In fact, Magnitude EK is one of the longest-standing ones out there, being offered in underground forums since 2013. According to the latest Kaspersky analysis dedicated to the exploit kit, Magnitude has switched its focus to distribute ransomware specifically to users from Asia Pacific countries, via the method of malvertising.
Evolution of the Magnitude Exploit Kit
According to the researchers, the exploit kit is actively supported and has been improved constantly. One of the most noteworthy changes seen in the EK is the employment of a more recent vulnerability, CVE-2019-1367 in Internet Explorer. This particular vulnerability was originally discovered as an exploited zero-day in the wild. Furthermore, Magnitude’s operators are now using a previously unknown elevation of privilege exploit for CVE-2018-8641, which seems to have been developed by a prolific exploit writer, Kaspersky says.
What vulnerabilities has Magnitude EK been using?
Like most exploit kits available, in 2019 Magnitude EK primarily utilized CVE-2018-8174. However, its operators were the first to adopt the much newer CVE-2019-1367 vulnerability, and they have been using it as their primary exploit since February 11, 2020, Kaspersky notes. The attackers reused the original zero-day exploit and just modified it with their own shellcode and obfuscation.
What is CVE-2019-1367?
The bug could allow a remote attacker to gain control of an affected system. The vulnerability is a scripting engine memory corruption issue, which was discovered by Clément Lecigne of Google’s Threat Analysis Group.
An attack based on the CVE-2019-1367 exploit could be launched via email (malspam) or by tricking the user into visiting a maliciously crafted website. It should be mentioned that the targeted browser is Internet Explorer, which continues to be used by a large user base.
Magnitude EK dropping its own ransomware payload
Another curious fact about Magnitude is that its operators are using their own ransomware payload in their attacks. This ransomware comes with a temporary encryption key and a list of domain names which the attackers change frequently. Victims’ files are encrypted using Microsoft CryptoAPI as well as Microsoft Enhanced RSA and AES Cryptographic Provider (PROV_RSA_AES).
The initialization vector (IV) is generated pseudo-randomly for each file, and a 0x100-byte blob containing the encrypted IV is appended to the end of the file. The ransomware doesn’t encrypt files located in common folders such as documents and settings, appdata, local settings, sample music, tor browser, etc. Before encryption, each file’s extension is checked against a hash table of allowed file extensions that contains 715 entries.
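The file layout described above (ciphertext body followed by a 0x100-byte blob holding the encrypted IV) and the folder exclusion list give an incident responder two quick triage signals. The following is an added example, not code from the article or from Kaspersky’s analysis, and it does not implement the ransomware: it classifies file contents by entropy and path for an analyst working through a disk image. It assumes the appended blob and the encrypted body are both high-entropy ciphertext; the sample files, their paths and the `_constructed_ciphertext` helper are constructed for this example.

```python
"""
Added IR triage helper (not from the article or the Kaspersky report).

Assumptions, labelled: the report says a 0x100-byte blob with the encrypted
per-file IV is appended to each encrypted file. We assume that blob and the
encrypted body both look like random bytes (high Shannon entropy), and use
that to flag files for further analysis. Nothing here encrypts anything.
"""
import hashlib
import math
from collections import Counter

TRAILER_LEN = 0x100  # 256-byte appended blob, as described in the report

# Folder names the report says the ransomware skips (lower-cased subset)
SKIPPED_FOLDERS = {"documents and settings", "appdata", "local settings",
                   "sample music", "tor browser"}

# 256 truly random bytes usually score only ~7.2 bits/byte because of
# small-sample bias, so the threshold sits well below the 8.0 maximum.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def in_skipped_folder(path: str) -> bool:
    """True if any directory component matches the report's exclusion list."""
    parts = {p.lower() for p in path.replace("\\", "/").split("/")[:-1]}
    return bool(parts & SKIPPED_FOLDERS)


def looks_encrypted(content: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Classify a file body against the body + 0x100-byte trailer layout."""
    if len(content) <= TRAILER_LEN:
        return {"encrypted": False, "reason": "too short to carry the trailer"}
    body, trailer = content[:-TRAILER_LEN], content[-TRAILER_LEN:]
    body_e, trailer_e = shannon_entropy(body), shannon_entropy(trailer)
    return {"encrypted": body_e >= threshold and trailer_e >= threshold,
            "body_entropy": round(body_e, 2),
            "trailer_entropy": round(trailer_e, 2)}


def triage(files: dict) -> dict:
    """files: {path: bytes} -> {path: verdict dict} for an analyst to review."""
    report = {}
    for path, content in files.items():
        verdict = looks_encrypted(content)
        verdict["in_skipped_folder"] = in_skipped_folder(path)
        report[path] = verdict
    return report


def _constructed_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy stand-in for AES output (constructed)."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample "disk image": paths and contents are made up for the example.
SAMPLE_FILES = {
    # body of pseudo-random bytes plus a 256-byte trailer (every byte value once)
    "C:/Users/alice/Documents/report.docx":
        _constructed_ciphertext(4096) + bytes(range(256)),
    # untouched low-entropy plaintext
    "C:/Users/alice/Documents/notes.txt": b"meeting notes for monday\n" * 40,
    # lives under a folder the report says is skipped
    "C:/Users/alice/AppData/Local/cache.bin": b"\x00" * 1024,
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_FILES).items():
        print(path, verdict)
```

Entropy alone does not prove a file was touched by this family (compressed archives score high too), so the verdicts are a prioritisation aid; files flagged as encrypted outside the skipped folders are the ones worth pulling for a closer look at the trailer.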
Of course, a ransom note is also dropped in each folder with encrypted files, and at the end a notepad.exe process is created to display the ransom note. To conceal the origin of the executed process, this ransomware deploys either the “wmic process call create” technique or “pcalua.exe –a … -c …”. After encryption the ransomware also attempts to delete backups of the files with the help of the “wmic shadowcopy delete” command executed with a UAC bypass, Kaspersky discovered.
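The three command-line behaviours just described (WMI process creation, pcalua.exe proxy execution, and shadow copy deletion) are all visible in process-creation telemetry. The following is an added example, not code from the article or from Kaspersky, showing detection logic run over constructed process-creation events. The field names `Image`, `CommandLine` and `ParentImage` follow Sysmon Event ID 1; the event lines, paths and parent processes are constructed for this example, and the rule names are this example’s own.

```python
"""
Added detection example (not from the article or the Kaspersky report).

Matches the command-line techniques the report attributes to the payload
against Sysmon-style process-creation events. Events below are constructed.
"""
import json
import re

# (rule name, regex over the lower-cased command line, analyst description)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
     "Volume Shadow Copies deleted to defeat file recovery"),
    ("wmic_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b"),
     "Child launched through WMI so its parent is WmiPrvSE, not the dropper"),
    ("pcalua_proxy_exec",
     re.compile(r"\bpcalua(\.exe)?\b.*\s[-\u2013]a\s"),
     "Program Compatibility Assistant used as a proxy launcher"),
]

# Parents that hide the real origin of a spawned notepad.exe (see rules above)
PROXY_PARENTS = {"wmiprvse.exe", "pcalua.exe"}


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def evaluate_event(event: dict) -> list:
    """Return the list of rule names that fire for one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "").lower()
    for name, pattern, _why in RULES:
        if pattern.search(cmd):
            hits.append(name)
    image, parent = _basename(event.get("Image", "")), _basename(event.get("ParentImage", ""))
    # The ransom note is shown via notepad.exe; a proxy parent is the tell.
    if image == "notepad.exe" and parent in PROXY_PARENTS:
        hits.append("notepad_from_proxy_parent")
    return hits


def scan(lines) -> list:
    """Parse JSON event lines and return one alert per event that fired any rule."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        hits = evaluate_event(ev)
        if hits:
            alerts.append({"image": ev.get("Image"),
                           "parent": ev.get("ParentImage"),
                           "commandline": ev.get("CommandLine"),
                           "rules": hits})
    return alerts


# Constructed sample events (Sysmon Event ID 1 field names; values made up).
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Users\\Public\\svc.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic process call create \"notepad.exe C:\\Users\\alice\\Desktop\\README.txt\"", "ParentImage": "C:\\Users\\Public\\svc.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\pcalua.exe", "CommandLine": "pcalua.exe -a notepad.exe -c C:\\Users\\alice\\Desktop\\README.txt", "ParentImage": "C:\\Users\\Public\\svc.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\Desktop\\README.txt", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe todo.txt", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic os get caption", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign `wmic os get caption` and the explorer-launched notepad.exe produce no alert, which is the point of anchoring the rules on the specific verbs (`shadowcopy delete`, `process call create`) and on the parent/child pair rather than on `wmic.exe` alone; the shadow copy rule in particular is low-noise enough in most environments to page on directly.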