Magniber is a ransomware family that exploits a wide range of public-facing vulnerabilities and uses layered execution, evasion, and delivery techniques to encrypt targeted files. It also employs typosquatting, fake installers, and signature bypass methods to trick users and bypass security controls.
Read more: #Magniber #PrintNightmare #CVE-2021-40444 #CVE-2021-34527
Key points
- Magniber targets Windows systems by exploiting multiple public-facing vulnerabilities (T1190) to gain initial access.
- It uses a multi-stage execution chain, including Windows Command Shell (cmd.exe), WMIC for shadow-copy deletion, JavaScript, and signed-binary proxy methods to run payloads.
- Delivery and user interaction rely on ZIP attachments and masquerading as legitimate installers or Windows updates to deceive users.
- Fake digital signatures are used to bypass MOTW, enabling exploitation of vulnerabilities such as CVE-2022-44698 to execute payloads.
- The malware employs Regsvr32 and scrobj.dll to execute a dropped TXT file and uses reflective code loading for execution.
- Magniber performs extensive file-system discovery and network-share surveillance, then encrypts files with AES (RSA-wrapped keys) while avoiding many folders and attributes.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Has been observed exploiting the following for initial access: the Magnitude exploit kit, CVE-2016-0189, CVE-2018-8174, CVE-2019-1367, CVE-2020-0968 (Internet Explorer scripting engine memory corruption), CVE-2021-26411 (Internet Explorer memory corruption), CVE-2021-40444 (MSHTML remote code execution), and CVE-2021-34527 (PrintNightmare).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Magniber uses cmd.exe to execute commands.
- [T1047] Windows Management Instrumentation – Magniber uses WMIC to delete shadow copies.
- [T1059.007] Command and Scripting Interpreter: JavaScript – The new Magniber version is written in JSE/JS format and still tricks the user by masquerading as a legitimate installer or Windows update.
- [T1204] User Execution – New Magniber versions use ZIP attachments containing the malicious payload.
- [T1203] Exploitation for Client Execution – Magniber bypasses MOTW by exploiting CVE-2022-44698 using fake digital signatures.
- [T1218.010] Signed Binary Proxy Execution: Regsvr32 – Magniber uses regsvr32.exe with scrobj.dll to execute its dropped TXT file.
- [T1055.003] Process Injection: Thread Execution Hijacking – Magniber injects into each process that meets the following criteria: the process is not iexplore.exe, its integrity level is below SYSTEM, and the 32-bit/64-bit constraints are satisfied.
- [T1140] Deobfuscate/Decode Files or Information – The main payload and related strings are decrypted before execution.
- [T1112] Modify Registry – Magniber modifies specific registry entries to execute shadow copy deletion.
- [T1218.007] System Binary Proxy Execution: Msiexec – Recent Magniber infections leverage fake installers (.msi) that call the encrypted ransomware DLL through the CustomAction table.
- [T1218.002] System Binary Proxy Execution: Control Panel – New Magniber variants use the CPL file format to execute their malicious payload.
- [T1036.005] Masquerading: Match Legitimate Name or Location – Magniber masquerades as a Windows update or Microsoft upgrade to trick the user into executing the file.
- [T1620] Reflective Code Loading – Magniber script variants are reflectively loaded in order to proceed with execution.
- [T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass – Magniber uses a malformed digital signature block to bypass MOTW execution blocks.
- [T1083] File and Directory Discovery – Magniber searches for files and directories to encrypt.
- [T1135] Network Share Discovery – Magniber encrypts files on network/remote drives.
- [T1057] Process Discovery – Magniber uses the NtQuerySystemInformation API to enumerate running processes on the machine.
- [T1082] System Information Discovery – Magniber gathers the computer name and OS build number via a fixed offset. ‘Magniber gathers the computer name of the affected machine, as well as the build number of the compromised Windows operating system via the fixed offset [DS]:7FFE026C’
- [T1071.001] Application Layer Protocol: Web Protocols – Magniber appends the data gathered from the machine when connecting to the URL of the payment page.
- [T1490] Inhibit System Recovery – Magniber deletes volume shadow copies via WMIC and by modifying specific registry entries.
- [T1486] Data Encrypted for Impact – Magniber encrypts files with AES (RSA-wrapped keys), skips specific folders and file attributes, and appends the mutex name as the file extension. ‘Magniber encrypts equal-size data blocks… appends the mutex name as its appended extension.’
- [T1608.005] Stage Capabilities: Link Target – Magniber uses typosquatting to trick users into accessing the malicious payload.
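As an added defender-side example (not part of the Trend Micro article or of this summary), the following Python script runs simple process-creation detections for three of the execution techniques listed above over constructed Sysmon-style events: WMIC shadow-copy deletion (T1047/T1490), regsvr32 loading scrobj.dll with a non-DLL scriptlet (T1218.010), and msiexec launching an update-lookalike .msi from a user profile directory (T1218.007/T1036.005). The event records, PIDs, file paths, regular expressions and rule names are all assumptions constructed for this example; the lookalike-name check is a heuristic, not a signature from the article.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1-style fields).
# These records, paths and PIDs are illustrative and not indicators from the article.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4388, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s /n /i:"C:\Users\Public\upd.txt" scrobj.dll',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5012, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent": r"C:\Program Files\Vendor\setup.exe"},
    {"pid": 5200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\Windows10_Update.msi" /qn',
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 5300, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# T1047 / T1490: WMIC used to delete volume shadow copies.
WMIC_SHADOW_DELETE = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)
# T1218.010: regsvr32 handed the scrobj.dll scriptlet handler.
REGSVR32_SCROBJ = re.compile(r"\bregsvr32(?:\.exe)?\b.*\bscrobj\.dll\b", re.I)
REGSVR32_I_ARG = re.compile(r'/i:"?([^"\s]+)"?', re.I)
# T1218.007 / T1036.005: msiexec installing an .msi that lives under a user profile.
MSI_FROM_USER_DIR = re.compile(
    r'\bmsiexec(?:\.exe)?\b.*\s/i\s+"?([A-Z]:\\Users\\[^"]*?([^"\\]+\.msi))"?', re.I)
# Heuristic for the "Windows update / MS upgrade" masquerade described in the article.
UPDATE_LOOKALIKE = re.compile(r"update|windows|upgrade", re.I)


def classify(event):
    """Return the rule tags that fire on one event (empty list if nothing matches)."""
    cmd = event["cmdline"]
    hits = []
    if WMIC_SHADOW_DELETE.search(cmd):
        hits.append("T1047/T1490 wmic shadowcopy delete")
    if REGSVR32_SCROBJ.search(cmd):
        m = REGSVR32_I_ARG.search(cmd)
        target = m.group(1) if m else "<no /i: argument>"
        # Whatever /i: points at is executed as a scriptlet; the article notes a TXT file.
        hits.append(f"T1218.010 regsvr32 scrobj.dll scriptlet: {target}")
    m = MSI_FROM_USER_DIR.search(cmd)
    if m and UPDATE_LOOKALIKE.search(m.group(2)):
        hits.append(f"T1218.007/T1036.005 update-lookalike .msi from user profile: {m.group(2)}")
    return hits


def scan(events):
    """Map each flagged PID to its rule hits; benign events are omitted."""
    findings = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings[event["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"pid {pid}: {hit}")
```

In a real pipeline the events would come from a SIEM export rather than the inline list, and the regsvr32 rule is worth pairing with the parent-process field (the article notes cmd.exe in the chain) to reduce noise from legitimate COM registration such as the vendor installer event above, which the rules correctly leave unflagged.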
Indicators of Compromise
- [IOC Type] None – No explicit IOCs (IPs, domains, file hashes, or filenames) are provided in the article.
Read more: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber