[MART] - Daily Diary #613 - Magniber Ransomware Targets Home Users

ctas-mat at appgate.com ctas-mat at appgate.com
Thu Oct 13 21:25:33 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

10/13/2022 - Diary entry #613:

In August last year, we covered in our Daily Diary #326 threat actors abusing PrintNightmare, an exploit that was publicly released for a zero-day vulnerability affecting multiple versions of Windows. While Microsoft was releasing security patches for the vulnerabilities, some Ransomware operators were observed exploiting them to compromise their targets and move laterally to deploy malicious payloads. One of those operators was from the Magniber ransomware group.

The Magniber group is known for its use of vulnerabilities to breach systems and deploy ransomware. Their recent campaigns show that they are focused on infecting home users with fake security update software. In January this year, they used fake browser updates to push malicious Windows application package files. In April, they distributed ransomware as a Windows 10 update via a network of malicious websites.

Most recently, Magniber started to distribute its loaders via malicious JScript files, instead of MSI and EXE files like in previous campaigns. Using JS files to infect victims is a well-known vector detected by many security solutions. Because of that, the JS code uses a technique to load a .NET executable in memory, not writing the ransomware on the disk. Then, the .NET decodes a shellcode and injects it into another process. Before encrypting the victim’s files, it deletes all shadow copy files and disables Windows’ backup and recovery features.

Most ransomware groups nowadays focus on mid-size or big companies so they can maximize their profits. Magniber curiously uses a different strategy demanding a cheaper ransom payment. Because of that, they rely on infecting as many users as possible and triggering vulnerabilities with a large attack surface.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20221013/12a2829a/attachment.htm>

More information about the MART mailing list