V3 Detects and Blocks Magniber Ransomware Injection (Direct Syscall Detection) – ASEC BLOG

Magniber continues to spread at high volumes by masquerading as Windows security updates and injecting into running processes to encrypt files. It then establishes persistence via the Task Scheduler and deletes volume shadow copies to hinder recovery, while leveraging Direct Syscall and obfuscated commands that are detectable by V3’s Direct Syscall Detection. #Magniber #DirectSyscallDetection #AhnLab #VolShadowCopy #ControlledFolderAccess #Typosquatting #Msiexec

Keypoints

  • Magniber is distributed via disguised Windows update files (e.g., ERROR.Center.Security.msi) in Edge/Chrome, replacing older IE vulnerabilities.
  • It injects the ransomware into a running process using NtCreateThreadEx, NtGetContextThread, NtSetContextThread, and NtResumeThread.
  • Persistence is achieved by adding a command to the Task Scheduler; it also deletes volume shadow copies to disable recovery.
  • The malware bypasses user-mode hooking by performing a Direct Syscall outside ntdll.dll as part of injection.
  • Obfuscated PowerShell commands delete shadow copies and turn off Windows Defender’s Controlled Folder Access to lower defenses.
  • Ransom notes instruct victims to access a recovery URL through the Tor browser; a hard-coded C2 URL is used to download the MSI.
  • Magniber uses typosquatting to target Chrome/Edge users on the latest Windows version, a reminder to treat typosquatted domains with caution.
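
The injection chain in the key points above (NtCreateThreadEx → NtGetContextThread → NtSetContextThread → NtResumeThread against another process, issued as direct syscalls from outside ntdll.dll) is the kind of ordered, cross-process API sequence a detection engineer would hunt for in endpoint telemetry. The following Python is an added example, not code from AhnLab or from the ASEC post: it parses a few constructed telemetry lines (a hypothetical `pid= api= target= caller=` format), tracks each source/target process pair through the sequence, and counts how many of those calls returned to an address outside an assumed, constructed ntdll address range. The address range, log format and sample process IDs are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Ordered API sequence described for the Magniber injection routine.
INJECTION_SEQUENCE = (
    "NtCreateThreadEx",
    "NtGetContextThread",
    "NtSetContextThread",
    "NtResumeThread",
)

# Constructed, hypothetical address range for the mapped ntdll.dll image.
# A real sensor would take this from the target process's module list.
NTDLL_RANGE = (0x7FF8_0000_0000, 0x7FF8_0020_0000)

# Constructed telemetry. pid 4100 performs the full chain against pid 2212
# with return addresses outside ntdll; pid 3200 (a debugger-like process)
# only reads/writes thread context from within ntdll and never creates a thread.
SAMPLE_LOG = """
pid=4100 api=NtCreateThreadEx target=2212 caller=0x00000000004a1f30
pid=3200 api=NtGetContextThread target=2212 caller=0x00007ff800012a40
pid=4100 api=NtGetContextThread target=2212 caller=0x00000000004a1f60
pid=3200 api=NtSetContextThread target=2212 caller=0x00007ff800012a60
pid=4100 api=NtSetContextThread target=2212 caller=0x00000000004a1f90
pid=4100 api=NtResumeThread target=2212 caller=0x00000000004a1fc0
"""


@dataclass
class ApiEvent:
    pid: int          # process issuing the native API call
    api: str          # Nt* function name
    target_pid: int   # process whose thread is being acted on
    caller: int       # return address after the syscall instruction


def parse_line(line: str) -> ApiEvent:
    """Parse one 'key=value' telemetry line into an ApiEvent."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return ApiEvent(
        pid=int(fields["pid"]),
        api=fields["api"],
        target_pid=int(fields["target"]),
        caller=int(fields["caller"], 16),
    )


def is_direct_syscall(ev: ApiEvent, ntdll_range=NTDLL_RANGE) -> bool:
    """True when the syscall returned to an address outside the ntdll image,
    i.e. the syscall stub was not the one exported by ntdll.dll."""
    lo, hi = ntdll_range
    return not (lo <= ev.caller < hi)


def find_injection_chains(events) -> list[dict]:
    """Flag (source, target) pairs that complete the full API sequence in order.
    Unrelated calls between the steps are ignored; a call to the same process
    is not treated as injection."""
    progress: dict[tuple[int, int], dict] = {}
    alerts: list[dict] = []
    for ev in events:
        if ev.target_pid == ev.pid:
            continue
        key = (ev.pid, ev.target_pid)
        state = progress.setdefault(key, {"idx": 0, "direct": 0})
        if ev.api == INJECTION_SEQUENCE[state["idx"]]:
            state["idx"] += 1
            if is_direct_syscall(ev):
                state["direct"] += 1
            if state["idx"] == len(INJECTION_SEQUENCE):
                alerts.append({
                    "source_pid": ev.pid,
                    "target_pid": ev.target_pid,
                    "direct_syscalls": state["direct"],
                })
                progress.pop(key)
    return alerts


def analyze(lines) -> list[dict]:
    """Convenience wrapper: parse non-empty lines and return the alerts."""
    events = [parse_line(ln) for ln in lines if ln.strip()]
    return find_injection_chains(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"injection chain: {alert['source_pid']} -> {alert['target_pid']}, "
              f"{alert['direct_syscalls']} direct syscalls")
```

The sequence match alone is a weak signal (debuggers and some security products legitimately touch thread contexts), so the example reports the direct-syscall count alongside it: a full chain in which every call returned outside ntdll is the combination the post attributes to Magniber.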

MITRE Techniques

  • [T1036] Masquerading – Magniber is distributed disguised as a Windows security update package; ‘disguised as a Windows security update package, having a file name such as “ERROR.Center.Security.msi”’
  • [T1055] Process Injection – Ransomware injects into a running process; ‘The API used for injection runs NtCreateThreadEx, NtGetContextThread, NtSetContextThread, and NtResumeThread in order and injects the ransomware into a process running in the user environment.’
  • [T1053] Scheduled Task – Persistence by registering a command to the Task Scheduler; ‘persistence routine of Magniber (registering a command to the task scheduler)’
  • [T1490] Inhibit System Recovery – Deleting volume shadow copies to hinder recovery; ‘deletes volume shadow copies to disable recovery’
  • [T1562.001] Impair Defenses – Disabling security features; ‘turn off the controlled folder access feature of Windows Defender (decrypted)’
  • [T1071.001] Web Protocols – C2 via web URL; ‘C2 URL hxxp://146[.]19[.]106[.]31/ceggfnhm.msi’
  • [T1486] Data Encrypted for Impact – Encrypting user files during the attack lifecycle; ‘encrypts the user’s files’

Indicators of Compromise

  • [File Name] ERROR.Center.Security.msi – disguise used as a Windows security update package (distribution lure)
  • [File Name] readme.htm – ransom note created in encrypted directories
  • [File Name] ceggfnhm.msi – MSI file name referenced in the C2/download payload flow
  • [MD5] f5dd30f503577071499a241532479279 – Magniber MSI MD5 hash
  • [URL] hxxp://146[.]19[.]106[.]31/ceggfnhm.msi – C2/download URL for payload
  • [IP Address] 146.19.106.31 – C2 host associated with the download URL

Read more: https://asec.ahnlab.com/en/55961/