kpg
    • .kwd
    • .lay
    • .lbm
    • .lbt
    • .ldf
    • .lgc
    • .lis
    • .lit
    • .ljp
    • .lmk
    • .lnt
    • .lrc
    • .lst
    • .ltr
    • .ltx
    • .lue
    • .luf
    • .lwo
    • .lwp
    • .lws
    • .lyt
    • .lyx
    • .ma
    • .mac
    • .man
    • .map
    • .maq
    • .mat
    • .max
    • .mb
    • .mbm
    • .mbox
    • .mdb
    • .mdf
    • .mdn
    • .mdt
    • .me
    • .mef
    • .mel
    • .mft
    • .mgcb
    • .mgmf
    • .mgmt
    • .mgmx
    • .mgtx
    • .mid
    • .min
    • .mkv
    • .mm
    • .mmat
    • .mnr
    • .mnt
    • .mos
    • .mov
    • .mpeg
    • .mpf
    • .mpg
    • .mpo
    • .mrg
    • .mrxs
    • .msg
    • .mud
    • .mwb
    • .mwp
    • .mx
    • .my
    • .myd
    • .myi
    • .ncr
    • .nct
    • .ndf
    • .nef
    • .nfo
    • .njx
    • .nlm
    • .now
    • .nrw
    • .nsf
    • .nyf
    • .nzb
    • .obj
    • .oce
    • .oci
    • .ocr
    • .odb
    • .odg
    • .odm
    • .odo
    • .odp
    • .ods
    • .odt
    • .of
    • .oft
    • .omf
    • .oplc
    • .oqy
    • .ora
    • .orf
    • .ort
    • .orx
    • .ost
    • .ota
    • .otg
    • .oti
    • .otp
    • .ots
    • .ott
    • .ovp
    • .ovr
    • .owc
    • .owg
    • .oyx
    • .ozb
    • .ozj
    • .ozt
    • .p
    • .pa
    • .pan
    • .pano
    • .pap
    • .paq
    • .pas
    • .pbm
    • .pcd
    • .pcs
    • .pdb
    • .pdd
    • .pdf
    • .pdm
    • .pds
    • .pdt
    • .pef
    • .pem
    • .pff
    • .pfi
    • .pfs
    • .pfv
    • .pfx
    • .pgf
    • .pgm
    • .phm
    • .php
    • .pic
    • .pict
    • .pix
    • .pjpg
    • .pjt
    • .plt
    • .pm
    • .pmg
    • .png
    • .pni
    • .pnm
    • .pntg
    • .pnz
    • .pobj
    • .pop
    • .pot
    • .potm
    • .potx
    • .ppam
    • .ppm
    • .pps
    • .ppsm
    • .ppsx
    • .ppt
    • .pptm
    • .pptx
    • .prt
    • .prw
    • .psd
    • .psdx
    • .pse
    • .psid
    • .psp
    • .pst
    • .psw
    • .ptg
    • .pth
    • .ptx
    • .pu
    • .pvj
    • .pvm
    • .pvr
    • .pwa
    • .pwi
    • .pwr
    • .px
    • .pxr
    • .pza
    • .pzp
    • .pzs
    • .qd
    • .qmg
    • .qpx
    • .qry
    • .qvd
    • .rad
    • .rar
    • .ras
    • .raw
    • .rb
    • .rctd
    • .rcu
    • .rd
    • .rdb
    • .rft
    • .rgb
    • .rgf
    • .rib
    • .ric
    • .riff
    • .ris
    • .rix
    • .rle
    • .rli
    • .rng
    • .rpd
    • .rpf
    • .rpt
    • .rri
    • .rs
    • .rsb
    • .rsd
    • .rsr
    • .rst
    • .rt
    • .rtd
    • .rtf
    • .rtx
    • .run
    • .rw
    • .rzk
    • .rzn
    • .saf
    • .sam
    • .sbf
    • .scad
    • .scc
    • .sch
    • .sci
    • .scm
    • .sct
    • .scv
    • .scw
    • .sdb
    • .sdf
    • .sdm
    • .sdoc
    • .sdw
    • .sep
    • .sfc
    • .sfw
    • .sgm
    • .sh
    • .sig
    • .skm
    • .sla
    • .sld
    • .sldm
    • .sldx
    • .slk
    • .sln
    • .sls
    • .smf
    • .sms
    • .snt
    • .sob
    • .spa
    • .spe
    • .sph
    • .spj
    • .spp
    • .spq
    • .spr
    • .sq
    • .sqb
    • .srw
    • .ssa
    • .ssk
    • .st
    • .stc
    • .std
    • .sti
    • .stm
    • .stn
    • .stp
    • .str
    • .stw
    • .sty
    • .sub
    • .suo
    • .svf
    • .svg
    • .svgz
    • .swf
    • .sxc
    • .sxd
    • .sxg
    • .sxi
    • .sxm
    • .sxw
    • .tab
    • .tar
    • .tbk
    • .tcx
    • .tdf
    • .tdt
    • .te
    • .tex
    • .text
    • .tgz
    • .thp
    • .tif
    • .tiff
    • .tlb
    • .tlc
    • .tm
    • .tmd
    • .tmv
    • .tmx
    • .tne
    • .tpc
    • .trm
    • .tvj
    • .udb
    • .ufr
    • .unx
    • .uof
    • .uop
    • .uot
    • .upd
    • .usr
    • .utxt
    • .vb
    • .vbr
    • .vbs
    • .vcd
    • .vct
    • .vdb
    • .vdi
    • .vec
    • .vm
    • .vmdk
    • .vmx
    • .vnt
    • .vob
    • .vpd
    • .vrm
    • .vrp
    • .vsd
    • .vsdm
    • .vsdx
    • .vsm
    • .vstm
    • .vstx
    • .vue
    • .vw
    • .wav
    • .wbk
    • .wcf
    • .wdb
    • .wgz
    • .wire
    • .wks
    • .wma
    • .wmdb
    • .wmv
    • .wn
    • .wp
    • .wpa
    • .wpd
    • .wpg
    • .wps
    • .wpt
    • .wpw
    • .wri
    • .wsc
    • .wsd
    • .wsh
    • .wtx
    • .x
    • .xar
    • .xd
    • .xdb
    • .xlc
    • .xld
    • .xlf
    • .xlgc
    • .xlm
    • .xls
    • .xlsb
    • .xlsm
    • .xlsx
    • .xlt
    • .xltm
    • .xltx
    • .xlw
    • .xps
    • .xwp
    • .xyp
    • .xyw
    • .ya
    • .ybk
    • .ym
    • .zabw
    • .zdb
    • .zdc
    • .zip
    • .zw


