Keypoints
- Infection began with malvertising redirection from fastprofit[.]loan to the Magnitude EK landing page.
- Magnitude EK used CVE-2016-0189 to deliver a plain EXE payload hosted on an Apache/CentOS server.
- Ransomware (Magniber) checks GetSystemDefaultUILanguage and exits if the OS language is not Korean.
- The malware unpacks a reverse-RC4-encrypted resource, creates a mutex “ihsdj”, and writes an IV and a copy of itself to %TEMP% using a 19-character pseudorandom string.
- It performs CPUID/RDTSC timing checks to detect VMs and appends the VM result to HTTP callback URLs built from the pseudorandom ID and domains like bankme.date.
- Magniber encrypts files using AES128 (sample IV: EP866p5M93wDS513; key: S25943n9Gt099y4K), drops a ransom note, creates scheduled tasks for persistence, and deletes its original binary with a ping-based delay.
MITRE Techniques
- [T1189] Drive-by Compromise – Delivered via malvertising redirect to the exploit kit landing page (‘The first reappearance of Magnitude EK on Oct. 15 came as a malvertising redirection from the domain: fastprofit[.]loan.’)
- [T1190] Exploit Public-Facing Application – Exploited CVE-2016-0189 on the landing page to run the payload (‘The Magnitude EK landing page consisted of CVE-2016-0189…’)
- [T1027] Obfuscated Files or Information – Payload contained a resource encrypted using reverse RC4, unpacked in memory (‘The malware contains a binary payload in its resource section encrypted in reverse using RC4.’)
- [T1497.001] Virtualization/Sandbox Evasion – Detects VM presence via CPUID sandwiched between RDTSC calls and uses timing to decide VM status (‘the malware checks to see if it’s running inside a VM … sandwiching and executing CPUID instructions … between RDTSC calls’)
- [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP callback URLs built from a pseudorandom ID and domains to communicate with C2 (‘http://[19 character pseudorandom string].[callback domain]/new[0 or 1]’)
- [T1053.005] Scheduled Task/Job – Creates scheduled tasks to run its copy from %TEMP% and to display the ransom note (‘schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR “pcalua.exe -a %TEMP%\ihsdj.exe”’)
- [T1486] Data Encrypted for Impact – Encrypts user files with AES128 and appends a .ihsdj extension (‘Magniber encrypts user data using the AES128.’)
- [T1070.004] File Deletion – Attempts self-deletion using a local ping delay before deleting its binary (‘cmd /c ping localhost -n 3 > nul & del C:\PATH\MALWARE.EXE’)
Indicators of Compromise
- [File hash] Malware sample – dc2a2b84da359881b9df1ec31d03c715 (sample analyzed)
- [Malvertising domains] Initial redirect sources – fastprofit[.]loan, fastprofit[.]me
- [Exploit kit domains] EK landing/callback examples – 3e37i982wb90j.fileice[.]services, a3co5a8iab2x24g90.helpraw[.]schule, and 1 more
- [Command-and-control domains] Callback/C2 hosts – bankme.date, jobsnot.services, carefit.agency, hotdisk.world (used with 19-char subdomains)
- [File names / Persistence] Temp files and scheduled tasks – %TEMP%\xxxxxxxxxxxxxxxxxxx.ihsdj (holds the IV; name is the 19-character pseudorandom ID), %TEMP%\ihsdj.exe (copy of the malware), READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt, scheduled task name ‘ihsdj’
Magnitude EK infections began with malvertising redirects (fastprofit[.]loan) to a landing page that exploited CVE-2016-0189 and served a plain MZ EXE hosted on an Apache/CentOS server. The delivered Magniber sample stores a reverse-RC4-encrypted binary in its resource section, which the loader decrypts from the end of the buffer to the start, then unpacks and executes in memory. The sample analyzed (dc2a2b84da359881b9df1ec31d03c715) performs an early GetSystemDefaultUILanguage check and exits unless the system language is Korean.
At runtime the malware creates a mutex named “ihsdj”, generates a 19-character pseudorandom identifier from repeated GetTickCount calls, and writes to %TEMP% a file named after that identifier (xxxxxxxxxxxxxxxxxxx.ihsdj) holding the AES IV, plus a copy of itself named ihsdj.exe. It constructs HTTP callback URLs from that identifier and one of several domains (bankme.date, jobsnot.services, carefit.agency, hotdisk.world), performing repeated CPUID/RDTSC timing checks to detect virtualized/sandbox environments and appending ‘0’ or ‘1’ to report the result (e.g., /new0 or /new1). If re-executed after encryption, the callback uses /end0 or /end1 instead.
Once validated, Magniber encrypts user files with AES128 (sample IV: EP866p5M93wDS513; AES key: S25943n9Gt099y4K shown for the analyzed sample), renames files with a .ihsdj extension, drops a READ_ME_FOR_DECRYPT_*.txt ransom note in %TEMP%, and creates scheduled tasks to persist execution through pcalua.exe calling %TEMP%\ihsdj.exe and to display the ransom note. Finally, it attempts to remove its original executable using a local ping-based delay before deletion.
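As an added example (not code from the Mandiant post), the following Python turns the three host-observable behaviours quoted above into detection logic: the callback URL pattern (19-character subdomain on a listed domain with /new[0|1] or /end[0|1]), the schtasks/pcalua.exe persistence command, and the ping-delayed self-deletion. The log lines are constructed for the demo, not real telemetry.

```python
import re

# Callback domains listed on the page; the subdomain is the 19-character pseudorandom ID.
C2_DOMAINS = ("bankme.date", "jobsnot.services", "carefit.agency", "hotdisk.world")

# Pattern from the page: http://[19-char ID].[callback domain]/new[0|1] (or /end[0|1] on re-execution).
CALLBACK_RE = re.compile(
    r"https?://(?P<id>[a-z0-9]{19})\.(?P<domain>"
    + "|".join(re.escape(d) for d in C2_DOMAINS)
    + r")/(?P<stage>new|end)(?P<vm>[01])(?:[/?\s]|$)",
    re.IGNORECASE,
)
# Persistence via schtasks + pcalua.exe and the ping-delayed self-deletion, as quoted on the page.
SCHTASKS_RE = re.compile(r"schtasks\s+/create\b.*?/tn\s+ihsdj\b.*?pcalua\.exe\s+-a\s+%TEMP%\\ihsdj\.exe", re.I)
SELFDEL_RE = re.compile(r"ping\s+localhost\s+-n\s+\d+\s*>\s*nul\s*&\s*del\s+\S+", re.I)


def scan_line(line):
    """Return a (rule, detail) tuple when a log line matches a Magniber indicator, else None."""
    m = CALLBACK_RE.search(line)
    if m:
        # The page does not state which flag value means 'VM detected', so the raw flag is reported.
        stage = "initial_checkin" if m["stage"].lower() == "new" else "post_encryption"
        return ("magniber_callback",
                f"id={m['id']} domain={m['domain']} {stage} vm_flag={m['vm']}")
    if SCHTASKS_RE.search(line):
        return ("magniber_persistence", "schtasks ihsdj via pcalua.exe")
    if SELFDEL_RE.search(line):
        return ("magniber_self_delete", "ping-delayed del of original binary")
    return None


def scan(lines):
    """Run every line through scan_line and collect (line_no, rule, detail) hits."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := scan_line(line))]


# Constructed sample lines (proxy and process-creation events), not real telemetry.
SAMPLE_LOG = [
    "2017-10-16T09:12:01 10.0.0.5 GET http://a1b2c3d4e5f6g7h8i9j.bankme.date/new0 200",
    "2017-10-16T09:12:02 10.0.0.5 GET http://www.example.com/news1 200",  # benign look-alike
    '2017-10-16T09:12:05 proc cmd.exe "schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR \\"pcalua.exe -a %TEMP%\\ihsdj.exe\\""',
    '2017-10-16T09:40:11 proc cmd.exe "cmd /c ping localhost -n 3 > nul & del C:\\Users\\u\\Downloads\\m.exe"',
    "2017-10-16T09:41:00 10.0.0.5 GET http://a1b2c3d4e5f6g7h8i9j.bankme.date/end1 200",
]

if __name__ == "__main__":
    for n, rule, detail in scan(SAMPLE_LOG):
        print(f"line {n}: {rule} ({detail})")
```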
Read more: https://www.mandiant.com/resources/blog/magniber-ransomware-infects-only-the-right-people