win.magniber (Back to overview)

Magniber


According to TXOne, the Magniber ransomware was first identified in late 2017, when it was discovered using the Magnitude Exploit Kit to conduct malvertising attacks against users in South Korea. It has remained active since then, continually updating its tactics by employing new obfuscation techniques and evasion methods. In April 2022, Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it. It then began spreading via JavaScript in September 2022.

References
2023-03-30hasherezade's 1001 nightshasherezade
@online{hasherezade:20230330:magniber:1005a71, author = {hasherezade}, title = {{Magniber ransomware analysis: Tiny Tracer in action}}, date = {2023-03-30}, organization = {hasherezade's 1001 nights}, url = {https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/}, language = {English}, urldate = {2023-04-28} } Magniber ransomware analysis: Tiny Tracer in action
Magniber
2023-03-14GoogleBenoit Sevens
@online{sevens:20230314:magniber:5f03fd7, author = {Benoit Sevens}, title = {{Magniber ransomware actors used a variant of Microsoft SmartScreen bypass}}, date = {2023-03-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/}, language = {English}, urldate = {2023-03-20} } Magniber ransomware actors used a variant of Microsoft SmartScreen bypass
Magniber
2022-12-05CybereasonKotaro Ogino, Ralph Villanueva, Robin Plumer
@online{ogino:20221205:threat:b2ffad4, author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer}, title = {{Threat Analysis: MSI - Masquerading as a Software Installer}}, date = {2022-12-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer}, language = {English}, urldate = {2022-12-05} } Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot
2022-11-11AhnLabASEC
@online{asec:20221111:magniber:7426c1e, author = {ASEC}, title = {{Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)}}, date = {2022-11-11}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/41889/}, language = {English}, urldate = {2022-11-15} } Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)
Magniber
2022-10-13HPPatrick Schläpfer
@online{schlpfer:20221013:magniber:8c9b6f4, author = {Patrick Schläpfer}, title = {{Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates}}, date = {2022-10-13}, organization = {HP}, url = {https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/}, language = {English}, urldate = {2022-10-24} } Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates
Magniber
2022-04-30Bleeping ComputerLawrence Abrams
@online{abrams:20220430:fake:a553f90, author = {Lawrence Abrams}, title = {{Fake Windows 10 updates infect you with Magniber ransomware}}, date = {2022-04-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/}, language = {English}, urldate = {2022-05-03} } Fake Windows 10 updates infect you with Magniber ransomware
Magniber
2022-01-12AhnLabASEC Analysis Team
@online{team:20220112:magniber:29a6c92, author = {ASEC Analysis Team}, title = {{Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome}}, date = {2022-01-12}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30645/}, language = {English}, urldate = {2022-01-25} } Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome
Magniber
2022-01-12AvastJan Vojtěšek
@online{vojtek:20220112:exploit:479fe11, author = {Jan Vojtěšek}, title = {{Exploit Kits vs. Google Chrome}}, date = {2022-01-12}, organization = {Avast}, url = {https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/}, language = {English}, urldate = {2022-07-01} } Exploit Kits vs. Google Chrome
Magniber UnderminerEK
2022-01-02forensicitguyTony Lambert
@online{lambert:20220102:analyzing:7f13565, author = {Tony Lambert}, title = {{Analyzing a Magnitude EK Appx Package Dropping Magniber}}, date = {2022-01-02}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/}, language = {English}, urldate = {2022-01-25} } Analyzing a Magnitude EK Appx Package Dropping Magniber
Magniber
2021-11-11Bleeping ComputerBill Toulas
@online{toulas:20211111:magniber:f765b7f, author = {Bill Toulas}, title = {{Magniber ransomware gang now exploits Internet Explorer flaws in attacks}}, date = {2021-11-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/}, language = {English}, urldate = {2021-11-17} } Magniber ransomware gang now exploits Internet Explorer flaws in attacks
Magniber
2021-09-22CybereasonAleksandar Milenkoski, Eli Salem
@online{milenkoski:20210922:threat:cba08ae, author = {Aleksandar Milenkoski and Eli Salem}, title = {{Threat Analysis Report: PrintNightmare and Magniber Ransomware}}, date = {2021-09-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware}, language = {English}, urldate = {2021-09-28} } Threat Analysis Report: PrintNightmare and Magniber Ransomware
Magniber
2021-08-12The RecordCatalin Cimpanu
