- Новости о безопасности
- Ransomware Spotlight
- Ransomware Spotlight: Magniber
In this section, we examine the Magniber ransomware’s attempts to compromise organizations in 2022 based on Trend Micro™ Smart Protection Network™ country and regional data. It’s important to note that this data covers only Trend Micro customers and does not contain all victims of Magniber.
Malicious attackers behind Magniber started slow in 2022, with less than 20 attacks per month in the first quarter of the year. The attack attempts steadily increased as the year progressed, with attackers making the most of September 2022, which recorded the largest number of attack attempts at 1,482 detections. Attack attempts diminished during the last quarter of the year but remained high with 508 detections in December. The following figure details the total number of attempted attacks by Magniber in 2022.
The highest number of Magniber attacks was detected in Taiwan with a total of 204 attack attempts, which makes up most of the attack attempt detections at approximately 76.1% of the total. South Korea, initially targeted by Magniber when it was first detected, has the second most attack attempts with a large margin at 15, followed by Australia with nine. Turkey and Japan follow with six detections each. Our data shows that Magniber has expanded its targets beyond Asian countries. Note that the data in Figure 2 is limited to feedback provided by customers, majority of whom preferred not to disclose their locations.
Industry data, on the other hand, showed that educational organizations, the government, and manufacturing industries experienced the largest number of Magniber ransomware attack attempts, followed by the healthcare and technology industries. Other industries that experienced less attempted attacks were the energy, transportation, and real estate industries.
In total, there were 987 total detections of Magniber attack attempts across industries in 2022 from customer feedback detailing the industries in which they belong.
We found that the Magniber ransomware exploits different vulnerabilities, but while it uses a more straightforward kill chain compared to the newer double-extortion ransomware campaigns, its simplicity does not make it any less effective. The following figure details various vulnerabilities exploited to deliver its payload:
Figure 4. Vulnerabilities exploited to deliver Magniber ransomware
The following diagrams detail the Magniber ransomware infection chains we observed when malicious attackers exploit Internet Explorer, MSI installer, and JS, JSE, and WSF installer vulnerabilities.
Figure 5. Magniber ransomware infection chain involving the Internet Explorer Memory Corruption Vulnerability
Initial Access | Execution | Defense Evasion | Discovery | Command and Control | Impact | Resource Development |
---|---|---|---|---|---|---|
T1190 - Exploit Public-Facing Application | T1059.003 - Command and Scripting Interpreter: Windows Command Shell T1047 - Windows Management Instrumentation T1059.007 - Command and Scripting Interpreter: JavaScript T1204 - User Execution T1203 - Exploitation for Client Execution | T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1055.003 - Process Injection: Thread Execution Hijacking T1140 - Deobfuscate/Decode Files or Information T1112 - Modify Registry T1218.007 - System Binary Proxy Execution: Msiexec T1218.002 - System Binary Proxy Execution: Control Panel T1036.005 - Masquerading: Match Legitimate Name or Location T1620 - Reflective Code Loading T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass | T1083 - File and Directory Discovery T1135 - Network Share Discovery T1057 - Process Discovery T1082 - System Information Discover | T1071.001 - Application Layer Protocol: Web Protocols | T1490 - Inhibit System Recovery T1486 - Data Encrypted for Impact | T1608.005 - Stage Capabilities: Link Target |
Security teams must take not of and be on the lookout for the following tools and exploits typically used in Magniber ransomware attacks:
Exploits
Tools
Malware
Initial Access | Execution | Defense Evasion | Privilege Escalation | Impact |
---|---|---|---|---|
|
|
|
|
|
|
| |||
| ||||
| ||||
| ||||
| ||||
|
Given its continued activity in 2022, we can expect to see more of the Magniber ransomware in the future. As attackers continue to find ways to distribute its payloads and circumvent security warnings, organizations and their members must remain vigilant to prevent being compromised. We encourage organizations to remain on the lookout for the Magniber ransomware and continue monitoring its evolution to minimize the possibility of a successful attack.
To protect systems against the Magniber ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.
Here are some best practices that organizations can consider to help protect themselves from the Magniber ransomware infection:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
The IOCs for this article can be found here. Actual indicators might vary per attack.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.