Ransomware Spotlight: Magniber
The Magniber ransomware initially targeted only Asian countries when it was first detected in 2017. However, it resurfaced in 2021 and continues to operate today with expanded targets around the globe. Magniber remains a significant player in the threat landscape, with malicious attackers likely to continue using the ransomware in future.
View infographic of "Ransomware Spotlight: Magniber"
Despite first being detected six years ago, malicious attackers continue to use the Magniber ransomware to compromise organizations. In October 2022, phishing attacks were reported to distribute the Magniber ransomware using standalone JavaScript files digitally signed with a malformed key, exploiting the zero-day vulnerability CVE-2022-44698 to bypass Mark-of-the-Web (MOTW) security warnings, and allowing malicious files to be executed without raising alerts. Microsoft later patched this vulnerability in December 2022.
Formerly known as a successor of Cerber, the Magniber ransomware was primarily distributed via the Magnitude exploit kit and exclusively targeted South Korea in 2017. In 2018, it expanded its targets across Asia using CVE-2018-8174 for initial access.
What organizations need to know about the Magniber ransomware
After its initial discovery in 2017, Magniber resurfaced in 2021. Although it still targeted Asian countries, we found it exploiting new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444, and most notably the PrintNightmare vulnerability, CVE-2021-34527.
As of writing, there are no known leak sites related to Magniber, which follows the ransomware-as-aservice (RaaS) business model but is not involved in the more talked-about and recent double-extortion ransomware campaigns.
Magniber was also previously known to use typosquatting, a technique that involves using domains similar to legitimate websites to lure users into downloading a ransomware payload. We also observed Magniber distributing itself through fake installers with APPX and MSI formats in the first quarter of 2022.
Attackers use the MSI CustomAction table to execute the Magniber ransomware by calling the export of the malicious DLL in the MSI package. The installer additionally drops the malicious binary file we detected as Fodscript, a piece of malware used for privileged escalation. Fodscript drops two script files: The first modifies the registry entries checked in by fodhelper.exe to manipulate it into executing the second script with high privilege. Afterward, it bypasses User Account Control (UAC) to delete volume shadow copies in the compromised machine.
We also observed Magniber posing as fake installers and Windows updates to lure users into selecting the malicious payload. Additionally, we observed that Magniber recently incorporated malformed digital signatures to bypass execution blocks by MOTW, thus allowing easy installation of the ransomware payload.
Though we have yet to encounter this tactic in cases we detected, the group behind Magniber was observed as using the COVID-19 surge in the last months of 2022 to distribute its payloads through COVID-19 file lures, alongside its aforementioned tactics. Magniber was also recently found bypassing MOTW and exploiting CVE-2022-44698 using a fake digital signature.
Top affected countries and industries
according to Trend Micro data
In this section, we examine the Magniber ransomware’s attempts to compromise organizations in 2022 based on Trend Micro™ Smart Protection Network™ country and regional data. It’s important to note that this data covers only Trend Micro customers and does not contain all victims of Magniber.
Malicious attackers behind Magniber started slow in 2022, with less than 20 attacks per month in the first quarter of the year. The attack attempts steadily increased as the year progressed, with attackers making the most of September 2022, which recorded the largest number of attack attempts at 1,482 detections. Attack attempts diminished during the last quarter of the year but remained high with 508 detections in December. The following figure details the total number of attempted attacks by Magniber in 2022.
Figure 1. A monthly breakdown of Magniber attack attempts in terms of infected machines in 2022
Source: Trend Micro™ Smart Protection Network™
The highest number of Magniber attacks was detected in Taiwan with a total of 204 attack attempts, which makes up most of the attack attempt detections at approximately 76.1% of the total. South Korea, initially targeted by Magniber when it was first detected, has the second most attack attempts with a large margin at 15, followed by Australia with nine. Turkey and Japan follow with six detections each. Our data shows that Magniber has expanded its targets beyond Asian countries. Note that the data in Figure 2 is limited to feedback provided by customers, majority of whom preferred not to disclose their locations.
Figure 2. The top 10 countries with the highest number of attack attempts in terms of infected machines for the Magniber ransomware (Jan. 1, 2022 to Dec. 31, 2022) Source: Trend Micro Smart Protection Network
Industry data, on the other hand, showed that educational organizations, the government, and manufacturing industries experienced the largest number of Magniber ransomware attack attempts, followed by the healthcare and technology industries. Other industries that experienced less attempted attacks were the energy, transportation, and real estate industries.
In total, there were 987 total detections of Magniber attack attempts across industries in 2022 from customer feedback detailing the industries in which they belong.
Figure 3. An industry breakdown of Magniber ransomware attack attempts in terms of infected machines (Jan. 1, 2022 to Dec. 31, 2022)
Source: Trend Micro Smart Protection Network
Infection chain and techniques
We found that the Magniber ransomware exploits different vulnerabilities, but while it uses a more straightforward kill chain compared to the newer double-extortion ransomware campaigns, its simplicity does not make it any less effective. The following figure details various vulnerabilities exploited to deliver its payload:
Figure 4. Vulnerabilities exploited to deliver Magniber ransomware
Initial Access
- Magniber threat actors leverage different vulnerabilities for initial access such as the aforementioned Magnitude exploit kit (CVE-2016-0189, CVE-2018-8174, and CVE-2019-1367), the Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0968), the Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411), the Internet Explorer remote code execution (RCE) vulnerability in MSHTML (CVE-2021-40444), and PrintNightmare (CVE-2021-34527).
Command and Control
- Magniber has the capability to send collected information to its command and control (C&C) and the payment browser.
Defense Evasion
- Magniber injects itself to all processes except iexplore.exe and excluding system and processes not running in a WoW64 environment. The ransomware uses NtQuerySystemInformation API to obtain running processes in the machine.
- Recent Magniber infections leverage fake installers (.msi) by calling the encrypted ransomware DLL through the CustomAction table, as well as the CPL file format to execute its payload.
- Magniber uses a malformed digital signature block to bypass execution blocks by MOTW. Recently, it was found exploiting CVE-2022-44698 to bypass MOTW with a fake digital signature.
- It uses a file detected as Fodscript that drops a script file to delete shadow copies from the target machine.
Discovery
- Magniber uses NtQuerySystemInformation API to obtain running processes in the machine.
- It searches for specific files, folders, and attributes and encrypts them if they match its specified criteria.
Privilege Escalation
- Magniber uses a file detected as Fodscript that drops two script files: One of the script files modifies the registry entries that fodhelper.exe checks in order to manipulate fodhelper.exe into executing the second script with high privilege and bypassing UAC.
Collection, Exfiltration
- As of now, there are no data exfiltration and leaks being done by Magniber.
Impact
- The final ransomware binary would then be deployed, thereby ensuring that files are encrypted in the machine. It also ensures that shadow copies are deleted to inhibit system recovery.
- It initially encrypts target files via symmetric AES, then encrypts the AES symmetric key and IV via RSA using CryptoAPIs. It encrypts equal-size data blocks (1,048,576 bytes) per iteration until the final block is encrypted.
- It appends the mutex name as its appended extension.
- It can also delete shadow copies in the infected machine.
