Hackers are utilizing the malevolent Magnitude Exploit Kit to distribute the new Magniber ransomware to targets in South Korea. Previously the kit has been used to deliver high-impact malware, namely the majority of Cerber ransomware strains on a global scale.
Update July 2018 – Magniber Ransomware Expands
In mid-July, 2018 there are reports indicating that Magniber has expanded its operations and has more features, including:
- Usage of different and plentiful obfuscation techniques
- Payload binary delivers, targets and infects beyond South Korea
- Usage of a more sophisticated and polished malicious code
- No longer depends on C2C servers, nor a hardcoded key for encryption
According to malware researchers, in addition to the changes stated above, the Magnitude Exploit Kit has also changed its ‘modus operandi’. Instead of pushing the well-known Cerber ransomware accross the World, the EK is now primarily focused on spreading the binary executable of Magniber.
That is not all, as newer Magniber versions are using an Internet Explorer’s zero-day vulnerability since the month of April. The newer version of the ransomware threat is easily recognised as it uses the “.dyaaghemy” file extension.
Magniber Ransomware Revealed in Latest Hacker Attack
The onset of the hacker campaign started when criminals loaded a newly devised malware into the Magnitude exploit kit. This is the same mechanism previously used to deliver the majority of the Cerber ransomware strains. One of the reasons why the security experts fear that this is going to become the next big infection. If its source code is released or sold on the hacker underground forums or is shared by the hacker collectives then it can very well turn into the latest weapon.
The security reports indicate that the captured strains so far are merely the first releases. We might see updated versions of the threat if it proves successful during the ongoing attacks. One of the reasons why the attack is so feared is because this exploit kit became inactive for a long time in late September. When it came back online the payload was changed with the new Magniber ransomware.
Magniber Ransomware Set Against South Korea
One of the key characteristics of the Magnitude Exploit Kit is the fact that it is specifically made to infect uses from South Korea. The analysts report that at the moment the email message is the preferred payload delivery mechanism.
The exploit kit is customized with several template messages that are sent in an automated way to the victims. As always social engineering tricks may be used to increase the infection ratio. Depending on the configuration the emails may come in different forms. Some of the most popular examples include the following:
- File Attachments ‒ The Magniber ransomware can be directly inserted into the messages as a file attachment either in an archived form or as the executable file.
- Hyperlink Insertion ‒ The criminals behind the malware can utilize different scams, blackmail tactics and various social engineering tricks to try and make the users download the virus via a link found in the body contents.
- Archives ‒ In many cases such threats can be packaged in archives that contain other software as well. The Magniber ransomware can be found in packages that pretend to include important documents, applications, utilities and etc.
- Infected Installers ‒ Email messages can be used to distribute modified software installers which can inclue the Magniber ransomware code in themselves.
- Scripts in Documents ‒ Various documents that may be of user interest (rich text documents, spreadsheets or presentations) can include malware scripts (macros) which when executed by the user download the Magniber ransomware from a remote server and run it on the victim computers.
Another identified source of infections include fraudulent advertisments found on hacker-controlled sites. They are frequently made to look like legitimate products or services. Links to them are placed via ad networks, search engines and even fake accounts on social networks.
Another option to deliver the threat is a redirect via browser hijackers. They are dangerous browser extensions that seek to modify the settings of the infected web applications. Hackers tend to make them for the popular browsers: Mozilla Firefox, Safari, Internet Explorer, Opera, Microsoft Edge and Google Chrome. When the infections are complete important settings are reconfigured to point to the hacker-controlled sites. In other cases the Magniber ransomware is delivered as part of the hacker sequence. They are also able to obtain sensitive data from the applications including: cookies, browser cache, preferences, history, bookmarks, form data, passwords and account credentials.
The experts discovered that the criminals attempt to exploit a vulnerability tracked by the CVE-2016-0189 advisory, which is also being used by kits like Disdain and Sundown:
The Microsoft JScript 5.8 and VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Scripting Engine Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0187.
One of the reasons why the Magniber ransomware is feared by many to be a new emerging threat competing with the large malware families is its complex infection module. Upon initial delivery the virus engine automatically starts to scan the local computer and check important values which are compared with the built-in instructions to deliver the dangerous components only to victims from South Korea.
This is done by checking the external IP location of the computer and comparing it to geolocation databases, the regional settings set by the user, searching for specific strings and etc. According to the security researchers the complex level of the security checks are noteworthy for this specific strain. An automated kill switch is placed in the engine, if the Magniber ransomware is executed on a non-Korean system the malware will automatically delete itself after the initial check is complete.
Magniber Ransomware Capabilities
Once the Magniber ransomware infects the compromised machines a number of attack sequences can be programmed. Depending on the configuration it may feature different modules which can be activated on the machines. Examples include the following:
- Trojan Module ‒ Using such a module allows the criminals to spy on the victim machines or take over control at any given moment.
- Data Theft ‒ Prior to the encryption phase the hackers can opt to steal sensitive files and use their contents to carry out different crimes. Examples include identity theft, financial documents abuse and others.
- Additional Malware Delivery ‒ The Magniber ransomware can also be used to deliver additional viruses to the compromised computers.