The following diagrams detail the Magniber ransomware infection chains we observed when malicious attackers exploit Internet Explorer, MSI installer, and JS, JSE, and WSF installer vulnerabilities.

Magniber ransomware infection chain involving the Internet Explorer memory corruption vulnerability

Figure 5. Magniber ransomware infection chain involving the Internet Explorer Memory Corruption Vulnerability

Magniber ransomware infection chain involving MSI installer

Figure 6. Magniber ransomware infection chain involving MSI installer

Magniber infection chain involving JS, JSE, and WSF installers

Figure 7. Magniber infection chain involving JS, JSE, and WSF installers

MITRE tactics and techniques

Initial AccessExecutionDefense EvasionDiscoveryCommand and ControlImpactResource Development

T1190 - Exploit Public-Facing Application
Has been observed to be exploiting the following vulnerabilities for initial access:
• Magnitude exploit kit
 • CVE-2016-0189
 • CVE-2018-8174
 • CVE-2019-1367
• Scripting Engine Memory Corruption Vulnerability (Internet Explorer)
 • CVE-2020-0968
• Internet Explorer Memory Corruption Vulnerability
 • CVE-2021-26411
• Remote code execution vulnerability in MSHTML (Internet Explorer)
 • CVE-2021-40444
• PrintNightmare
 • CVE-2021-34527

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Magniber uses cmd.exe to execute commands for execution.

T1047 - Windows Management Instrumentation
Magniber uses WMIC to delete shadow copies.

T1059.007 - Command and Scripting Interpreter: JavaScript
The new Magniber version is written in JSE/JS format and still tricks the user by masquerading as a legitimate installer/Windows update.

T1204 - User Execution
New Magniber versions use ZIP attachments containing the malicious payload.

T1203 - Exploitation for Client Execution
Magniber bypasses MOTW exploiting the following vulnerability using fake digital signatures:
 • CVE-2022-44698

T1218.010 - Signed Binary Proxy Execution: Regsvr32
Magniber uses regsvr32.exe and scrobj.dll commands to execute its dropped TXT file.

T1055.003 - Process Injection: Thread Execution Hijacking
Magniber injects into each process if the following criteria is met:
 • The process is not 
       iexplore.exe
 • Process integrity is less
      than SYSTEM
 • Process is not running in WoW64 environment (32-bit running in 64-bit OS)

T1140 - Deobfuscate/Decode Files or Information
The main payload and related strings are decrypted before execution.

T1112 - Modify Registry
Magniber modifies specific registries to execute shadow copy deletion.

T1218.007 - System Binary Proxy Execution: Msiexec
Recent Magniber infections leverage fake installers (.msi) by calling the encrypted ransomware DLL through the CustomAction table.

T1218.002 - System Binary Proxy Execution: Control Panel
New Magniber variants use CPL file format to execute their malicious payload.

T1036.005 - Masquerading: Match Legitimate Name or Location
Magniber masquerades as an update for Windows or MS upgrades to trick the user into executing the file.

T1620 - Reflective Code Loading
Magniber script variants are reflectively loaded in order to proceed with execution.

