win.magniber

Magniber


According to TXOne, Magniber ransomware was first identified in late 2017, when it was found being delivered by the Magnitude Exploit Kit through malvertising attacks against users in South Korea. It has remained active since then, continually updating its tactics with new obfuscation and evasion techniques. In April 2022 Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it, and in September 2022 it began spreading via JavaScript files. The references below also trace its 2021 use of Internet Explorer vulnerabilities and of PrintNightmare, and its later attempts to bypass Mark of the Web and SmartScreen.

References
2023-03-30  hasherezade's 1001 nights (hasherezade)
    Magniber ransomware analysis: Tiny Tracer in action
    Families: Magniber

2023-03-14  Google (Benoit Sevens)
    Magniber ransomware actors used a variant of Microsoft SmartScreen bypass
    Families: Magniber

2022-12-05  Cybereason (Kotaro Ogino, Ralph Villanueva, Robin Plumer)
    Threat Analysis: MSI - Masquerading as a Software Installer
    Families: Magniber, Matanbuchus, QakBot

2022-11-11  AhnLab (ASEC)
    Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)
    Families: Magniber

2022-10-13  HP (Patrick Schläpfer)
    Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates
    Families: Magniber

2022-04-30  Bleeping Computer (Lawrence Abrams)
    Fake Windows 10 updates infect you with Magniber ransomware
    Families: Magniber

2022-01-12  Avast (Jan Vojtěšek)
    Exploit Kits vs. Google Chrome
    Families: Magniber, UnderminerEK

2022-01-12  AhnLab (ASEC Analysis Team)
    Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome
    Families: Magniber

2022-01-02  forensicitguy (Tony Lambert)
    Analyzing a Magnitude EK Appx Package Dropping Magniber
    Families: Magniber

2021-11-11  Bleeping Computer (Bill Toulas)
    Magniber ransomware gang now exploits Internet Explorer flaws in attacks
    Families: Magniber

2021-09-22  Cybereason (Aleksandar Milenkoski, Eli Salem)
    Threat Analysis Report: PrintNightmare and Magniber Ransomware
    Families: Magniber

2021-08-12  The Record (Catalin Cimpanu)
    PrintNightmare vulnerability weaponized by Magniber ransomware gang
    Families: Magniber

2021-08-11  CrowdStrike (Liviu Arsene)
    Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea
    Families: Magniber

2021-07-29  Avast (Jan Vojtěšek)
    Magnitude Exploit Kit: Still Alive and Kicking
    Families: Magniber

2021-07-21  TEAMT5 (Jason3e7, Peter, Tom)
    "Le" is not tired of this, IE is really naughty
    Families: Magniber

2021-01-13  Medium Coinmonks (Coinmonks, Rakesh Krishnan)
    Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam
    Families: Magniber

2020-12-22  AhnLab (ASEC Analysis Team)
    Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection
    Families: Magniber

2018-07-16  Malwarebytes Labs (hasherezade, Jérôme Segura)
    Magniber ransomware improves, expands within Asia
    Families: Magniber

2018-03-30  AhnLab (AhnLab)
    Magniber
    Families: Magniber

2017-12-15  hasherezade
    Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')
    Families: Magniber

2017-10-19  Mandiant (Muhammad Umair)
    Magniber Ransomware Wants to Infect Only the Right People
    Families: Magniber

2017-10-18  Malwarebytes (Malwarebytes Labs)
    Magniber ransomware: exclusively for South Koreans
    Families: Magniber
Yara Rules
[TLP:WHITE] win_magniber_auto (20260504 | Detects win.magniber.)
rule win_magniber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.magniber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b8270040000 3b45f8 733c b902000000 6bc9ff 8b55f8 }
            // n = 6, score = 400
            //   8b8270040000         | mov                 eax, dword ptr [edx + 0x470]
            //   3b45f8               | cmp                 eax, dword ptr [ebp - 8]
            //   733c                 | jae                 0x3e
            //   b902000000           | mov                 ecx, 2
            //   6bc9ff               | imul                ecx, ecx, -1
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_1 = { b820000000 668945ba b92f000000 66894dbc ba4d000000 668955be }
            // n = 6, score = 400
            //   b820000000           | mov                 eax, 0x20
            //   668945ba             | mov                 word ptr [ebp - 0x46], ax
            //   b92f000000           | mov                 ecx, 0x2f
            //   66894dbc             | mov                 word ptr [ebp - 0x44], cx
            //   ba4d000000           | mov                 edx, 0x4d
            //   668955be             | mov                 word ptr [ebp - 0x42], dx

        $sequence_2 = { 50 ff15???????? 8d4dd4 51 8d9564f7ffff }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   51                   | push                ecx
            //   8d9564f7ffff         | lea                 edx, [ebp - 0x89c]

        $sequence_3 = { c74580e89e4000 c74584f89e4000 c74588009f4000 c7458c089f4000 c74590109f4000 c74594189f4000 }
            // n = 6, score = 400
            //   c74580e89e4000       | mov                 dword ptr [ebp - 0x80], 0x409ee8
            //   c74584f89e4000       | mov                 dword ptr [ebp - 0x7c], 0x409ef8
            //   c74588009f4000       | mov                 dword ptr [ebp - 0x78], 0x409f00
            //   c7458c089f4000       | mov                 dword ptr [ebp - 0x74], 0x409f08
            //   c74590109f4000       | mov                 dword ptr [ebp - 0x70], 0x409f10
            //   c74594189f4000       | mov                 dword ptr [ebp - 0x6c], 0x409f18

        $sequence_4 = { 83ea01 69d27c030000 0355e4 52 e8???????? 83c40c }
            // n = 6, score = 400
            //   83ea01               | sub                 edx, 1
            //   69d27c030000         | imul                edx, edx, 0x37c
            //   0355e4               | add                 edx, dword ptr [ebp - 0x1c]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_5 = { c785e0feffff949d4000 c785e4feffff9c9d4000 c785e8feffffa49d4000 c785ecfeffffac9d4000 c785f0feffffb49d4000 c785f4feffffbc9d4000 }
            // n = 6, score = 400
            //   c785e0feffff949d4000     | mov    dword ptr [ebp - 0x120], 0x409d94
            //   c785e4feffff9c9d4000     | mov    dword ptr [ebp - 0x11c], 0x409d9c
            //   c785e8feffffa49d4000     | mov    dword ptr [ebp - 0x118], 0x409da4
            //   c785ecfeffffac9d4000     | mov    dword ptr [ebp - 0x114], 0x409dac
            //   c785f0feffffb49d4000     | mov    dword ptr [ebp - 0x110], 0x409db4
            //   c785f4feffffbc9d4000     | mov    dword ptr [ebp - 0x10c], 0x409dbc

        $sequence_6 = { 6a02 6800000040 8b55f4 52 }
            // n = 4, score = 400
            //   6a02                 | push                2
            //   6800000040           | push                0x40000000
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   52                   | push                edx

        $sequence_7 = { 66894dec ba65000000 668955ee b878000000 668945f0 b965000000 66894df2 }
            // n = 7, score = 400
            //   66894dec             | mov                 word ptr [ebp - 0x14], cx
            //   ba65000000           | mov                 edx, 0x65
            //   668955ee             | mov                 word ptr [ebp - 0x12], dx
            //   b878000000           | mov                 eax, 0x78
            //   668945f0             | mov                 word ptr [ebp - 0x10], ax
            //   b965000000           | mov                 ecx, 0x65
            //   66894df2             | mov                 word ptr [ebp - 0xe], cx

        // The eight score-100 sequences below were tokenized as 64-bit code
        // (REX-prefixed 4834b0 and 4baa are single instructions, and a1 carries
        // an 8-byte absolute address), so their annotations use 64-bit operand
        // forms. The earlier auto-generated annotations were shifted against
        // the bytes for several of these sequences and have been re-decoded.
        $sequence_8 = { 2c07 15ce8930e7 9b 283d98b7a0e5 }
            // n = 4, score = 100
            //   2c07                 | sub                 al, 7
            //   15ce8930e7           | adc                 eax, 0xe73089ce
            //   9b                   | wait                
            //   283d98b7a0e5         | sub                 byte ptr [rip - 0x1a5f4868], bh

        $sequence_9 = { 4834b0 184026 e221 a1????????05eef081 e0f8 }
            // n = 5, score = 100
            //   4834b0               | xor                 al, 0xb0   (REX.W prefix, no effect)
            //   184026               | sbb                 byte ptr [rax + 0x26], al
            //   e221                 | loop                0x23
            //   a1????????05eef081   | mov                 eax, dword ptr [moffs64]   (low dword of the address wildcarded)
            //   e0f8                 | loopne              0xfffffffa

        $sequence_10 = { 097934 50 5e 5a }
            // n = 4, score = 100
            //   097934               | or                  dword ptr [rcx + 0x34], edi
            //   50                   | push                rax
            //   5e                   | pop                 rsi
            //   5a                   | pop                 rdx

        $sequence_11 = { 32cb 5a b3b1 3e6c 21746c2e 4834b0 }
            // n = 6, score = 100
            //   32cb                 | xor                 cl, bl
            //   5a                   | pop                 rdx
            //   b3b1                 | mov                 bl, 0xb1
            //   3e6c                 | insb                byte ptr [rdi], dx   (ds: prefix)
            //   21746c2e             | and                 dword ptr [rsp + rbp*2 + 0x2e], esi
            //   4834b0               | xor                 al, 0xb0   (REX.W prefix, no effect)

        $sequence_12 = { a1????????ba30f7a3 873428 de9d164df944 ee aa }
            // n = 5, score = 100
            //   a1????????ba30f7a3   | mov                 eax, dword ptr [moffs64]   (low dword of the address wildcarded)
            //   873428               | xchg                dword ptr [rax + rbp], esi
            //   de9d164df944         | ficomp              word ptr [rbp + 0x44f94d16]
            //   ee                   | out                 dx, al
            //   aa                   | stosb               byte ptr [rdi], al

        $sequence_13 = { 87f2 4baa 055457541d e9???????? bc12819787 bbdd81d473 ba2326dc05 }
            // n = 7, score = 100
            //   87f2                 | xchg                edx, esi
            //   4baa                 | stosb               byte ptr [rdi], al   (REX prefix, no effect)
            //   055457541d           | add                 eax, 0x1d545754
            //   e9????????           | jmp                 (target wildcarded)
            //   bc12819787           | mov                 esp, 0x87978112
            //   bbdd81d473           | mov                 ebx, 0x73d481dd
            //   ba2326dc05           | mov                 edx, 0x5dc2623

        $sequence_14 = { 199335632362 7c8f d3762a 258bdb888d }
            // n = 4, score = 100
            //   199335632362         | sbb                 dword ptr [rbx + 0x62236335], edx
            //   7c8f                 | jl                  0xffffff91
            //   d3762a               | sal                 dword ptr [rsi + 0x2a], cl
            //   258bdb888d           | and                 eax, 0x8d88db8b

        $sequence_15 = { d2e2 5a 0bb96e327b31 d8df }
            // n = 4, score = 100
            //   d2e2                 | shl                 dl, cl
            //   5a                   | pop                 rdx
            //   0bb96e327b31         | or                  edi, dword ptr [rcx + 0x317b326e]
            //   d8df                 | fcomp               st(7)

    condition:
        7 of them and filesize < 117760
}
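To see what the condition `7 of them and filesize < 117760` actually requires of a scanned object, the following is an added example (my own code, not Malpedia's or yara-signator's) that re-implements the rule's hex strings and condition in plain Python, without yara-python. It supports exactly the two token forms the rule uses (fixed bytes and `??` whole-byte wildcards); the byte buffers it scans are constructed for the demonstration and are not real samples. Note that the rule was generated from unpacked and dumped code, so the size bound applies to the object you actually scan, not to a packed dropper on disk.

```python
"""Added example (not Malpedia's or yara-signator's code): a minimal evaluator
for the hex strings and the `7 of them and filesize < 117760` condition of
win_magniber_auto. Only the token forms this rule uses are supported: fixed hex
bytes and `??` whole-byte wildcards. All scanned buffers are constructed here."""
import re

# Hex strings copied verbatim from the rule.
MAGNIBER_SEQUENCES = {
    "sequence_0": "8b8270040000 3b45f8 733c b902000000 6bc9ff 8b55f8",
    "sequence_1": "b820000000 668945ba b92f000000 66894dbc ba4d000000 668955be",
    "sequence_2": "50 ff15???????? 8d4dd4 51 8d9564f7ffff",
    "sequence_3": "c74580e89e4000 c74584f89e4000 c74588009f4000 c7458c089f4000 c74590109f4000 c74594189f4000",
    "sequence_4": "83ea01 69d27c030000 0355e4 52 e8???????? 83c40c",
    "sequence_5": "c785e0feffff949d4000 c785e4feffff9c9d4000 c785e8feffffa49d4000 c785ecfeffffac9d4000 c785f0feffffb49d4000 c785f4feffffbc9d4000",
    "sequence_6": "6a02 6800000040 8b55f4 52",
    "sequence_7": "66894dec ba65000000 668955ee b878000000 668945f0 b965000000 66894df2",
    "sequence_8": "2c07 15ce8930e7 9b 283d98b7a0e5",
    "sequence_9": "4834b0 184026 e221 a1????????05eef081 e0f8",
    "sequence_10": "097934 50 5e 5a",
    "sequence_11": "32cb 5a b3b1 3e6c 21746c2e 4834b0",
    "sequence_12": "a1????????ba30f7a3 873428 de9d164df944 ee aa",
    "sequence_13": "87f2 4baa 055457541d e9???????? bc12819787 bbdd81d473 ba2326dc05",
    "sequence_14": "199335632362 7c8f d3762a 258bdb888d",
    "sequence_15": "d2e2 5a 0bb96e327b31 d8df",
}
FILESIZE_LIMIT = 117760   # from the rule's condition
MIN_MATCHES = 7           # "7 of them"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex; `??` matches any one byte."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError(f"odd-length hex string: {pattern!r}")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F]{2}", pair):
            parts.append(re.escape(bytes([int(pair, 16)])))
        else:  # nibble wildcards (4?) and jumps ([4-6]) are not used by this rule
            raise ValueError(f"unsupported token {pair!r} in {pattern!r}")
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in MAGNIBER_SEQUENCES.items()}


def matched_strings(data: bytes) -> list:
    """Names of the rule's strings that occur anywhere in `data`."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """The rule's condition: at least 7 strings present and the object under 117760 bytes."""
    return len(matched_strings(data)) >= MIN_MATCHES and len(data) < FILESIZE_LIMIT


def sequence_bytes(pattern: str) -> bytes:
    """Concrete bytes for a pattern, each `??` filled with 0x00 (only to build test input)."""
    return bytes(0 if p == "??" else int(p, 16)
                 for p in re.findall(r"..", pattern.replace(" ", "")))


def build_synthetic(n_sequences: int) -> bytes:
    """Constructed buffer: the first n sequences separated by NOP padding. Not a real sample."""
    padding = b"\x90" * 16
    chunks = [sequence_bytes(MAGNIBER_SEQUENCES[f"sequence_{i}"]) for i in range(n_sequences)]
    return padding + padding.join(chunks) + padding


if __name__ == "__main__":
    for n in (6, 7):
        buf = build_synthetic(n)
        print(f"{n} sequences, {len(buf)} bytes: matched={len(matched_strings(buf))}, rule={rule_matches(buf)}")
    big = build_synthetic(16) + b"\x00" * FILESIZE_LIMIT
    print(f"all 16 sequences but {len(big)} bytes: rule={rule_matches(big)} (filesize gate)")
```

With six sequences present the rule does not fire; with seven it does; with all sixteen present but the buffer at or above 117760 bytes it does not, which is the case to keep in mind when scanning a full memory region rather than an extracted image.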
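Sequences 1 and 7 of the rule are the wide-char stack-string idiom: load a character constant into a 32-bit register, then store its low 16 bits at a fixed offset below ebp (0x20 ' ', 0x2f '/', 0x4d 'M' in sequence 1; 0x65 'e', 0x78 'x', 0x65 'e' in sequence 7). The decoder below is an added example (my own code, not Malpedia's or yara-signator's) that rebuilds such strings from listing text in the `hexbytes | mnemonic operands` form the rule's annotations use. The two listings are copied from the rule's annotations and are constructed inputs; because each sequence covers only a few instructions, only fragments come back, and a slot whose register value the listing never sets is shown as '?'.

```python
"""Added example (not Malpedia's or yara-signator's code): reconstruct UTF-16
stack strings built with `mov r32, imm` / `mov word ptr [ebp - off], r16` pairs,
from listing lines in the `hexbytes | mnemonic operands` form used by the rule's
annotations. The listings below are copied from the rule and are constructed input."""
import re

LOW16 = {"ax": "eax", "cx": "ecx", "dx": "edx", "bx": "ebx"}  # 16-bit half -> 32-bit register
MOV_IMM = re.compile(r"^mov\s+(e[abcd]x),\s*(0x[0-9a-f]+|\d+)$", re.I)
MOV_STORE = re.compile(r"^mov\s+word ptr \[ebp - (0x[0-9a-f]+)\],\s*([abcd]x)$", re.I)

SEQUENCE_1 = """\
b820000000 | mov eax, 0x20
668945ba | mov word ptr [ebp - 0x46], ax
b92f000000 | mov ecx, 0x2f
66894dbc | mov word ptr [ebp - 0x44], cx
ba4d000000 | mov edx, 0x4d
668955be | mov word ptr [ebp - 0x42], dx
"""

SEQUENCE_7 = """\
66894dec | mov word ptr [ebp - 0x14], cx
ba65000000 | mov edx, 0x65
668955ee | mov word ptr [ebp - 0x12], dx
b878000000 | mov eax, 0x78
668945f0 | mov word ptr [ebp - 0x10], ax
b965000000 | mov ecx, 0x65
66894df2 | mov word ptr [ebp - 0xe], cx
"""


def parse_stores(listing: str) -> dict:
    """Return {ebp_offset: 16-bit value or None} for every `mov word ptr [ebp - off], r16`.
    The value is the low half of the register as set by the latest `mov r32, imm`;
    None means the listing never assigned that register before the store."""
    regs, slots = {}, {}
    for raw in listing.splitlines():
        text = raw.split("|", 1)[1] if "|" in raw else raw   # drop the hex-bytes column
        text = text.strip()
        m = MOV_IMM.match(text)
        if m:
            regs[m.group(1).lower()] = int(m.group(2), 0)
            continue
        m = MOV_STORE.match(text)
        if m:
            off, reg = int(m.group(1), 16), LOW16[m.group(2).lower()]
            slots[off] = regs[reg] & 0xFFFF if reg in regs else None
    return slots


def reconstruct_stack_string(listing: str) -> str:
    """Order the stored words by address (a larger ebp offset is a lower address, so an
    earlier character) and decode them as UTF-16 code units; unknown slots become '?'."""
    slots = parse_stores(listing)
    if not slots:
        return ""
    hi, lo = max(slots), min(slots)
    out = []
    for off in range(hi, lo - 1, -2):          # walk upward in memory, one word at a time
        value = slots.get(off)
        out.append(chr(value) if value is not None else "?")
    return "".join(out)


if __name__ == "__main__":
    for name, listing in (("sequence_1", SEQUENCE_1), ("sequence_7", SEQUENCE_7)):
        print(f"{name}: {reconstruct_stack_string(listing)!r}")
```

Sequence 1 yields `' /M'` and sequence 7 yields `'?exe'`; the same parser can be pointed at a longer listing of the surrounding function to recover the whole string, since the page shows only the instructions the signature selected.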