win.magniber

Magniber


According to TXOne, the Magniber ransomware was first identified in late 2017, when it was observed using the Magnitude Exploit Kit in malvertising attacks against users in South Korea. It has remained active since then, continually updating its tactics with new obfuscation and evasion techniques. In April 2022, Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it, and in September 2022 it began spreading via JavaScript.

References (date | source | author(s) | title | families covered)

2023-03-30 | hasherezade's 1001 nights | hasherezade | Magniber ransomware analysis: Tiny Tracer in action | Magniber
2023-03-14 | Google | Benoit Sevens | Magniber ransomware actors used a variant of Microsoft SmartScreen bypass | Magniber
2022-12-05 | Cybereason | Kotaro Ogino, Ralph Villanueva, Robin Plumer | Threat Analysis: MSI - Masquerading as a Software Installer | Magniber, Matanbuchus, QakBot
2022-11-11 | AhnLab | ASEC | Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) | Magniber
2022-10-13 | HP | Patrick Schläpfer | Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates | Magniber
2022-04-30 | Bleeping Computer | Lawrence Abrams | Fake Windows 10 updates infect you with Magniber ransomware | Magniber
2022-01-12 | Avast | Jan Vojtěšek | Exploit Kits vs. Google Chrome | Magniber, UnderminerEK
2022-01-12 | AhnLab | ASEC Analysis Team | Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome | Magniber
2022-01-02 | forensicitguy | Tony Lambert | Analyzing a Magnitude EK Appx Package Dropping Magniber | Magniber
2021-11-11 | Bleeping Computer | Bill Toulas | Magniber ransomware gang now exploits Internet Explorer flaws in attacks | Magniber
2021-09-22 | Cybereason | Aleksandar Milenkoski, Eli Salem | Threat Analysis Report: PrintNightmare and Magniber Ransomware | Magniber
2021-08-12 | The Record | Catalin Cimpanu | PrintNightmare vulnerability weaponized by Magniber ransomware gang | Magniber
2021-08-11 | CrowdStrike | Liviu Arsene | Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea | Magniber
2021-07-29 | Avast | Jan Vojtěšek | Magnitude Exploit Kit: Still Alive and Kicking | Magniber
2021-07-21 | TEAMT5 | Jason3e7, Peter, Tom | "Le" is not tired of this, IE is really naughty | Magniber
2021-01-13 | Medium Coinmonks | Coinmonks, Rakesh Krishnan | Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam | Magniber
2020-12-22 | AhnLab | ASEC Analysis Team | Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection | Magniber
2018-07-16 | Malwarebytes Labs | hasherezade, Jérôme Segura | Magniber ransomware improves, expands within Asia | Magniber
2018-03-30 | AhnLab | AhnLab | Magniber | Magniber
2017-12-15 | hasherezade | hasherezade | Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder') | Magniber
2017-10-19 | Mandiant | Muhammad Umair | Magniber Ransomware Wants to Infect Only the Right People | Magniber
2017-10-18 | Malwarebytes | Malwarebytes Labs | Magniber ransomware: exclusively for South Koreans | Magniber
Yara Rules
[TLP:WHITE] win_magniber_auto (20230808 | Detects win.magniber.)
rule win_magniber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.magniber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 83c408 837dfc00 7502 eb31 6a00 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7502                 | jne                 4
            //   eb31                 | jmp                 0x33
            //   6a00                 | push                0

        $sequence_1 = { 8b45e8 50 ff15???????? 8b4df4 51 }
            // n = 5, score = 400
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx

        $sequence_2 = { c785a0fafffff0934000 c785a4fafffff8934000 c785a8faffff00944000 c785acfaffff08944000 }
            // n = 4, score = 400
            //   c785a0fafffff0934000     | mov    dword ptr [ebp - 0x560], 0x4093f0
            //   c785a4fafffff8934000     | mov    dword ptr [ebp - 0x55c], 0x4093f8
            //   c785a8faffff00944000     | mov    dword ptr [ebp - 0x558], 0x409400
            //   c785acfaffff08944000     | mov    dword ptr [ebp - 0x554], 0x409408

        $sequence_3 = { 50 8b4df4 51 ff15???????? 8b45f8 99 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   99                   | cdq                 

        $sequence_4 = { 83c408 8b4dfc 8b55f8 6689044a }
            // n = 4, score = 400
            //   83c408               | add                 esp, 8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   6689044a             | mov                 word ptr [edx + ecx*2], ax