@online{cimpanu:20210812:printnightmare:026bc57, author = {Catalin Cimpanu}, title = {{PrintNightmare vulnerability weaponized by Magniber ransomware gang}}, date = {2021-08-12}, organization = {The Record}, url = {https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/}, language = {English}, urldate = {2021-08-16} } PrintNightmare vulnerability weaponized by Magniber ransomware gang
Magniber
2021-08-11CrowdStrikeLiviu Arsene
@online{arsene:20210811:teaching:aeec28a, author = {Liviu Arsene}, title = {{Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea}}, date = {2021-08-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/}, language = {English}, urldate = {2021-09-02} } Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea
Magniber
2021-07-29AvastJan Vojtěšek
@online{vojtek:20210729:magnitude:3c9e478, author = {Jan Vojtěšek}, title = {{Magnitude Exploit Kit: Still Alive and Kicking}}, date = {2021-07-29}, organization = {Avast}, url = {https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/}, language = {English}, urldate = {2021-08-03} } Magnitude Exploit Kit: Still Alive and Kicking
Magniber
2021-07-21TEAMT5Tom, Peter, Jason3e7
@online{tom:20210721:le:ce23918, author = {Tom and Peter and Jason3e7}, title = {{"Le" is not tired of this, IE is really naughty}}, date = {2021-07-21}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/}, language = {Chinese}, urldate = {2021-08-30} } "Le" is not tired of this, IE is really naughty
Magniber
2021-01-13Medium CoinmonksRakesh Krishnan, Coinmonks
@online{krishnan:20210113:passive:8e5ce1b, author = {Rakesh Krishnan and Coinmonks}, title = {{Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam}}, date = {2021-01-13}, organization = {Medium Coinmonks}, url = {https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372}, language = {English}, urldate = {2021-01-21} } Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam
Magniber
2020-12-22AhnLabASEC Analysis Team
@online{team:20201222:magniber:cb6369b, author = {ASEC Analysis Team}, title = {{Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection}}, date = {2020-12-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/19273/}, language = {English}, urldate = {2020-12-23} } Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection
Magniber
2018-03-30AhnLabAhnLab
@online{ahnlab:20180330:magniber:5d13799, author = {AhnLab}, title = {{Magniber}}, date = {2018-03-30}, organization = {AhnLab}, url = {http://asec.ahnlab.com/1124}, language = {English}, urldate = {2019-07-09} } Magniber
Magniber
2017-12-15hasherezade
@online{hasherezade:20171215:unpacking:8c8d58c, author = {hasherezade}, title = {{Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')}}, date = {2017-12-15}, url = {https://www.youtube.com/watch?v=lqWJaaofNf4}, language = {English}, urldate = {2019-10-23} } Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')
Magniber
2017-10-18MalwarebytesMalwarebytes Labs
@online{labs:20171018:magniber:2ae5250, author = {Malwarebytes Labs}, title = {{Magniber ransomware: exclusively for South Koreans}}, date = {2017-10-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/}, language = {English}, urldate = {2019-12-20} } Magniber ransomware: exclusively for South Koreans
Magniber
Yara Rules
[TLP:WHITE] win_magniber_auto (20230407 | Detects win.magniber.)
rule win_magniber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.magniber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // presumably the generator options used to select the strings below
        // (call/jump sites, data references, binary values); see the DISCLAIMER
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of x86 instruction bytes taken from unpacked or
    // dumped code (see DISCLAIMER), so expect hits on memory dumps and unpacked
    // payloads rather than on packed droppers on disk. In the annotations, "n"
    // is the number of instructions in the sequence and "score" appears to be
    // the generator's weight for it: 400 for $sequence_0-7, 100 for
    // $sequence_8-15, i.e. the latter are the weaker indicators. "????????"
    // wildcards a 4-byte call/jmp target or absolute operand so the match does
    // not depend on the load address.
    strings:
        // $sequence_0, _4, _5 and _7 store tables of absolute addresses
        // (0x409xxx) into a stack buffer; these immediates are tied to one
        // build's image layout, so expect them to drift across variants.
        $sequence_0 = { c78510feffff709b4000 c78514feffff789b4000 c78518feffff809b4000 c7851cfeffff8c9b4000 }
            // n = 4, score = 400
            //   c78510feffff709b4000     | mov    dword ptr [ebp - 0x1f0], 0x409b70
            //   c78514feffff789b4000     | mov    dword ptr [ebp - 0x1ec], 0x409b78
            //   c78518feffff809b4000     | mov    dword ptr [ebp - 0x1e8], 0x409b80
            //   c7851cfeffff8c9b4000     | mov    dword ptr [ebp - 0x1e4], 0x409b8c

