SYMBOLCOMMON_NAMEaka. SYNONYMS
win.magniber (Back to overview)

Magniber

URLhaus    

According to TXOne, The Magniber ransomware was first identified in late 2017 when it was discovered using the Magnitude Exploit Kit to conduct malvertising attacks against users in South Korea. However, it has remained active since then, continually updating its tactics by employing new obfuscation techniques and methods of evasion. In April 2022, Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it. It then began spreading via JavaScript in September 2022.

References
2023-03-30hasherezade's 1001 nightshasherezade
@online{hasherezade:20230330:magniber:1005a71, author = {hasherezade}, title = {{Magniber ransomware analysis: Tiny Tracer in action}}, date = {2023-03-30}, organization = {hasherezade's 1001 nights}, url = {https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/}, language = {English}, urldate = {2023-04-28} } Magniber ransomware analysis: Tiny Tracer in action
Magniber
2023-03-14GoogleBenoit Sevens
@online{sevens:20230314:magniber:5f03fd7, author = {Benoit Sevens}, title = {{Magniber ransomware actors used a variant of Microsoft SmartScreen bypass}}, date = {2023-03-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/}, language = {English}, urldate = {2023-03-20} } Magniber ransomware actors used a variant of Microsoft SmartScreen bypass
Magniber
2022-12-05CybereasonKotaro Ogino, Ralph Villanueva, Robin Plumer
@online{ogino:20221205:threat:b2ffad4, author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer}, title = {{Threat Analysis: MSI - Masquerading as a Software Installer}}, date = {2022-12-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer}, language = {English}, urldate = {2022-12-05} } Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot
2022-11-11AhnLabASEC
@online{asec:20221111:magniber:7426c1e, author = {ASEC}, title = {{Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)}}, date = {2022-11-11}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/41889/}, language = {English}, urldate = {2022-11-15} } Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)
Magniber
2022-10-13HPPatrick Schläpfer
@online{schlpfer:20221013:magniber:8c9b6f4, author = {Patrick Schläpfer}, title = {{Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates}}, date = {2022-10-13}, organization = {HP}, url = {https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/}, language = {English}, urldate = {2022-10-24} } Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates
Magniber
2022-04-30Bleeping ComputerLawrence Abrams
@online{abrams:20220430:fake:a553f90, author = {Lawrence Abrams}, title = {{Fake Windows 10 updates infect you with Magniber ransomware}}, date = {2022-04-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/}, language = {English}, urldate = {2022-05-03} } Fake Windows 10 updates infect you with Magniber ransomware
Magniber
2022-01-12AhnLabASEC Analysis Team
@online{team:20220112:magniber:29a6c92, author = {ASEC Analysis Team}, title = {{Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome}}, date = {2022-01-12}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30645/}, language = {English}, urldate = {2022-01-25} } Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome
Magniber
2022-01-12AvastJan Vojtěšek
@online{vojtek:20220112:exploit:479fe11, author = {Jan Vojtěšek}, title = {{Exploit Kits vs. Google Chrome}}, date = {2022-01-12}, organization = {Avast}, url = {https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/}, language = {English}, urldate = {2022-07-01} } Exploit Kits vs. Google Chrome
Magniber UnderminerEK
2022-01-02forensicitguyTony Lambert
@online{lambert:20220102:analyzing:7f13565, author = {Tony Lambert}, title = {{Analyzing a Magnitude EK Appx Package Dropping Magniber}}, date = {2022-01-02}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/}, language = {English}, urldate = {2022-01-25} } Analyzing a Magnitude EK Appx Package Dropping Magniber
Magniber
2021-11-11Bleeping ComputerBill Toulas
@online{toulas:20211111:magniber:f765b7f, author = {Bill Toulas}, title = {{Magniber ransomware gang now exploits Internet Explorer flaws in attacks}}, date = {2021-11-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/}, language = {English}, urldate = {2021-11-17} } Magniber ransomware gang now exploits Internet Explorer flaws in attacks
Magniber
2021-09-22CybereasonAleksandar Milenkoski, Eli Salem