T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass
Magniber uses a malformed digital signature block to bypass execution blocks by MOTW.

T1083 - File and Directory Discovery
Magniber searches for files and directories for encryption.

T1135 - Network Share Discovery
Magniber encrypts files in network/remote drives.

T1057 - Process Discovery
Magniber uses NtQuerySystemInformation API to obtain running processes in the machine.

T1082 - System Information Discover
Magniber gathers the computer name of the affected machine, as well as the build number of the compromised windows operating system via the fixed offset [DS]:7FFE026C

T1071.001 - Application Layer Protocol: Web Protocols
Magniber appends the data gathered form the machine when connecting to the URL of the payment page.

T1490 - Inhibit System Recovery
Magniber then deletes volume shadow copies via WMIC and by modifying specific registry entries.

T1486 - Data Encrypted for Impact
It avoids encrypting files with the following folders:
 • documents and
      settings
 • appdata
 • local settings
 • sample music
 • sample pictures
 • sample videos
 • tor browser
 • recycle
 • windows
 • boot
 • intel
 • msocache
 • perflogs
 • program files
 • programdata
 • recovery
 • system volume
      information
 • winnt
Magniber also avoids encrypting the following files with file attributes:
• FILE_ATTRIBUTE_SYSTEM
• FILE_ATTRIBUTE_HIDDEN
• FILE_ATTRIBUTE_
READYONLY
• FILE_ATTRIBUTE_
TEMPORARY
• FILE_ATTRIBUTE_
VIRTUAL
It avoids encrypting the following folders with file attributes:
• FILE_ATTRIBUTE_
SYSTEM
• FILE_ATTRIBUTE_HIDDEN
• FILE_ATTRIBUTE_
ENCRYPTED
Magniber also avoids encrypting files with the following attributes:  
• FILE_ATTRIBUTE_SYSTEM
• FILE_ATTRIBUTE_HIDDEN
• FILE_ATTRIBUTE_
READYONLY
• FILE_ATTRIBUTE_
TEMPORARY
• FILE_ATTRIBUTE_
VIRTUAL
Magniber initially encrypts target files via symmetric AES, then encrypts the AES symmetric key and IV via RSA using CryptoAPIs. It encrypts equal-size data blocks (1,048,576 bytes) per iteration until the final block is encrypted.
It appends the mutex name as its appended extension.

T1608.005 - Stage Capabilities: Link Target
Magniber uses typosquatting to trick users into accessing the malicious payload.

Summary of malware, tools, and exploits used

Security teams must take not of and be on the lookout for the following tools and exploits typically used in Magniber ransomware attacks:

Exploits

  • CVE-2016-0189
  • CVE-2018-8174
  • CVE-2019-1367
  • CVE-2020-0968
  • CVE-2021-26411
  • CVE-2021-40444
  • CVE-2021-34527
  • CVE-2022-44698

Tools

  • WMI

Malware

  • Fodscript
Initial AccessExecutionDefense EvasionPrivilege EscalationImpact
  • CVE-2016-0189
  • WMI
  • Fodscript
  • Fodscript
  • Magniber ransomware
  • CVE-2018-8174
  • CVE-2022-44698
  • CVE-2019-1367
  • CVE-2020-0968
  • CVE-2021-26411
  • CVE-2021-40444
  • CVE-2021-34527

Recommendations

Given its continued activity in 2022, we can expect to see more of the Magniber ransomware in the future. As attackers continue to find ways to distribute its payloads and circumvent security warnings, organizations and their members must remain vigilant to prevent being compromised. We encourage organizations to remain on the lookout for the Magniber ransomware and continue monitoring its evolution to minimize the possibility of a successful attack.

To protect systems against the Magniber ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.

Here are some best practices that organizations can consider to help protect themselves from the Magniber ransomware infection:


Audit and inventory

  • Take an inventory of assets and data.
  • Identify authorized and unauthorized devices and software.
  • Audit event and incident logs.

Configure and monitor

  • Manage hardware and software configurations.
  • Grant admin privileges and access only when necessary to an employee’s role.
  • Monitor network ports, protocols, and services.
  • Activate security configurations on network infrastructure devices such as firewalls and routers.
  • Establish a software allowlist that only executes legitimate applications.

Patch and update

  • Conduct regular vulnerability assessments.
  • Perform patching or virtual patching for operating systems and applications.
  • Update software and applications to their latest versions.

Protect and recover

  • Implement data protection, back up, and recovery measures.
  • Enable multifactor authentication (MFA).

Secure and defend

  • Employ sandbox analysis to block malicious emails.
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
  • Discover early signs of an attack, such as the presence of suspicious tools in the system.
  • Use advanced detection technologies such as those powered by AI and machine learning.

Train and test

  • Regularly train and assess employees on security skills.
  • Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ - Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise (IOCs)

The IOCs for this article can be found here. Actual indicators might vary per attack.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.