Other technical details
- Magniber encrypts files with the following extensions:
- .abm
- .abs
- .abw
- .accdb
- .act
- .adn
- .adp
- .aes
- .aft
- .afx
- .agif
- .agp
- .ahd
- .ai
- .aic
- .aim
- .albm
- .alf
- .ans
- .apd
- .apm
- .apng
- .aps
- .apt
- .apx
- .arc
- .art
- .arw
- .asc
- .ase
- .asf
- .ask
- .asm
- .asp
- .asw
- .asy
- .aty
- .avi
- .awdb
- .awp
- .awt
- .aww
- .azz
- .bad
- .bak
- .bay
- .bbs
- .bdb
- .bdp
- .bdr
- .bean
- .bib
- .bmp
- .bmx
- .bna
- .bnd
- .boc
- .bok
- .brd
- .brk
- .brn
- .brt
- .bss
- .btd
- .bti
- .btr
- .c
- .ca
- .cals
- .can
- .cd
- .cdb
- .cdc
- .cdg
- .cdmm
- .cdmt
- .cdmz
- .cdr
- .cdt
- .cf
- .cfu
- .cgm
- .cimg
- .cin
- .cit
- .ckp
- .class
- .clkw
- .cma
- .cmx
- .cnm
- .cnv
- .colz
- .cpc
- .cpd
- .cpg
- .cpp
- .cps
- .cpx
- .crd
- .crt
- .crw
- .cs
- .csr
- .csv
- .csy
- .ct
- .cvg
- .cvi
- .cvs
- .cvx
- .cwt
- .cxf
- .cyi
- .dad
- .daf
- .db
- .dbc
- .dbf
- .dbk
- .dbs
- .dbt
- .dbv
- .dbx
- .dca
- .dcb
- .dch
- .dcr
- .dcs
- .dct
- .dcx
- .dd
- .dds
- .ded
- .der
- .dgn
- .dgs
- .dgt
- .dhs
- .dib
- .dif
- .dip
- .diz
- .djv
- .djvu
- .dmi
- .dmo
- .dnc
- .dne
- .doc
- .docb
- .docm
- .docx
- .docz
- .dot
- .dotm
- .dotx
- .dpp
- .dpx
- .dqy
- .drw
- .drz
- .dsk
- .dsn
- .dsv
- .dt
- .dta
- .dtsx
- .dtw
- .dv
- .dvi
- .dwg
- .dx
- .dxb
- .dxf
- .eco
- .ecw
- .ecx
- .edb
- .efd
- .egc
- .eio
- .eip
- .eit
- .em
- .emd
- .emf
- .emlx
- .ep
- .epf
- .epp
- .eps
- .epsf
- .eq
- .erf
- .err
- .etf
- .etx
- .euc
- .exr
- .fa
- .faq
- .fax
- .fb
- .fbx
- .fcd
- .fcf
- .fdf
- .fdr
- .fds
- .fdt
- .fdx
- .fdxt
- .fes
- .fft
- .fi
- .fic
- .fid
- .fif
- .fig
- .fla
- .flr
- .flv
- .fmv
- .fo
- .fodt
- .fpos
- .fpt
- .fpx
- .frm
- .frt
- .frx
- .ftn
- .fwdn
- .fxc
- .fxg
- .fzb
- .fzv
- .gcdp
- .gdb
- .gdoc
- .gem
- .geo
- .gfb
- .gfie
- .ggr
- .gif
- .gih
- .gim
- .gio
- .glox
- .gpd
- .gpg
- .gpn
- .gro
- .grob
- .grs
- .gsd
- .gthr
- .gtp
- .gv
- .gwi
- .gz
- .h
- .hbk
- .hdb
- .hdp
- .hdr
- .hht
- .his
- .hp
- .hpg
- .hpi
- .hs
- .htc
- .hwp
- .hz
- .ib
- .ibd
- .icn
- .icon
- .icpr
- .idc
- .idea
- .idx
- .igt
- .igx
- .ihx
- .ii
- .iiq
- .imd
- .info
- .ink
- .ipf
- .ipx
- .iso
- .itdb
- .itw
- .iwi
- .j
- .jar
- .jas
- .java
- .jbig
- .jbmp
- .jbr
- .jfif
- .jia
- .jis
- .jng
- .joe
- .jpe
- .jpeg
- .jpg
- .jps
- .jpx
- .jrtf
- .js
- .jsp
- .jtf
- .jtx
- .jw
- .jxr
- .kdb
- .kdbx
- .kdc
- .kdi
- .kdk
- .kes
- .ke
- .kic
- .klg
- .knt
- .kon
- .kpg
- .kwd
- .lay
- .lbm
- .lbt
- .ldf
- .lgc
- .lis
- .lit
- .ljp
- .lmk
- .lnt
- .lrc
- .lst
- .ltr
- .ltx
- .lue
- .luf
- .lwo
- .lwp
- .lws
- .lyt
- .lyx
- .ma
- .mac
- .man
- .map
- .maq
- .mat
- .max
- .mb
- .mbm
- .mbox
- .mdb
- .mdf
- .mdn
- .mdt
- .me
- .mef
- .mel
- .mft
- .mgcb
- .mgmf
- .mgmt
- .mgmx
