Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) – ASEC BLOG

Magniber has evolved to bypass Mark of the Web (MOTW) protections by using script-based delivery and a digital signature, while continuing to adapt delivery methods such as typosquatting. The analysis highlights how MOTW, UAC bypass via fodhelper, and registry modifications enable Magniber to execute and persist on compromised systems. #Magniber #MarkoftheWeb #typosquatting #fodhelper #AhnLab

Keypoints

  • Magniber shifted to script-based distribution between 2022-09-08 and 2022-09-29, using various script formats (wsf, js, jse, etc.).
  • Delivery occurred via typosquatting, exploiting user typos when accessing domains to download the malware.
  • Downloaded files were identified by MOTW, which records the URL in an NTFS stream (Zone.Identifier) and flags external sources.
  • To bypass MOTW execution blocks, Magniber appended a digital signature to the end of the script to prove authenticity.
  • Multiple execution techniques were observed (msiexec for MSI, rundll32, wscript, regsvr32) with registry modifications to facilitate execution.
  • UAC bypass was achieved through fodhelper.exe, accompanied by registry modifications under HKCU\Software\Classes (custom ProgID) to enable shell\open\command execution.
  • AhnLab recommends enabling Process Memory Scan and AMSI Detection to improve defenses against Magniber.
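The MOTW flagging and the appended-signature trick described in the keypoints, as an added Python example that is not code from the ASEC post: it parses the Zone.Identifier stream content, checks whether a script carries a signature block at its end, and combines the two into a triage verdict. The Zone.Identifier text, the signed JScript file and the domain in it are constructed samples, and the `<signature>` element used as the `.wsf` marker is an assumption about signed-WSF layout rather than something the post states.

```python
"""Added example, not code from the ASEC post: triage of a downloaded script
using its Zone.Identifier stream (MOTW) and a check for an appended
signature block."""
import re
from typing import Dict, Optional

# ZoneId values the URL security zone manager writes into Zone.Identifier.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed Zone.Identifier stream content; the domain is a placeholder,
# not an indicator from the post.
SAMPLE_ZONE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=http://example-typo-domain.invalid/\r\n"
    "HostUrl=http://example-typo-domain.invalid/files/update.js\r\n"
)

# Constructed JScript file with a signature block appended as comment lines,
# the layout Windows Script Host signing (Scripting.Signer) produces.
SAMPLE_SIGNED_JS = (
    "WScript.Echo('constructed sample');\n"
    "// SIG // Begin signature block\n"
    "// SIG // MIIConstructedBase64Placeholder==\n"
    "// SIG // End signature block\n"
)

# Signature markers per script type: "// SIG //" comment lines for JScript,
# "' SIG '" for VBScript, and (assumed here) an XML <signature> element for .wsf.
SIG_PATTERNS = {
    ".js": re.compile(r"//\s*SIG\s*//\s*Begin signature block.*"
                      r"//\s*SIG\s*//\s*End signature block", re.S),
    ".vbs": re.compile(r"'\s*SIG\s*'\s*Begin signature block.*"
                       r"'\s*SIG\s*'\s*End signature block", re.S),
    ".wsf": re.compile(r"<signature>.*</signature>", re.S | re.I),
}
SIG_PATTERNS[".jse"] = SIG_PATTERNS[".js"]
SIG_PATTERNS[".vbe"] = SIG_PATTERNS[".vbs"]


def parse_zone_identifier(stream_text: str) -> Dict[str, object]:
    """Parse the INI-style [ZoneTransfer] section into a dict.
    ZoneId is converted to int; the URL keys stay strings."""
    result: Dict[str, object] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    if isinstance(result.get("ZoneId"), str) and result["ZoneId"].isdigit():
        result["ZoneId"] = int(result["ZoneId"])
    return result


def has_signature_block(script_text: str, extension: str) -> bool:
    """True if the script ends with a signature block for its file type.
    Presence of the block says nothing about whether the signature is valid."""
    pattern = SIG_PATTERNS.get(extension.lower())
    return bool(pattern and pattern.search(script_text))


def triage_script(zone_stream: Optional[str], script_text: str,
                  extension: str) -> Dict[str, object]:
    """Combine MOTW zone and signature-block presence into a triage verdict.
    A file from the Internet zone that carries its own signature block is the
    combination the post describes and is flagged for review, not trusted."""
    zone = parse_zone_identifier(zone_stream) if zone_stream else {}
    zone_id = zone.get("ZoneId")
    from_internet = zone_id in (3, 4)
    signed = has_signature_block(script_text, extension)
    if not from_internet:
        verdict = "no_motw"
    elif signed:
        verdict = "motw_flagged_signature_appended"
    else:
        verdict = "motw_flagged"
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown") if zone_id is not None else None,
            "host_url": zone.get("HostUrl"),
            "signature_block": signed,
            "verdict": verdict}


if __name__ == "__main__":
    print(triage_script(SAMPLE_ZONE_STREAM, SAMPLE_SIGNED_JS, ".js"))
```

On a live Windows host the first argument would come from reading the `Zone.Identifier` alternate data stream of the file; the verdict only says that the signature block should be examined (chain, timestamp, signer), which this code deliberately does not attempt.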

MITRE Techniques

  • [T1189] Drive-by Compromise – ‘Magniber was downloaded through the typosquatting method, which exploits typos made by the user when accessing domains.’
  • [T1059.007] Windows Script – Execution through Windows Script Host using wscript.exe and script files (wsf/js/jse). ‘Magniber distribution script (wsf, js, jse)’.
  • [T1112] Modify Registry – Modifies reference registry upon execution of fodhelper.exe (HKCU\Software\Classes\(custom ProgID)\shell\open\command). ‘Modifies reference registry upon execution of fodhelper.exe (HKCU\Software\Classes\(custom ProgID)\shell\open\command)’.
  • [T1548.002] Bypass User Account Control – UAC bypassing via fodhelper.exe. ‘UAC Bypassing’.
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – regsvr32.exe used in the workflow to load components. ‘regsvr32.exe’.
  • [T1218] Signed Binary Proxy Execution: Rundll32 – rundll32.exe used to execute payloads. ‘rundll32.exe’.
  • [T1059.007] Windows Script – Additional context on script-based execution with WSH hosts: ‘wscript.exe’ is used to run the script code, and ‘Modifies reference registry upon execution of fodhelper.exe’ (the registry change is made by the script itself).
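Detection logic for the sequence behind the T1112 and T1548.002 entries above, as an added example that is not code from the ASEC post: it correlates a registry write under HKCU\Software\Classes\<ProgID>\shell\open\command by a script host with a fodhelper.exe launch shortly afterwards. The pipe-delimited event lines, the ProgID `xyz123` and the timestamps are constructed telemetry, not data from the post.

```python
"""Added example, not code from the ASEC post: correlate a write to
HKCU\\Software\\Classes\\<ProgID>\\shell\\open\\command with a later
fodhelper.exe launch, the registry-plus-fodhelper sequence the post lists."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed telemetry in a simple pipe-delimited form (not a real EDR format):
# timestamp|event_type|process_image|target|value_name
SAMPLE_EVENTS = [
    "2022-09-28T10:00:01Z|RegistryValueSet|wscript.exe|"
    "HKCU\\Software\\Classes\\xyz123\\shell\\open\\command|(Default)",
    "2022-09-28T10:00:05Z|ProcessCreate|wscript.exe|"
    "C:\\Windows\\System32\\fodhelper.exe|",
    "2022-09-28T10:05:00Z|ProcessCreate|explorer.exe|"
    "C:\\Windows\\System32\\notepad.exe|",
]

# A benign sequence: a ProgID command written by an installer, fodhelper
# started much later by the shell.
BENIGN_EVENTS = [
    "2022-09-28T11:00:00Z|RegistryValueSet|setup.exe|"
    "HKCU\\Software\\Classes\\MyApp.Document\\shell\\open\\command|(Default)",
    "2022-09-28T11:30:00Z|ProcessCreate|explorer.exe|"
    "C:\\Windows\\System32\\fodhelper.exe|",
]

# Any ProgID directly under the user's Classes hive with a shell\open\command key.
CLASSES_CMD_RE = re.compile(
    r"^HKCU\\Software\\Classes\\([^\\]+)\\shell\\open\\command$", re.I)

# Script hosts and proxy binaries named in the post as Magniber's executors.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def parse_event(line: str) -> Dict[str, object]:
    """Split one constructed telemetry line into a dict with a datetime."""
    ts, etype, proc, target, value = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "type": etype, "process": proc.lower(),
            "target": target, "value": value}


def detect_fodhelper_hijack(lines: List[str],
                            window: timedelta = timedelta(seconds=120)
                            ) -> List[Dict[str, str]]:
    """Emit one alert per ProgID whose shell\\open\\command was written within
    `window` before a fodhelper.exe launch. Writes by a script host raise the
    severity; writes by other processes are still reported as low."""
    alerts: List[Dict[str, str]] = []
    recent_writes = []  # (ts, progid, writer process)
    for ev in map(parse_event, lines):
        if ev["type"] == "RegistryValueSet":
            m = CLASSES_CMD_RE.match(str(ev["target"]))
            if m:
                recent_writes.append((ev["ts"], m.group(1), ev["process"]))
        elif (ev["type"] == "ProcessCreate"
              and str(ev["target"]).lower().endswith("\\fodhelper.exe")):
            # Keep only writes that fall inside the correlation window.
            recent_writes = [w for w in recent_writes if ev["ts"] - w[0] <= window]
            seen = set()
            for _, progid, writer in recent_writes:
                if progid in seen:
                    continue
                seen.add(progid)
                alerts.append({
                    "progid": progid,
                    "writer": writer,
                    "fodhelper_parent": str(ev["process"]),
                    "fodhelper_at": ev["ts"].isoformat(),
                    "severity": "high" if writer in SCRIPT_HOSTS else "low",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_fodhelper_hijack(SAMPLE_EVENTS):
        print(alert)
```

The two-minute window is a tuning choice, not a value from the post; in production the correlation would also be keyed on the logon session so that one user's ProgID write is not matched against another user's fodhelper launch.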

Indicators of Compromise

  • [Hash] File Hashes – b8e94ffbfc560d56e28c10073b911d50, ba7a32f15227c5d30b648ba407e73c80, and 2 more hashes
  • [Script File Detection] context – Ransomware/JS Magniber (2022.09.08.02), Ransomware/WSF.Magniber (2022.09.28.02)
  • [Process Memory Detection] context – Ransomware/Win.Magniber.XM153 (2022.09.15.03)
  • [AMSI Detection] context – Ransomware/Win.Magniber.R519329 (2022.09.15.02)

Read more: https://asec.ahnlab.com/en/41889/