        $sequence_1 = { 8b4df4 83c102 894df4 8b55f4 69d27c030000 52 }
            // n = 6, score = 400
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   83c102               | add                 ecx, 2
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   69d27c030000         | imul                edx, edx, 0x37c
            //   52                   | push                edx

        // e8 = call rel32; the relative target is wildcarded
        $sequence_2 = { e8???????? 83c404 8945f4 837df400 0f84b2000000 8b4d08 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   0f84b2000000         | je                  0xb8
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        // ff15 = call [abs32] (typically an import thunk); the address is wildcarded
        $sequence_3 = { ff15???????? 8945f0 837df0ff 0f84d6030000 6818060000 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   837df0ff             | cmp                 dword ptr [ebp - 0x10], -1
            //   0f84d6030000         | je                  0x3dc
            //   6818060000           | push                0x618

        $sequence_4 = { c78550f9ffff30914000 c78554f9ffff38914000 c78558f9ffff40914000 c7855cf9ffff48914000 }
            // n = 4, score = 400
            //   c78550f9ffff30914000     | mov    dword ptr [ebp - 0x6b0], 0x409130
            //   c78554f9ffff38914000     | mov    dword ptr [ebp - 0x6ac], 0x409138
            //   c78558f9ffff40914000     | mov    dword ptr [ebp - 0x6a8], 0x409140
            //   c7855cf9ffff48914000     | mov    dword ptr [ebp - 0x6a4], 0x409148

        $sequence_5 = { c78584f9ffff9c914000 c78588f9ffffa4914000 c7858cf9ffffac914000 c78590f9ffffb4914000 c78594f9ffffbc914000 c78598f9ffffc4914000 }
            // n = 6, score = 400
            //   c78584f9ffff9c914000     | mov    dword ptr [ebp - 0x67c], 0x40919c
            //   c78588f9ffffa4914000     | mov    dword ptr [ebp - 0x678], 0x4091a4
            //   c7858cf9ffffac914000     | mov    dword ptr [ebp - 0x674], 0x4091ac
            //   c78590f9ffffb4914000     | mov    dword ptr [ebp - 0x670], 0x4091b4
            //   c78594f9ffffbc914000     | mov    dword ptr [ebp - 0x66c], 0x4091bc
            //   c78598f9ffffc4914000     | mov    dword ptr [ebp - 0x668], 0x4091c4

        $sequence_6 = { 8b45dc 50 ff15???????? 8945d8 837dd800 7448 }
            // n = 6, score = 400
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   837dd800             | cmp                 dword ptr [ebp - 0x28], 0
            //   7448                 | je                  0x4a

        $sequence_7 = { c78594fdffff609a4000 c78598fdffff689a4000 c7859cfdffff709a4000 c785a0fdffff7c9a4000 }
            // n = 4, score = 400
            //   c78594fdffff609a4000     | mov    dword ptr [ebp - 0x26c], 0x409a60
            //   c78598fdffff689a4000     | mov    dword ptr [ebp - 0x268], 0x409a68
            //   c7859cfdffff709a4000     | mov    dword ptr [ebp - 0x264], 0x409a70
            //   c785a0fdffff7c9a4000     | mov    dword ptr [ebp - 0x260], 0x409a7c