@online{milenkoski:20210922:threat:cba08ae, author = {Aleksandar Milenkoski and Eli Salem}, title = {{Threat Analysis Report: PrintNightmare and Magniber Ransomware}}, date = {2021-09-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware}, language = {English}, urldate = {2021-09-28} } Threat Analysis Report: PrintNightmare and Magniber Ransomware
Magniber
2021-08-12The RecordCatalin Cimpanu
@online{cimpanu:20210812:printnightmare:026bc57, author = {Catalin Cimpanu}, title = {{PrintNightmare vulnerability weaponized by Magniber ransomware gang}}, date = {2021-08-12}, organization = {The Record}, url = {https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/}, language = {English}, urldate = {2021-08-16} } PrintNightmare vulnerability weaponized by Magniber ransomware gang
Magniber
2021-08-11CrowdStrikeLiviu Arsene
@online{arsene:20210811:teaching:aeec28a, author = {Liviu Arsene}, title = {{Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea}}, date = {2021-08-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/}, language = {English}, urldate = {2021-09-02} } Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea
Magniber
2021-07-29AvastJan Vojtěšek
@online{vojtek:20210729:magnitude:3c9e478, author = {Jan Vojtěšek}, title = {{Magnitude Exploit Kit: Still Alive and Kicking}}, date = {2021-07-29}, organization = {Avast}, url = {https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/}, language = {English}, urldate = {2021-08-03} } Magnitude Exploit Kit: Still Alive and Kicking
Magniber
2021-07-21TEAMT5Tom, Peter, Jason3e7
@online{tom:20210721:le:ce23918, author = {Tom and Peter and Jason3e7}, title = {{"Le" is not tired of this, IE is really naughty}}, date = {2021-07-21}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/}, language = {Chinese}, urldate = {2021-08-30} } "Le" is not tired of this, IE is really naughty
Magniber
2021-01-13Medium CoinmonksRakesh Krishnan, Coinmonks
@online{krishnan:20210113:passive:8e5ce1b, author = {Rakesh Krishnan and Coinmonks}, title = {{Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam}}, date = {2021-01-13}, organization = {Medium Coinmonks}, url = {https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372}, language = {English}, urldate = {2021-01-21} } Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam
Magniber
2020-12-22AhnLabASEC Analysis Team
@online{team:20201222:magniber:cb6369b, author = {ASEC Analysis Team}, title = {{Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection}}, date = {2020-12-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/19273/}, language = {English}, urldate = {2020-12-23} } Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection
Magniber
2018-07-16Malwarebytes Labshasherezade, Jérôme Segura
@online{hasherezade:20180716:magniber:60ffbb3, author = {hasherezade and Jérôme Segura}, title = {{Magniber ransomware improves, expands within Asia}}, date = {2018-07-16}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia}, language = {English}, urldate = {2023-09-12} } Magniber ransomware improves, expands within Asia
Magniber
2018-03-30AhnLabAhnLab
@online{ahnlab:20180330:magniber:5d13799, author = {AhnLab}, title = {{Magniber}}, date = {2018-03-30}, organization = {AhnLab}, url = {http://asec.ahnlab.com/1124}, language = {English}, urldate = {2019-07-09} } Magniber
Magniber
2017-12-15hasherezade
@online{hasherezade:20171215:unpacking:8c8d58c, author = {hasherezade}, title = {{Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')}}, date = {2017-12-15}, url = {https://www.youtube.com/watch?v=lqWJaaofNf4}, language = {English}, urldate = {2019-10-23} } Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')
Magniber
2017-10-18MalwarebytesMalwarebytes Labs
@online{labs:20171018:magniber:2ae5250, author = {Malwarebytes Labs}, title = {{Magniber ransomware: exclusively for South Koreans}}, date = {2017-10-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/}, language = {English}, urldate = {2019-12-20} } Magniber ransomware: exclusively for South Koreans
Magniber
Yara Rules
[TLP:WHITE] win_magniber_auto (20230808 | Detects win.magniber.)
rule win_magniber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.magniber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 83c408 837dfc00 7502 eb31 6a00 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7502                 | jne                 4
            //   eb31                 | jmp                 0x33
            //   6a00                 | push                0