- .mgtx
- .mid
- .min
- .mkv
- .mm
- .mmat
- .mnr
- .mnt
- .mos
- .mov
- .mpeg
- .mpf
- .mpg
- .mpo
- .mrg
- .mrxs
- .msg
- .mud
- .mwb
- .mwp
- .mx
- .my
- .myd
- .myi
- .ncr
- .nct
- .ndf
- .nef
- .nfo
- .njx
- .nlm
- .now
- .nrw
- .nsf
- .nyf
- .nzb
- .obj
- .oce
- .oci
- .ocr
- .odb
- .odg
- .odm
- .odo
- .odp
- .ods
- .odt
- .of
- .oft
- .omf
- .oplc
- .oqy
- .ora
- .orf
- .ort
- .orx
- .ost
- .ota
- .otg
- .oti
- .otp
- .ots
- .ott
- .ovp
- .ovr
- .owc
- .owg
- .oyx
- .ozb
- .ozj
- .ozt
- .p
- .pa
- .pan
- .pano
- .pap
- .paq
- .pas
- .pbm
- .pcd
- .pcs
- .pdb
- .pdd
- .pdm
- .pds
- .pdt
- .pef
- .pem
- .pff
- .pfi
- .pfs
- .pfv
- .pfx
- .pgf
- .pgm
- .phm
- .php
- .pic
- .pict
- .pix
- .pjpg
- .pjt
- .plt
- .pm
- .pmg
- .png
- .pni
- .pnm
- .pntg
- .pnz
- .pobj
- .pop
- .pot
- .potm
- .potx
- .ppam
- .ppm
- .pps
- .ppsm
- .ppsx
- .ppt
- .pptm
- .pptx
- .prt
- .prw
- .psd
- .psdx
- .pse
- .psid
- .psp
- .pst
- .psw
- .ptg
- .pth
- .ptx
- .pu
- .pvj
- .pvm
- .pvr
- .pwa
- .pwi
- .pwr
- .px
- .pxr
- .pza
- .pzp
- .pzs
- .qd
- .qmg
- .qpx
- .qry
- .qvd
- .rad
- .rar
- .ras
- .raw
- .rb
- .rctd
- .rcu
- .rd
- .rdb
- .rft
- .rgb
- .rgf
- .rib
- .ric
- .riff
- .ris
- .rix
- .rle
- .rli
- .rng
- .rpd
- .rpf
- .rpt
- .rri
- .rs
- .rsb
- .rsd
- .rsr
- .rst
- .rt
- .rtd
- .rtf
- .rtx
- .run
- .rw
- .rzk
- .rzn
- .saf
- .sam
- .sbf
- .scad
- .scc
- .sch
- .sci
- .scm
- .sct
- .scv
- .scw
- .sdb
- .sdf
- .sdm
- .sdoc
- .sdw
- .sep
- .sfc
- .sfw
- .sgm
- .sh
- .sig
- .skm
- .sla
- .sld
- .sldm
- .sldx
- .slk
- .sln
- .sls
- .smf
- .sms
- .snt
- .sob
- .spa
- .spe
- .sph
- .spj
- .spp
- .spq
- .spr
- .sq
- .sqb
- .srw
- .ssa
- .ssk
- .st
- .stc
- .std
- .sti
- .stm
- .stn
- .stp
- .str
- .stw
- .sty
- .sub
- .suo
- .svf
- .svg
- .svgz
- .swf
- .sxc
- .sxd
- .sxg
- .sxi
- .sxm
- .sxw
- .tab
- .tar
- .tbk
- .tcx
- .tdf
- .tdt
- .te
- .tex
- .text
- .tgz
- .thp
- .tif
- .tiff
- .tlb
- .tlc
- .tm
- .tmd
- .tmv
- .tmx
- .tne
- .tpc
- .trm
- .tvj
- .udb
- .ufr
- .unx
- .uof
- .uop
- .uot
- .upd
- .usr
- .utxt
- .vb
- .vbr
- .vbs
- .vcd
- .vct
- .vdb
- .vdi
- .vec
- .vm
- .vmdk
- .vmx
- .vnt
- .vob
- .vpd
- .vrm
- .vrp
- .vsd
- .vsdm
- .vsdx
- .vsm
- .vstm
- .vstx
- .vue
- .vw
- .wav
- .wbk
- .wcf
- .wdb
- .wgz
- .wire
- .wks
- .wma
- .wmdb
- .wmv
- .wn
- .wp
- .wpa
- .wpd
- .wpg
- .wps
- .wpt
- .wpw
- .wri
- .wsc
- .wsd
- .wsh
- .wtx
- .x
- .xar
- .xd
- .xdb
- .xlc
- .xld
- .xlf
- .xlgc
- .xlm
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xps
- .xwp
- .xyp
- .xyw
- .ya
- .ybk
- .ym
- .zabw
- .zdb
- .zdc
- .zip
- .zw
The following diagrams detail the Magniber ransomware infection chains we observed when malicious attackers exploit Internet Explorer, MSI installer, and JS, JSE, and WSF installer vulnerabilities.
