ASEC reports Magniber being distributed in Korea disguised as MSI Windows installers, using a MOTW bypass and base64-encoded links to evade blocking. The campaign uses MSI Custom Actions to execute the Magniber DLL, deletes volume shadow copies to hinder recovery, relies on typosquatted domains, and is detected by AhnLab MDS and EDR. #Magniber #AhnLab #MOTW #MSI #WindowsInstaller #VolumeShadowCopy #typosquatting
Keypoints
- Magniber is redistributed in Korea via MSI installers masquerading as Windows update files (example names include MS.Update.Center.Security.KB17347418.msi, KB2562020.msi, KB44945726.msi).
- The distribution uses a MOTW bypass: the download is embedded in an <a> tag and its href is base64-encoded to evade domain-based blocking.
- Because the Magniber file (ZIP or MSI) is downloaded through a script, its HostUrl is recorded as about:internet rather than the actual domain, which hinders domain-based filtering.
- Magniber is delivered inside an MSI package, with the ransomware DLL included and executed via MSI’s Custom Action table.
- Security products observe multiple layers of defense interactions: MDS sandbox detects Magniber; EDR flags the downloaded .zip as ransomware; VirusTotal does not consistently detect it.
- The campaign uses typosquatting to target Chrome/Edge users running the latest Windows version, so careful attention to typed domain names is a defensive need.
- IOCs include Magniber DLL creation path and MD5 hashes, Magniber MSI MD5 hashes, and labeled detections (Ransomware/Win.Magniber…).
MITRE Techniques
- [T1036] Masquerading – The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files. Quote: ‘The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files.’
- [T1027] Obfuscated/Compressed Files and Information – The href of the <a> tag is base64-encoded and then added as a script that performs the download. Quote: ‘the href of its <a> tag encoded in base64.’
- [T1189] Drive-by Compromise – Typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version. Quote: ‘typosquatting method that exploits typos made when entering domains, targeting Chrome and Edge users with the latest Windows version.’
- [T1543.003] Windows Installer – The MSI package uses a Custom Action to execute the Magniber DLL during installation. Quote: ‘The attacker exploited this feature to have the export function of Magniber executed when MSI is run.’
- [T1490] Inhibit System Recovery – The executed DLL deletes volume shadow copies to hinder recovery from encryption. Quote: ‘deletes volume shadow copies.’
Indicators of Compromise
- [File Path] Magniber dll Creation Path – C:\Users\[UserName]\AppData\Local\Temp\MSI[Random 4 digits].tmp
- [File] Magniber msi File Detection – Ransomware/Win.Magniber (2022.01.30.01), Ransomware/Win.Magniber.C554966 (2022.01.30.01)
- [MD5] Magniber dll MD5 – 35c3743df22ea0de26aeac37a88da1c9, 0723b125887e632bd2203680b75efb57, and 2 more hashes
- [MD5] Magniber msi MD5 – 65ac438561b3a415876dff89d2804a13, 35c3743df22ea0de26aeac37a88da1c9, and 2 more hashes
Read more: https://asec.ahnlab.com/en/47287/