        $sequence_1 = { 8b45e8 50 ff15???????? 8b4df4 51 }
            // n = 5, score = 400
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx

        $sequence_2 = { c785a0fafffff0934000 c785a4fafffff8934000 c785a8faffff00944000 c785acfaffff08944000 }
            // n = 4, score = 400
            //   c785a0fafffff0934000     | mov    dword ptr [ebp - 0x560], 0x4093f0
            //   c785a4fafffff8934000     | mov    dword ptr [ebp - 0x55c], 0x4093f8
            //   c785a8faffff00944000     | mov    dword ptr [ebp - 0x558], 0x409400
            //   c785acfaffff08944000     | mov    dword ptr [ebp - 0x554], 0x409408

        $sequence_3 = { 50 8b4df4 51 ff15???????? 8b45f8 99 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   99                   | cdq                 

        $sequence_4 = { 83c408 8b4dfc 8b55f8 6689044a }
            // n = 4, score = 400
            //   83c408               | add                 esp, 8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   6689044a             | mov                 word ptr [edx + ecx*2], ax

        $sequence_5 = { c7852cfbffff14954000 c78530fbffff1c954000 c78534fbffff24954000 c78538fbffff2c954000 c7853cfbffff34954000 c78540fbffff40954000 }
            // n = 6, score = 400
            //   c7852cfbffff14954000     | mov    dword ptr [ebp - 0x4d4], 0x409514
            //   c78530fbffff1c954000     | mov    dword ptr [ebp - 0x4d0], 0x40951c
            //   c78534fbffff24954000     | mov    dword ptr [ebp - 0x4cc], 0x409524
            //   c78538fbffff2c954000     | mov    dword ptr [ebp - 0x4c8], 0x40952c
            //   c7853cfbffff34954000     | mov    dword ptr [ebp - 0x4c4], 0x409534
            //   c78540fbffff40954000     | mov    dword ptr [ebp - 0x4c0], 0x409540

        $sequence_6 = { 66894da4 ba2f000000 668955a6 b853000000 668945a8 b943000000 }
            // n = 6, score = 400
            //   66894da4             | mov                 word ptr [ebp - 0x5c], cx
            //   ba2f000000           | mov                 edx, 0x2f
            //   668955a6             | mov                 word ptr [ebp - 0x5a], dx
            //   b853000000           | mov                 eax, 0x53
            //   668945a8             | mov                 word ptr [ebp - 0x58], ax
            //   b943000000           | mov                 ecx, 0x43

        $sequence_7 = { 0f842e010000 660f57c0 660f1345b0 6a00 8d4df8 51 6a10 }
            // n = 7, score = 400
            //   0f842e010000         | je                  0x134
            //   660f57c0             | xorpd               xmm0, xmm0
            //   660f1345b0           | movlpd              qword ptr [ebp - 0x50], xmm0
            //   6a00                 | push                0
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   51                   | push                ecx
            //   6a10                 | push                0x10

        $sequence_8 = { f76e9f 32d8 2d7a350e78 95 }
            // n = 4, score = 100
            //   f76e9f               | push                edx
            //   32d8                 | cld                 
            //   2d7a350e78           | sub                 byte ptr [edi + 0x44], bl
            //   95                   | rol                 edi, 0xd

        $sequence_9 = { 4834b0 184026 e221 a1????????05eef081 e0f8 29aed0515fa6 8d4f0e }
            // n = 7, score = 100
            //   4834b0               | sbb                 byte ptr [eax + 0x26], al
            //   184026               | dec                 eax
            //   e221                 | xor                 al, 0xb0
            //   a1????????05eef081     |     
            //   e0f8                 | sbb                 byte ptr [eax + 0x26], al
            //   29aed0515fa6         | loop                0x23
            //   8d4f0e               | loopne              0xfffffffa

        $sequence_10 = { 56 18cb 52 fc 285f44 c1c70d 11fb }
            // n = 7, score = 100
            //   56                   | dec                 eax
            //   18cb                 | xor                 al, 0xb0
            //   52                   | sbb                 byte ptr [eax + 0x26], al
            //   fc                   | loop                0x23
            //   285f44               | loopne              0xfffffffc
            //   c1c70d               | push                esi
            //   11fb                 | sbb                 bl, cl

        $sequence_11 = { e8???????? 32cb 5a b3b1 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   32cb                 | mov                 bl, 0xb1
            //   5a                   | insb                byte ptr es:[edi], dx
            //   b3b1                 | pop                 edx

        $sequence_12 = { 4e4e54 70ac 52 f8 a6 6e }
            // n = 6, score = 100
            //   4e4e54               | insb                byte ptr es:[edi], dx
            //   70ac                 | and                 dword ptr [esp + ebp*2 + 0x2e], esi
            //   52                   | dec                 eax
            //   f8                   | xor                 al, 0xb0
            //   a6                   | sbb                 byte ptr [eax + 0x26], al
            //   6e                   | loop                0x26

        $sequence_13 = { 29aed0515fa6 8d4f0e 7f4c c82cd1c6 1a32 b636 }
            // n = 6, score = 100
            //   29aed0515fa6         | loopne              0xffffffff
            //   8d4f0e               | dec                 esi
            //   7f4c                 | dec                 esi
            //   c82cd1c6             | push                esp
            //   1a32                 | jo                  0xffffffae
            //   b636                 | push                edx

        $sequence_14 = { 5a b3b1 3e6c 21746c2e 4834b0 184026 }
            // n = 6, score = 100
            //   5a                   | pop                 edx
            //   b3b1                 | mov                 bl, 0xb1
            //   3e6c                 | insb                byte ptr es:[edi], dx
            //   21746c2e             | and                 dword ptr [esp + ebp*2 + 0x2e], esi
            //   4834b0               | dec                 eax
            //   184026               | xor                 al, 0xb0

    condition:
        7 of them and filesize < 117760
}
Download all Yara Rules