SOC Incident Toolkit
Magniber Ransomware Used a Variant of Microsoft SmartScreen Bypass with Malformed Signature

Tags: Magniber, SmartScreen, Ransomware

Magniber ransomware, which targeted Asian countries in 2017, has continued its attacks since 2021 with an expanded, worldwide set of targets.

Indicators of Compromise

Domains (68)

themomerator.com
pastor.cn
tcog.org
mayibeofservice.com
subscribe.3gbling.com
secure.azurexinhewood-cn.com
travel.dianatokaji.com
ac.net.pe
abuhureira.sc.ke
mawuqiis.xyz
vividworld.net
coating.drrooter.com
whneat.com
quangdecalshop.com
orhung.space
longate.monster
halldie.fit
dofight.monster
googleanalyticstag.com
actsred.site
(+48 more)

Hashes (243)


IPv4 (135)

37.14.229.220
50.68.204.7124.228.132.224 (two addresses run together in the source)
76.80.180.154
77.126.81.208
91.68.227.219
86.165.15.180
98.142.251.29
176.142.207.63
192.161.184.110
23.240.47.58
71.183.236.133
64.207.237.118
138.128.163.242
91.169.12.198
192.185.171.113
131.106.168.223
87.202.101.164
24.116.45.12186.130.9.167 (two addresses run together in the source)
(+115 more)

CVEs (3)

CVE-2021-25369
CVE-2021-25370
CVE-2021-25337

Notes

Conclusions

Magniber operators appear to be ramping up their attacks against Windows-based systems. We recommend that home users take regular backups of their important files and, where possible, keep critical data on isolated storage devices. Confirm that the system is not infected before and while the backup is taken, so the backup itself stays clean.

Mitigation

Table 1. MITRE ATT&CK Tactics and Techniques

Execution
  T1204.002  User Execution: Malicious File
    Magniber disguises itself as a .msi software installer to lure users into opening it.
  T1106  Native API
    Magniber uses native Windows syscalls to make analysis more difficult.

Privilege Escalation
  T1055.009  Thread Execution Hijacking
    Magniber enumerates processes and injects shellcode into them to run its encryption routine with higher privileges.
  T1574.011  Services Registry Permissions Weakness
    Magniber overwrites the registry value that fodhelper.exe references when it runs.
  T1548.002  Bypass User Account Control
    Magniber overwrites the registry entry used by fodhelper.exe to bypass UAC and run its malicious VBScript with administrator privileges.

Defense Evasion
  T1140  Deobfuscate/Decode Files or Information
    To evade detection, Magniber encodes its VBScript and disguises it as a .jpg file; once past detection, it decodes the VBScript and executes it.
  T1497.003  Time Based Evasion
    Magniber sleeps for random intervals to evade sandbox or antivirus detection.

Impact
  T1486  Data Encrypted for Impact
    Magniber encrypts the files on the computer.
  T1490  Inhibit System Recovery
    Magniber modifies the boot options.
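Table 1 maps the behaviours to ATT&CK IDs but does not show how a SOC would see them in telemetry. The Python script below is an added example, not code from the SOC Incident Toolkit page or from any vendor: it walks a short, constructed stream of Sysmon-style process-creation and registry-set events and raises findings for two rows of the table, the fodhelper.exe UAC bypass (T1548.002) and a script host executing a file named like an image (T1140, the VBScript disguised as .jpg). The event field names, the sample events, and the registry path are assumptions: the page only says Magniber "overwrites the registry of fodhelper.exe", and the example matches on the per-user ms-settings protocol-handler key that public detection rules for the fodhelper bypass check.

```python
"""Correlate Sysmon-style events for two Magniber behaviours from Table 1.

Added example: not code from the SOC Incident Toolkit page or from any vendor.
Assumptions (also flagged in comments below):
  * Events are dicts modelled loosely on Sysmon Event ID 1 (ProcessCreate) and
    Event ID 13 (RegistryEvent, value set); the field names are simplified.
  * The fodhelper UAC bypass is spotted via a write under the per-user
    Software\\Classes\\ms-settings\\shell\\open\\command key, which public
    detection rules for that bypass check; the page only says "the registry
    of fodhelper.exe".
  * SAMPLE_EVENTS below are constructed for this example, not real telemetry.
"""
from dataclasses import dataclass
import ntpath

# Assumed key (not stated on the page): per-user ms-settings protocol handler
# consulted by fodhelper.exe. Matched case-insensitively as a path fragment.
MS_SETTINGS_HANDLER = r"software\classes\ms-settings\shell\open\command"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions a script host has no business executing (T1140: VBScript as .jpg).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


@dataclass
class Finding:
    technique: str   # ATT&CK ID taken from Table 1
    reason: str
    pid: int


def _image_name(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def suspicious_script_argument(command_line):
    """Return the first command-line token carrying an image extension, else None.

    Simplification: tokens are split on whitespace, so quoted paths that
    contain spaces are not handled.
    """
    for token in (command_line or "").replace('"', "").split():
        if ntpath.splitext(token)[1].lower() in IMAGE_EXTENSIONS:
            return token
    return None


def detect(events):
    """Scan events in order and return the list of Findings raised."""
    findings = []
    handler_written = False  # becomes True once an ms-settings handler write is seen
    for ev in events:
        kind = ev.get("type")
        pid = ev.get("pid", -1)
        if kind == "registry_set":
            if MS_SETTINGS_HANDLER in ev.get("target_object", "").lower():
                handler_written = True
                findings.append(Finding(
                    "T1548.002",
                    "ms-settings handler written: %s" % ev.get("details", ""),
                    pid))
        elif kind == "process_create":
            image = _image_name(ev.get("image"))
            # fodhelper.exe on its own is a legitimate Windows binary; only the
            # combination with a preceding handler write is reported.
            if image == "fodhelper.exe" and handler_written:
                findings.append(Finding(
                    "T1548.002",
                    "fodhelper.exe launched after ms-settings handler write",
                    pid))
            if image in SCRIPT_HOSTS:
                arg = suspicious_script_argument(ev.get("command_line"))
                if arg:
                    findings.append(Finding(
                        "T1140",
                        "script host executing image-named file: %s" % arg,
                        pid))
    return findings


# Constructed sample telemetry for this example (not from a real incident).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\u\Downloads\update.msi",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_set", "pid": 4100,
     "target_object": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\shell\open\command\(Default)",
     "details": r"wscript.exe C:\Users\u\AppData\Local\Temp\a.jpg"},
    {"type": "process_create", "pid": 4200, "image": r"C:\Windows\System32\fodhelper.exe",
     "command_line": "fodhelper.exe", "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process_create", "pid": 4300, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\u\AppData\Local\Temp\a.jpg",
     "parent_image": r"C:\Windows\System32\fodhelper.exe"},
    # Benign noise: a normal logon script and an ordinary Run-key write.
    {"type": "process_create", "pid": 5000, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\scripts\logon.vbs", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_set", "pid": 5001,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": "OneDrive.exe"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.technique, "pid", f.pid, "-", f.reason)
```

Run against the constructed events it reports three findings (the handler write, the fodhelper.exe launch that follows it, and the script host fed a .jpg) and stays silent on the logon script and the Run-key write. The ordering dependency is deliberate: a fodhelper.exe launch with no prior handler write is normal Windows activity and is not flagged.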