Rapidly Evolving Magniber Ransomware – ASEC BLOG

Two-sentence summary: The Magniber ransomware has evolved rapidly in 2022, shifting file extensions, injection techniques, and UAC bypass methods to dodge anti-malware detection. The analysis highlights frequent format changes and registry-focused tactics, along with typosquatting campaigns targeting Chrome and Edge users. #Magniber #ASEC #AhnLab #ProgID #fodhelper #UACBypass #Typosquatting

Keypoints

  • The Magniber ransomware has rapidly evolved, altering its distribution file extensions and injection methods to evade detection.
  • A timeline shows the distributed file's extension moving among MSI, CPL, JSE, JS, and WSF, with four changes in September 2022 alone (cpl -> jse -> js -> wsf -> msi).
  • Earlier versions used UAC bypass techniques to deactivate the Windows 10 recovery environment via registry modifications and fodhelper.exe.
  • Injection into normal/running processes became a key tactic to broaden encryption targets and avoid straightforward detection.
  • A custom ProgID was registered under HKCU\Software\Classes with its shell\open\command value pointing at the attacker's command; fodhelper.exe then referenced that ProgID, giving the UAC bypass and command execution.
  • The campaign leverages typosquatting to lure Chrome/Edge users, emphasizing the need to type domain names carefully and to keep defenses such as AMSI and memory scanning up to date.

MITRE Techniques

  • [T1036] Masquerading – Changing file extension to evade detection – ‘changing four times (cpl -> jse -> js -> wsf -> msi)’.
  • [T1055] Process Injection – The ransomware payload was injected into running processes, enabling encryption – ‘the ransomware payload was injected into normal processes’.
  • [T1548.002] Bypass User Account Control – UAC bypass via ProgID and fodhelper.exe – ‘ProgID to change the variable registry value (HKCU:\Software\Classes\(custom progID)\shell\open\command) to be referenced from fodhelper.exe, attempting UAC bypassing.’
  • [T1112] Modify Registry – Registry modification to support execution – ‘Modifies reference registry upon execution of fodhelper.exe (HKCU:\Software\Classes\(custom progID)\shell\open\command)’.
  • [T1218] Signed Binary Proxy Execution – Use of regsvr32.exe, rundll32.exe, and wscript.exe to run payload – ‘Execution Process: regsvr32.exe’, ‘rundll32.exe’, ‘wscript.exe’.
  • [T1490] Inhibit System Recovery – Deactivation of Windows 10 recovery environment – ‘deactivation of the Windows 10 recovery environment’.
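The UAC bypass described above (T1548.002 with T1112) leaves a distinctive trace: a write to HKCU:\Software\Classes\(custom progID)\shell\open\command followed shortly by a launch of fodhelper.exe. The following is an added detection example, not code from the ASEC post, that correlates those two events in Sysmon-style telemetry (Event ID 13 RegistryEvent SetValue, Event ID 1 ProcessCreate). The event records, process IDs, ProgID name and planted command are constructed for illustration, and the assumption that the user hive appears as either `HKCU\` or `HKU\<SID>\` in the log is noted in the code.

```python
import re
from datetime import datetime, timedelta

# Registry path named in the post: HKCU:\Software\Classes\(custom progID)\shell\open\command.
# Sysmon renders the user hive as HKU\<SID>\..., so both spellings are accepted (assumption).
PROGID_CMD_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Classes\\([^\\]+)\\shell\\open\\command$",
    re.IGNORECASE,
)
# Signed binaries the post lists as Magniber's execution processes (T1218).
PROXY_HOSTS = ("regsvr32.exe", "rundll32.exe", "wscript.exe")
WINDOW = timedelta(minutes=5)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_fodhelper_hijacks(events, window=WINDOW):
    """Correlate ProgID shell\\open\\command writes with a later fodhelper.exe launch.

    `events` are dicts with Sysmon-like fields (EventID 13 = RegistryEvent SetValue,
    EventID 1 = ProcessCreate). Returns one finding per (write, launch) pair that
    falls inside `window`; a ProgID write with no fodhelper.exe afterwards is ignored,
    which keeps ordinary installers that register file types out of the results.
    """
    writes, findings = [], []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = _ts(ev["UtcTime"])
        if ev["EventID"] == 13:
            m = PROGID_CMD_RE.match(ev.get("TargetObject", ""))
            if m:
                writes.append((t, ev, m.group(1)))
        elif ev["EventID"] == 1 and ev.get("Image", "").lower().endswith("\\fodhelper.exe"):
            for wt, w, progid in writes:
                if timedelta(0) <= t - wt <= window:
                    planted = w.get("Details", "")
                    findings.append({
                        "technique": "T1548.002",
                        "progid": progid,
                        "planted_command": planted,
                        "writer_pid": w["ProcessId"],
                        "writer_image": w["Image"],
                        "fodhelper_pid": ev["ProcessId"],
                        "fodhelper_parent": ev.get("ParentImage", ""),
                        # Extra weight when the planted command runs through one of the
                        # signed proxies the post associates with this campaign.
                        "uses_proxy": any(p in planted.lower() for p in PROXY_HOSTS),
                    })
    return findings


# Constructed sample telemetry (not from the post): an installer registering a file
# type, then a script host planting a ProgID command and spawning fodhelper.exe.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2022-09-20 09:30:00", "ProcessId": 2210,
     "Image": r"C:\Program Files\Editor\setup.exe",
     "TargetObject": r"HKCU\Software\Classes\Editor.txt\shell\open\command",
     "Details": r'"C:\Program Files\Editor\editor.exe" "%1"'},
    {"EventID": 13, "UtcTime": "2022-09-20 10:00:00", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\x7q2\shell\open\command",
     "Details": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\upd.dll"},
    {"EventID": 1, "UtcTime": "2022-09-20 10:00:03", "ProcessId": 4312,
     "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for finding in find_fodhelper_hijacks(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, only the wscript.exe write paired with the fodhelper.exe launch three seconds later is reported; the installer's write half an hour earlier falls outside the window and is dropped. The time window and the proxy list are the knobs to tune: a short window keeps false positives from legitimate ProgID registration low, while a hit on regsvr32.exe, rundll32.exe or wscript.exe in the planted command matches the execution processes the post attributes to Magniber.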

Indicators of Compromise

  • [Hash] MD5 Hashes – 250a23219a576180547734430d71b0e6, d675958d39e44b310e4e57f4e4f9bc12, and 4 more hashes

Read more: https://asec.ahnlab.com/en/40422/