Figure 5. Magniber ransomware infection chain involving the Internet Explorer Memory Corruption Vulnerability
Figure 6. Magniber ransomware infection chain involving MSI installer
Figure 7. Magniber infection chain involving JS, JSE, and WSF installers
MITRE tactics and techniques
| Initial Access | Execution | Defense Evasion | Discovery | Command and Control | Impact | Resource Development |
|---|---|---|---|---|---|---|
T1190 - Exploit Public-Facing Application | T1059.003 - Command and Scripting Interpreter: Windows Command Shell T1047 - Windows Management Instrumentation T1059.007 - Command and Scripting Interpreter: JavaScript T1204 - User Execution T1203 - Exploitation for Client Execution | T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1055.003 - Process Injection: Thread Execution Hijacking T1140 - Deobfuscate/Decode Files or Information T1112 - Modify Registry T1218.007 - System Binary Proxy Execution: Msiexec T1218.002 - System Binary Proxy Execution: Control Panel T1036.005 - Masquerading: Match Legitimate Name or Location T1620 - Reflective Code Loading T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass | T1083 - File and Directory Discovery T1135 - Network Share Discovery T1057 - Process Discovery T1082 - System Information Discover | T1071.001 - Application Layer Protocol: Web Protocols | T1490 - Inhibit System Recovery T1486 - Data Encrypted for Impact | T1608.005 - Stage Capabilities: Link Target |
Summary of malware, tools, and exploits used
Security teams must take not of and be on the lookout for the following tools and exploits typically used in Magniber ransomware attacks:
Exploits
- CVE-2016-0189
- CVE-2018-8174
- CVE-2019-1367
- CVE-2020-0968
- CVE-2021-26411
- CVE-2021-40444
- CVE-2021-34527
- CVE-2022-44698
Tools
- WMI
Malware
- Fodscript
| Initial Access | Execution | Defense Evasion | Privilege Escalation | Impact |
|---|---|---|---|---|
|
|
|
|
|
|
| |||
| ||||
| ||||
| ||||
| ||||
|
Recommendations
Given its continued activity in 2022, we can expect to see more of the Magniber ransomware in the future. As attackers continue to find ways to distribute its payloads and circumvent security warnings, organizations and their members must remain vigilant to prevent being compromised. We encourage organizations to remain on the lookout for the Magniber ransomware and continue monitoring its evolution to minimize the possibility of a successful attack.
To protect systems against the Magniber ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.
Here are some best practices that organizations can consider to help protect themselves from the Magniber ransomware infection:
Audit and inventory
- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and software.
- Audit event and incident logs.
Configure and monitor
- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee’s role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.
Patch and update
- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.
Protect and recover
- Implement data protection, back up, and recovery measures.
- Enable multifactor authentication (MFA).
Secure and defend
- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Discover early signs of an attack, such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
- Trend Micro Cloud One™ - Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
The IOCs for this article can be found here. Actual indicators might vary per attack.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Addressing CAPTCHA-Evading Phishing Threats With Behavior-Based AI Protection
Analyzing the Risks of Using Environment Variables for Serverless Management
LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users, Research Finds