Magniber has relaunched its campaign by delivering MSI installers through Edge and Chrome, after shifting away from the old IE vulnerability. It uses a loader that injects Magniber into user processes, persists via Run registry keys, and downloads a new instance on reboot, enabling reinfection and encryption cycles. #Magniber #AhnLab #typosquatting
Keypoints
- Magniber’s distribution moved from exploiting an Internet Explorer vulnerability to delivering Windows installer packages (.msi) via modern browsers (Edge and Chrome).
- The ransomware is designed to download a fresh Magniber payload on system reboot, enabling reinfection.
- Injector code activates in msiexec.exe and injects Magniber payloads into a victim’s processes through a do-while loop on the process list.
- The malware uses a persistence routine (Persistence_RegistryEdit) that registers to Run and implements multiple registry steps to survive reboots.
- The Run-key persistence involves creating a meaningless .3fr file and a dummy file, then registering a related command to run alongside the file.
- Relaunch and encryption are coordinated so that even if one registry entry is blocked, other processes can still trigger encryption on reboot.
- AhnLab notes Magniber is spread through typosquatting (exploiting domain typos) to Chrome and Edge users on the latest Windows, and warns that the campaign may resume.
MITRE Techniques
- [T1218.011] Windows Installer – The ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers. “the ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers.”
- [T1055] Process Injection – Magniber payloads are injected into a user’s process via the injector code and API (e.g., CreateThreadEx). “The Magniber payloads are injected in order through a do-while loop on the user process list.”
- [T1105] Ingress Tool Transfer – A command is saved to download Magniber as part of the registered registry, enabling payload delivery. “Saves a command that downloads Magniber in the registered registry.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence is achieved by manipulating Run keys with a meaningless file and associated registry actions. “A meaningless .3fr file is registered to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, and a dummy file is created in the same path”
- [T1486] Data Encrypted for Impact – The system is configured to download a new Magniber and encrypt files upon reboot as part of the relaunch mechanism. “When the system is rebooted, the .3fr file extension registered to the Run key is executed along with the registry that was designated to also activate at the same time, causing a new Magniber to be downloaded and encrypted every time the system is rebooted.”
- [T1583] Acquire Infrastructure – Domains (typosquatting) used to distribute Magniber via Chrome/Edge on Windows. “Magniber is being distributed to users using the Chrome and Edge browsers on the latest version of Windows through typosquatting, a method that exploits domain typos.”
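As an added triage example (not AhnLab's code and not taken from the report), the script below covers the Run-key persistence described in the keypoints and in the Registry Run Keys and Data Encrypted for Impact items above. It scans a set of HKCU Run-key value names and command lines (constructed here inline; on a live host they would come from `reg query` or `winreg`), flags any launch target whose extension is not something Windows runs directly (the .3fr trick only works because a file-association registry entry is planted alongside it), flags targets under the `%TEMP%\MSI<4 digits>.tmp` creation path from the IoC section, and checks a file MD5 against the IoC hashes. The sample value names, user name and paths are hypothetical; only the .3fr extension, the Temp\MSI path pattern and the MD5s come from the page.

```python
"""Heuristic triage of HKCU Run-key values for Magniber-style persistence.

Added example, not part of the AhnLab report. Sample Run values are constructed
for illustration.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# MD5s copied from the report's IoC list (dll and msi).
MAGNIBER_MD5S = {
    "35c3743df22ea0de26aeac37a88da1c9",
    "0723b125887e632bd2203680b75efb57",
    "65ac438561b3a415876dff89d2804a13",
}

# Extensions a Run value normally launches on its own; tune for your estate.
# Anything else (e.g. .3fr, .tmp) only runs via a planted file association.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".wsf", ".hta"}

# Matches the dll creation path from the IoC section:
# C:\Users\<user>\AppData\Local\Temp\MSI<4 digits>.tmp
TEMP_MSI_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\msi\d{4}\.tmp$", re.I
)

# Constructed sample of HKCU\...\CurrentVersion\Run values (name -> command line).
# "OneDrive" and "SecurityHealth" stand in for benign entries; "qzpxk" and
# "MSI2481" are hypothetical names mimicking the persistence described in the report.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "qzpxk": r"C:\Users\alice\AppData\Local\Temp\qzpxk.3fr",
    "MSI2481": r"C:\Users\alice\AppData\Local\Temp\MSI2481.tmp",
}


def extract_target(cmdline: str) -> str:
    """Return the launch target of a Run value: the quoted path if present, else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def classify_run_value(cmdline: str) -> list[str]:
    """Return reasons a Run value resembles Magniber persistence; empty list means no hit."""
    target = extract_target(cmdline)
    ext = PureWindowsPath(target).suffix.lower()
    reasons: list[str] = []
    # A bare command without an extension (e.g. "rundll32") is out of scope here.
    if ext and ext not in EXECUTABLE_EXTS:
        reasons.append(f"non-executable extension {ext} relies on a file association to run")
    if TEMP_MSI_RE.match(target):
        reasons.append("target is in the Temp\\MSI<4 digits>.tmp path listed in the IoCs")
    return reasons


def scan_run_values(values: dict[str, str]) -> dict[str, list[str]]:
    """Map each suspicious Run value name to its reasons; clean entries are omitted."""
    return {name: r for name, cmd in values.items() if (r := classify_run_value(cmd))}


def is_known_magniber_md5(md5_hex: str) -> bool:
    """True if the given MD5 (any case) is in the report's IoC list."""
    return md5_hex.strip().lower() in MAGNIBER_MD5S


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(f"[!] Run value {name!r}: " + "; ".join(reasons))
```

The extension rule is the one worth keeping on a real host: a Run value that points at a non-executable extension is unusual on its own, and, per the report, the matching file-association entry is the second registry piece that must be removed together with the Run value, otherwise the next reboot re-downloads the payload.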
Indicators of Compromise
- [File Path] Magniber dll Creation Path – C:\Users\[UserName]\AppData\Local\Temp\MSI[Random 4 digits].tmp
- [File Name] Magniber dll detection – Ransomware/Win.Magniber.R554966
- [File Name] Magniber MSI detection – Ransomware/Win.Magniber (2023.01.30.01)
- [MD5] Magniber dll MD5 – 35c3743df22ea0de26aeac37a88da1c9, 0723b125887e632bd2203680b75efb57
- [MD5] Magniber msi MD5 – 65ac438561b3a415876dff89d2804a13, 35c3743df22ea0de26aeac37a88da1c9
Read more: https://asec.ahnlab.com/en/48312/