        $sequence_5 = { c7852cfbffff14954000 c78530fbffff1c954000 c78534fbffff24954000 c78538fbffff2c954000 c7853cfbffff34954000 c78540fbffff40954000 }
            // n = 6, score = 400
            //   c7852cfbffff14954000     | mov    dword ptr [ebp - 0x4d4], 0x409514
            //   c78530fbffff1c954000     | mov    dword ptr [ebp - 0x4d0], 0x40951c
            //   c78534fbffff24954000     | mov    dword ptr [ebp - 0x4cc], 0x409524
            //   c78538fbffff2c954000     | mov    dword ptr [ebp - 0x4c8], 0x40952c
            //   c7853cfbffff34954000     | mov    dword ptr [ebp - 0x4c4], 0x409534
            //   c78540fbffff40954000     | mov    dword ptr [ebp - 0x4c0], 0x409540

        $sequence_6 = { 66894da4 ba2f000000 668955a6 b853000000 668945a8 b943000000 }
            // n = 6, score = 400
            //   66894da4             | mov                 word ptr [ebp - 0x5c], cx
            //   ba2f000000           | mov                 edx, 0x2f
            //   668955a6             | mov                 word ptr [ebp - 0x5a], dx
            //   b853000000           | mov                 eax, 0x53
            //   668945a8             | mov                 word ptr [ebp - 0x58], ax
            //   b943000000           | mov                 ecx, 0x43

        $sequence_7 = { 0f842e010000 660f57c0 660f1345b0 6a00 8d4df8 51 6a10 }
            // n = 7, score = 400
            //   0f842e010000         | je                  0x134
            //   660f57c0             | xorpd               xmm0, xmm0
            //   660f1345b0           | movlpd              qword ptr [ebp - 0x50], xmm0
            //   6a00                 | push                0
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   51                   | push                ecx
            //   6a10                 | push                0x10

        $sequence_8 = { f76e9f 32d8 2d7a350e78 95 }
            // n = 4, score = 100
            //   f76e9f               | push                edx
            //   32d8                 | cld                 
            //   2d7a350e78           | sub                 byte ptr [edi + 0x44], bl
            //   95                   | rol                 edi, 0xd

        $sequence_9 = { 4834b0 184026 e221 a1????????05eef081 e0f8 29aed0515fa6 8d4f0e }
            // n = 7, score = 100
            //   4834b0               | sbb                 byte ptr [eax + 0x26], al
            //   184026               | dec                 eax
            //   e221                 | xor                 al, 0xb0
            //   a1????????05eef081     |     
            //   e0f8                 | sbb                 byte ptr [eax + 0x26], al
            //   29aed0515fa6         | loop                0x23
            //   8d4f0e               | loopne              0xfffffffa

        $sequence_10 = { 56 18cb 52 fc 285f44 c1c70d 11fb }
            // n = 7, score = 100
            //   56                   | dec                 eax
            //   18cb                 | xor                 al, 0xb0
            //   52                   | sbb                 byte ptr [eax + 0x26], al
            //   fc                   | loop                0x23
            //   285f44               | loopne              0xfffffffc
            //   c1c70d               | push                esi
            //   11fb                 | sbb                 bl, cl

        $sequence_11 = { e8???????? 32cb 5a b3b1 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   32cb                 | mov                 bl, 0xb1
            //   5a                   | insb                byte ptr es:[edi], dx
            //   b3b1                 | pop                 edx

        $sequence_12 = { 4e4e54 70ac 52 f8 a6 6e }
            // n = 6, score = 100
            //   4e4e54               | insb                byte ptr es:[edi], dx
            //   70ac                 | and                 dword ptr [esp + ebp*2 + 0x2e], esi
            //   52                   | dec                 eax
            //   f8                   | xor                 al, 0xb0
            //   a6                   | sbb                 byte ptr [eax + 0x26], al
            //   6e                   | loop                0x26

        $sequence_13 = { 29aed0515fa6 8d4f0e 7f4c c82cd1c6 1a32 b636 }
            // n = 6, score = 100
            //   29aed0515fa6         | loopne              0xffffffff
            //   8d4f0e               | dec                 esi
            //   7f4c                 | dec                 esi
            //   c82cd1c6             | push                esp
            //   1a32                 | jo                  0xffffffae
            //   b636                 | push                edx

        $sequence_14 = { 5a b3b1 3e6c 21746c2e 4834b0 184026 }
            // n = 6, score = 100
            //   5a                   | pop                 edx
            //   b3b1                 | mov                 bl, 0xb1
            //   3e6c                 | insb                byte ptr es:[edi], dx
            //   21746c2e             | and                 dword ptr [esp + ebp*2 + 0x2e], esi
            //   4834b0               | dec                 eax
            //   184026               | xor                 al, 0xb0

    condition:
        7 of them and filesize < 117760
}