Magniber Ransomware Targets Home Users

Category: Ransomware News | Industry: N/A | Level: Tactical | Source: HP

Tracking activity of Magniber ransomware, by HP's threat intelligence team, shows operators targeting home users by crafting a website masquerading as a critical update for anti-virus or Windows 10 to lure victims into downloading a malicious ZIP file containing a JavaScript file. Previous Magniber campaigns have utilized Microsoft software installer (MSI) or executable (EXE) files, however since September 2022, the threat actors have incorporated JavaScripts as well. The JavaScipt file loads a .NET executable into memory and avoids writing to disk avoiding detection from security solutions. The .NET binary will inject itself into another process prior to running the shellcode using syscalls. Following shellcode execution, a VBScript will execute in a public directory. "Magniber requires administrator privileges to disable the victim’s ability to recover their data, so the malware uses a User Account Control (UAC) bypass to run commands without alerting the user. For this to work, however, the logged-in user must be part of the Administrators group." UAC bypass is set up through registry modification from the “ms-settings” key and using fodhelper.exe. Prior to ransomware deployment, the VBScript inhibits system recovery and deletes shadow copies on the host. The ransomware actors have demanded at least $2,500 in ransom notes from affected victims. Whilst Magniber operators aren't involved in Big Game Hunting, their methodical techniques to avoid triggering detection from security solutions and novel UAC bypass techniques demonstrate a more than capable ransomware group.

Anvilogic Scenario:

• Zip/LNK Leads to LOLBin & Script/UAC Bypass/Data Exfil

Anvilogic Use Cases:

• Compressed File Execution
• Wscript/Cscript Execution
• Indirect Command Execution

‍