        // NOTE(review): for $sequence_8 through $sequence_15 the mnemonic column
        // does not line up with the byte column (e.g. 90 is nop, aa is stosb,
        // fd is std, 5e is pop esi, 5a is pop edx); the annotations look shifted
        // by a few rows, so trust the bytes, not the mnemonics, when reviewing
        // these low-score sequences. The bytes themselves decode to unusual
        // instruction mixes, consistent with data or obfuscated code rather
        // than plain compiler output - another reason they carry score 100.
        $sequence_8 = { de9d164df944 ee aa 90 80715bda }
            // n = 5, score = 100
            //   de9d164df944         | jl                  0xffffff97
            //   ee                   | sal                 dword ptr [esi + 0x2a], cl
            //   aa                   | ficomp              word ptr [ebp + 0x44f94d16]
            //   90                   | out                 dx, al
            //   80715bda             | stosb               byte ptr es:[edi], al

        $sequence_9 = { fd 6acb 199335632362 7c8f d3762a }
            // n = 5, score = 100
            //   fd                   | inc                 ecx
            //   6acb                 | jns                 0xfffffff9
            //   199335632362         | std                 
            //   7c8f                 | push                -0x35
            //   d3762a               | sbb                 dword ptr [ebx + 0x62236335], edx

        $sequence_10 = { a7 639e8637a0bf 53 9f }
            // n = 4, score = 100
            //   a7                   | nop                 
            //   639e8637a0bf         | xor                 byte ptr [ecx + 0x5b], 0xda
            //   53                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   9f                   | arpl                word ptr [esi - 0x405fc87a], bx

        $sequence_11 = { e0f8 29aed0515fa6 8d4f0e 7f4c }
            // n = 4, score = 100
            //   e0f8                 | nop                 
            //   29aed0515fa6         | xor                 byte ptr [ecx + 0x5b], 0xda
            //   8d4f0e               | loopne              0xfffffffa
            //   7f4c                 | sub                 dword ptr [esi - 0x59a0ae30], ebp

        $sequence_12 = { 88475a 2c07 15ce8930e7 9b 283d98b7a0e5 }
            // n = 5, score = 100
            //   88475a               | lea                 ecx, [edi + 0xe]
            //   2c07                 | jg                  0x51
            //   15ce8930e7           | mov                 byte ptr [edi + 0x5a], al
            //   9b                   | sub                 al, 7
            //   283d98b7a0e5         | adc                 eax, 0xe73089ce

        $sequence_13 = { 7f4c c82cd1c6 1a32 b636 }
            // n = 4, score = 100
            //   7f4c                 | push                ebx
            //   c82cd1c6             | lahf                
            //   1a32                 | jg                  0x4e
            //   b636                 | enter               -0x2ed4, -0x3a

        $sequence_14 = { 5e 5a 3558e9e633 4179f1 }
            // n = 4, score = 100
            //   5e                   | loopne              0xfffffffa
            //   5a                   | pop                 esi
            //   3558e9e633           | pop                 edx
            //   4179f1               | xor                 eax, 0x33e6e958

        $sequence_15 = { 4834b0 184026 e221 a1????????05eef081 e0f8 }
            // n = 5, score = 100
            //   4834b0               | dec                 eax
            //   184026               | xor                 al, 0xb0
            //   e221                 | sbb                 byte ptr [eax + 0x26], al
            //   a1????????05eef081     |     
            //   e0f8                 | loop                0x23

    condition:
        // At least 7 of the 16 sequences must be present, with a size cap of
        // 117760 bytes (115 KiB). Note that filesize is undefined when YARA
        // scans a running process, so this rule will not fire on live process
        // scans; run it against memory dumps and unpacked files, which is also
        // where the strings were taken from (see DISCLAIMER).
        7 of them and filesize < 117760
}