| Magniber | |
| --- | --- |
| Type of Malware | Ransomware |
| Targeted Countries | South Korea |
| Date of initial activity | 2017 |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
Magniber ransomware is a sophisticated and highly effective form of malware that has caused widespread damage to organizations and individuals worldwide. First identified in 2017, this ransomware variant is known for its ability to exploit multiple vulnerabilities within Microsoft systems, enabling it to infiltrate networks and compromise sensitive data. Magniber primarily targets Windows machines and employs various tactics to avoid detection, escalate privileges, and encrypt critical files. By leveraging an extensive range of exploits and tools, Magniber’s operators have been able to deploy the ransomware across networks quickly and with devastating efficiency, making it a significant threat in the cybercrime landscape.
The malware is often delivered via phishing campaigns and exploits flaws in well-known software such as Internet Explorer and Microsoft Office, which allows it to bypass common security defenses. Once executed, Magniber encrypts user files using AES encryption and demands a ransom payment in exchange for the decryption key. The encryption routine is designed for speed, allowing the malware to lock large volumes of data in a short amount of time. Magniber is also adept at evading detection through advanced obfuscation techniques, process injection, and masquerading as legitimate system updates or software installers.
Targets
Information
Individuals
How they operate
The initial access phase of a Magniber attack typically begins with the exploitation of known vulnerabilities in public-facing applications. Magniber has been observed exploiting a range of vulnerabilities, including those in Internet Explorer and the MSHTML component (CVE-2016-0189, CVE-2018-8174, CVE-2020-0968), as well as critical vulnerabilities like PrintNightmare (CVE-2021-34527) and CVE-2022-44698. These exploits allow the malware to gain unauthorized access to the target machine by bypassing security measures. Magniber also utilizes social engineering techniques, particularly malicious email attachments, to infect systems. The malware often masquerades as a legitimate software update or installer, tricking users into executing the malicious payload via ZIP file attachments or fake Windows update prompts (T1204 – User Execution).
Once the malware gains execution privileges, it uses various techniques to establish persistence and avoid detection. Magniber can execute commands through Windows Management Instrumentation (WMI) to delete system shadow copies (T1047). This tactic prevents users from restoring their files via backup and inhibits system recovery. The malware also leverages scripting interpreters, such as cmd.exe and JavaScript (T1059.003, T1059.007), to execute its code. In more recent versions, Magniber has been rewritten in JSE/JS format, which makes it harder to detect. This version continues the tradition of masquerading as legitimate software, evading detection by security programs that scan for executables and scripts.
To further evade detection, Magniber uses a series of obfuscation and anti-analysis techniques. Its payload and related strings are stored in encrypted form and decrypted only immediately before execution (T1140 – Deobfuscate/Decode Files or Information), so the malicious code is not visible to scans of the file on disk. Additionally, Magniber can inject malicious code into running processes that do not hold high privileges (T1055.003 – Process Injection: Thread Execution Hijacking), further complicating detection. The malware also exploits a vulnerability in Mark-of-the-Web (MOTW) handling to bypass the security warnings that would normally precede execution of a file downloaded from the internet (T1553.005).
After the malware executes, it moves on to discovering files and system information. Magniber performs file and directory discovery (T1083) to identify files that should be encrypted. It also scans for network shares (T1135) to spread its encryption to remote systems. It gathers system information, such as the computer name and operating system build number, which is then sent to a command and control (C2) server for further instructions (T1082 – System Information Discovery). This step is crucial as it helps the attackers customize the attack based on the system they have compromised.
One of the most damaging aspects of Magniber is its file encryption. It combines AES and RSA (T1486 – Data Encrypted for Impact): each file is first encrypted with AES in 1 MB blocks, and the AES key and initialization vector (IV) are then encrypted with RSA, so the file cannot be recovered without the attacker's private key. Magniber is designed to avoid encrypting files and directories critical to system functionality, such as system files, boot files, and directories like “Program Files” and “Windows.” This selective encryption keeps the infected machine operational while maximizing the damage to user data. Once encryption is complete, the ransomware appends its unique mutex name to the encrypted files, making clear that they are part of the attack.
Finally, Magniber attempts to inhibit recovery by deleting volume shadow copies (T1490 – Inhibit System Recovery). Using WMI and registry modifications, the malware ensures that the victim cannot restore files from backups. This, combined with the encryption of valuable data, leaves victims with few recovery options other than paying the ransom. Throughout the attack lifecycle, Magniber employs multiple layers of defense evasion, fileless techniques, and sophisticated encryption methods, making it a highly effective and dangerous ransomware strain.
In summary, Magniber’s technical operation demonstrates the evolving sophistication of modern ransomware attacks. By exploiting vulnerabilities, leveraging obfuscation, and carefully encrypting user data while disabling recovery options, Magniber poses a significant threat to both individuals and organizations. Recognizing and understanding the detailed tactics, techniques, and procedures used by Magniber is crucial for developing effective defense strategies to counteract and mitigate the impact of such attacks. As attackers continue to refine their tools and techniques, organizations must adopt robust security measures, including timely patching, user awareness training, and multi-layered defenses, to protect against evolving ransomware threats like Magniber.
MITRE Tactics and Techniques
Initial Access
T1190 – Exploit Public-Facing Application: Magniber exploits vulnerabilities in public-facing applications to gain initial access to systems. Vulnerabilities such as CVE-2016-0189, CVE-2018-8174, CVE-2019-1367, and others are used for this purpose.
T1203 – Exploitation for Client Execution: Magniber exploits vulnerabilities to execute its payload on the victim’s machine, including CVE-2022-44698.
T1204 – User Execution: Magniber uses phishing techniques, often via malicious ZIP attachments or fake Windows updates, to trick users into executing the malware.
Execution
T1059.003 – Command and Scripting Interpreter: Windows Command Shell: Magniber uses cmd.exe to execute commands for various purposes, including the execution of malicious scripts.
T1059.007 – Command and Scripting Interpreter: JavaScript: In newer versions, Magniber is written in JSE/JS format and masquerades as legitimate software to deceive users into executing the ransomware.
T1047 – Windows Management Instrumentation (WMI): Magniber uses WMI to perform actions like deleting shadow copies and carrying out other malicious activities.
T1218.010 – Signed Binary Proxy Execution: Regsvr32: Magniber uses regsvr32.exe and scrobj.dll to execute its payload, often bypassing security measures.
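The execution and recovery-inhibition behaviours above (cmd.exe and Windows Script Host running the JSE/JS payload, WMI deleting shadow copies, regsvr32 loading scrobj.dll) all surface in process-creation telemetry, which is where a defender would hunt for them. The following Python script is an added example written for this page, not code from the profile or from any vendor: it runs simple command-line rules over a constructed, pipe-delimited sample log (not real telemetry) and then correlates a script-host launch with a later shadow copy deletion on the same host, the sequence the "How they operate" section describes. The log format, the rule patterns and the five-minute correlation window are assumptions; the technique identifiers are the ones listed on this page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    timestamp: datetime
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample process-creation events, not real telemetry. Fields are
# pipe-delimited: time|host|parent image|image|command line. WS01 shows the
# chain described in the profile; WS02 shows benign activity that must not fire.
SAMPLE_LOG = r"""
2024-01-01T10:00:01Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\u\Downloads\Windows10_Update.jse"
2024-01-01T10:00:05Z|WS01|C:\Windows\System32\wscript.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /i:C:\Users\u\AppData\Local\Temp\payload.sct scrobj.dll
2024-01-01T10:00:09Z|WS01|C:\Windows\System32\wscript.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2024-01-01T10:00:12Z|WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-01-01T10:01:00Z|WS02|C:\Windows\explorer.exe|C:\Program Files\Editor\editor.exe|"C:\Program Files\Editor\editor.exe" notes.txt
2024-01-01T10:02:00Z|WS02|C:\Windows\System32\services.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Windows\System32\vendor.dll
"""

# (technique id from the profile, description, command-line pattern); the
# patterns are this example's own assumptions, not a vendor rule set.
RULES = [
    ("T1047/T1490", "shadow copy deletion through WMI",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("T1490", "shadow copy deletion through vssadmin",
     r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("T1059.007", "Windows Script Host launching a .js/.jse file",
     r"\b[wc]script(\.exe)?\b.*\.jse?\b"),
    ("T1218.010", "regsvr32 executing a scriptlet via scrobj.dll",
     r"\bregsvr32(\.exe)?\b.*\bscrobj\.dll\b"),
]


def parse_event(line: str) -> ProcessEvent:
    ts, host, parent, image, cmd = line.split("|", 4)
    return ProcessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        host, parent, image, cmd)


def match_rules(event: ProcessEvent) -> list:
    """Return (technique, description) for every rule the command line matches."""
    return [(tid, desc) for tid, desc, pat in RULES
            if re.search(pat, event.command_line, re.IGNORECASE)]


def scan_log(text: str) -> list:
    """Return (event, technique, description) triples for all matching events."""
    hits = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = parse_event(line)
            hits.extend((ev, tid, desc) for tid, desc in match_rules(ev))
    return hits


def correlate(hits, window: timedelta = timedelta(minutes=5)) -> set:
    """Hosts where a script-host launch is followed, within the window, by a
    shadow copy deletion: the sequence the profile describes, and a much
    stronger signal than either event alone."""
    by_host = {}
    for ev, tid, _ in hits:
        by_host.setdefault(ev.host, []).append((ev.timestamp, tid))
    flagged = set()
    for host, events in by_host.items():
        launches = [t for t, tid in events if tid == "T1059.007"]
        deletions = [t for t, tid in events if tid.endswith("T1490")]
        if any(timedelta(0) <= d - l <= window for l in launches for d in deletions):
            flagged.add(host)
    return flagged


if __name__ == "__main__":
    for ev, tid, desc in scan_log(SAMPLE_LOG):
        print(f"{ev.timestamp:%H:%M:%S} {ev.host} {tid}: {desc}")
    print("hosts with launch -> shadow copy deletion chain:",
          correlate(scan_log(SAMPLE_LOG)))
```

On the sample, the four WS01 events each match exactly one rule and WS02 matches none; the benign regsvr32 registration on WS02 is ignored because the rule keys on scrobj.dll rather than on regsvr32 alone. In a real pipeline the same rules would be applied to Sysmon Event ID 1 or Windows Security 4688 records, and the correlation step is what turns noisy single-event alerts into an actionable one.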
Defense Evasion
T1553.005 – Subvert Trust Controls: Mark-of-the-Web Bypass: Magniber bypasses security features, such as the Mark-of-the-Web (MOTW), by exploiting malformed digital signatures.
T1055.003 – Process Injection: Thread Execution Hijacking: Magniber can inject malicious code into running processes that meet specific criteria, such as processes that are not critical system processes like iexplore.exe.
T1140 – Deobfuscate/Decode Files or Information: Magniber decrypts its payload and other associated strings before executing them, obfuscating its presence.
Privilege Escalation
T1071.001 – Application Layer Protocol: Web Protocols: Magniber can escalate privileges by communicating with external servers to collect additional data about the infected system.
Discovery
T1083 – File and Directory Discovery: Magniber performs searches for files and directories to determine which files to encrypt.
T1135 – Network Share Discovery: The malware scans for network and remote drives to spread the encryption.
T1057 – Process Discovery: Magniber queries the system for a list of running processes, which may aid in its evasion and persistence.
T1082 – System Information Discovery: Magniber gathers system information, such as the machine name and OS build number, to tailor its attack.
Command and Control
T1071.001 – Application Layer Protocol: Web Protocols: Magniber uses HTTP or HTTPS to communicate with its command and control server, often sending information about the infected system and receiving commands.
Impact
T1490 – Inhibit System Recovery: Magniber deletes volume shadow copies via WMI and registry modifications to prevent recovery from backup files.
T1486 – Data Encrypted for Impact: The malware encrypts files across the system using AES and RSA encryption, demanding a ransom for the decryption key.
T1608.005 – Stage Capabilities: Link Target: Magniber uses typosquatting to create malicious links that trick users into accessing the ransomware payload.
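The T1486 item, together with the narrative's description of selective encryption that spares "Program Files" and "Windows" and appends a unique marker to each encrypted file, suggests a file-activity detection: many distinct user files gaining the same previously unseen extension within seconds. The Python script below is an added example for this page, not code from the profile or from any vendor. It runs that logic over constructed rename events (not real telemetry); the extension `.kqzvtdhw`, the threshold of five files per sixty seconds, the allowlist of ordinary extensions and the system-path prefixes are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions that ordinary software legitimately renames files to (assumed
# allowlist). A never-seen extension appearing on many files at once is the signal.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".tmp", ".bak", ".zip"}

# Locations the profile says Magniber leaves alone. A rename storm that avoids
# them is consistent with the selective encryption it describes.
SYSTEM_PREFIXES = (r"c:\windows", r"c:\program files")


@dataclass
class RenameEvent:
    timestamp: datetime
    host: str
    old_path: str
    new_path: str


# Constructed sample file-rename events (time|host|old path|new path); not
# real telemetry, and the extension is invented. WS01 sees seven user
# documents gain the same unfamiliar extension within twenty seconds; the
# remaining events are benign renames.
SAMPLE_EVENTS = r"""
2024-01-01T11:00:00Z|WS01|C:\Users\alice\Documents\budget.xlsx|C:\Users\alice\Documents\budget.xlsx.kqzvtdhw
2024-01-01T11:00:02Z|WS01|C:\Users\alice\Documents\plan.docx|C:\Users\alice\Documents\plan.docx.kqzvtdhw
2024-01-01T11:00:05Z|WS01|C:\Users\alice\Documents\notes.txt|C:\Users\alice\Documents\notes.txt.kqzvtdhw
2024-01-01T11:00:07Z|WS01|C:\Users\alice\Pictures\holiday.jpg|C:\Users\alice\Pictures\holiday.jpg.kqzvtdhw
2024-01-01T11:00:09Z|WS01|C:\Users\alice\Pictures\family.png|C:\Users\alice\Pictures\family.png.kqzvtdhw
2024-01-01T11:00:14Z|WS01|C:\Users\alice\Desktop\invoice.pdf|C:\Users\alice\Desktop\invoice.pdf.kqzvtdhw
2024-01-01T11:00:20Z|WS01|C:\Users\alice\Desktop\archive.zip|C:\Users\alice\Desktop\archive.zip.kqzvtdhw
2024-01-01T11:00:30Z|WS01|C:\Users\alice\Desktop\draft.txt|C:\Users\alice\Desktop\draft.bak
2024-01-01T11:05:00Z|WS02|C:\Users\bob\Documents\report.tmp|C:\Users\bob\Documents\report.docx
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, host, old, new = line.split("|", 3)
        events.append(RenameEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, old, new))
    return events


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def detect_rename_storms(events: list, threshold: int = 5,
                         window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {(host, new_extension): {"files": [...], "spares_system_dirs": bool}}
    for every host on which at least `threshold` distinct files gained the same
    unfamiliar extension inside one sliding window."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.timestamp):
        ext = PureWindowsPath(ev.new_path).suffix.lower()
        if ext and ext not in KNOWN_EXTENSIONS:
            groups[(ev.host, ext)].append(ev)

    alerts = {}
    for key, evs in groups.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.timestamp - first.timestamp <= window]
            files = sorted({e.old_path for e in in_window})
            if len(files) >= threshold:
                alerts[key] = {
                    "files": files,
                    # True when every affected file lies outside the directories
                    # the profile says Magniber skips
                    "spares_system_dirs": not any(is_system_path(f) for f in files),
                }
                break
    return alerts


if __name__ == "__main__":
    for (host, ext), info in detect_rename_storms(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {len(info['files'])} files renamed to *{ext}; "
              f"system directories untouched: {info['spares_system_dirs']}")
```

The detector deliberately keys on the new extension rather than on any Magniber-specific string, since the marker appended to each file is unique per infection and cannot be known in advance; the `spares_system_dirs` flag records whether the storm matches the profile's selective-encryption trait, which helps an analyst triage the alert. The legitimate `.bak` and `.docx` renames never enter a group because their extensions are on the allowlist.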