The initial infections begins with the virus files being copied to a temporary folder which can be changed according to the initial configuration. After this the malware files are changed with random names and set for automatic startup when the computer boots.
There are several important characteristics of the infection process that are noteworthy to the Magniber ransomware. One of them is the fact that the malware is able to spawn other processes which are placed under its control. It can interact with the child processes and inject data into them. One of the reasons why this is considered dangerous is the fact that such applications can be used to confuse the others or attempt to extract information from the victims. A case scenario is the launch of web browser window. The users might think that they have issued the command and use it as they normally would do. If any sensitive data is entered by them, it is immediately recorded by the malware and sent to operators.
An in-depth analysis of the compromised machine is being conducted which includes both the hardware components, software configuration and user settings. Network availability and available interfaces are probed using the “ping” command, as well as regional settings (system locale settings, keyboard layouts and machine time zone).
The identified Magniber ransomware strains also can run shell commands on their own. When combined with a Trojan module this option gives hackers nearly unlimited capabilities on using the victim computers. The analyzed samples have several stealth protection and anti-debugging features built-in. They prevent the researchers from conducting analysis of the virus strains in certain conditions.
Magniber Ransomware Infection Consequences
The end goal of the Magniber ransomware is to blackmail the users by using typical ransomware tactics. Sensitive user files are encrypted with a strong cipher. Like other similar strains a built-in list of target file type extensions is used. This is a widely used tactic as it allows the criminals to customize the victim files according to the intended victims. The security researchers were able to extract the bundled list of one of the captured strains. It targeted the following extensions:
docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg
onetoc2 snt docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm
pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm vdi vmx gpg
aes raw cgm nef psd ai svg djvu sh class jar java rb asp php jsp brd sch dch
dip vb vbs ps1 js asm pas cpp cs suo sln ldf mdf ibd myi myd frm odb dbf db
mdb accdb sq sqlitedb sqlite3 asc lay6 lay mm sxm otg odg uop std sxd otp
odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr
crt key pfx der 1cd cd arw jpe eq adp odm dbc frx db2 dbs pds pdt dt cf cfu
mx epf kdbx erf vrp grs geo st pff mft efd rib ma lwo lws m3d mb obj x3d c4d
fbx dgn 4db 4d 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr
cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx dd df1 dmo dnc
dp1 dqy dsk dsn dta dtsx dx eco ecx emd fcd fic fid fi fm5 fo fp3 fp4 fp5
fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt
mrg mud mwb s3m ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96
p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq
sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb
zdc cdr cdr3 abw act aim ans apt ase aty awp awt aww bad bbs bdp bdr bean
bna boc btd cnm crw cyi dca dgs diz dne docz dsv dvi dx eio eit emlx epp err
etf etx euc faq fb2 fb fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt
fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hz idx ii ipf jis joe jp1 jrtf
kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man
map mbox me mel min mnt mwp nfo njx now nzb ocr odo of oft ort p7s pfs pjt prt
psw pu pvj pvm pwi pwr qd rad rft ris rng rpt rst rt rtd rtx run rzk rzn saf
sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa sty sub sxg tab
tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof upd utf8 utxt vct vnt
vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wp wps wpt wpw
wri wsc wsd wsh wtx
xd xlf xps xwp xy3 xyp xyw ybk ym zabw zw abm afx agif agp aic albm apd apm
apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 ca cals can cd5 cdc
cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv dm3
dmi vue dpx wire drz dt2 dtw dv ecw eip exr fa fax fpos fpx g3 gcdp gfb gfie
ggr gih gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx
itc2 iwi j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jw
jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs my ncr nct
nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cmx cnv csy
cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf
fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg
gem glox hpg hpg hp idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx
mmat mat ovp ovr pcs pfv plt vrm pobj psid rd scv sk1 sk2 ssk stn svf svgz
tlc tne ufr vbr vec vm vsdm vstm stm vstx wpg vsm xar ya orf ota oti ozb
ozj ozt pa pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3
pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg
ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli
rpf rri rs rsb rsr rw2 rw s2mv sci sep sfc sfw skm sld sob spa spe sph spj
spp sr2 srw wallet jpeg jpg vmdk arc paq bz2 tbk bak tar tgz gz 7z rar zip
backup iso vcd bmp png gif tif tiff m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov
avi asf mpeg vob mpg wmv fla swf wav mp3
Magniber communicates with hacker command and control servers to report the infections. At the start of the encryption process the malware reports the operation to the server which returns a valid response to the victim machine. It contains a 16-character long string which is used by encryption engine to generate the private key. In the case where network connectivity is not available a hardcoded is used to process the files. An attempt to report the finished process is performed after everything is complete.
The experts discovered that the samples also disallow encryption of certain critical folders. This is done with intent as encryption of the files contained therein may permament damage to the operating system and render it unusable. This effectively stops the hackers from being able to blackmail the victims. The list contains the following directories:
:\documents and settings\all users\
:\documents and settings\default user\
:\documents and settings\localservice\
:\documents and settings\networkservice\
\appdata\local\
\appdata\locallow\
\appdata\roaming\
\local settings\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\
\$recycle.bin
\$windows.~bt
\$windows.~ws
\boot
\intel
\msocache
\perflogs
\program files (x86)
\program files
\programdata
\recovery
\recycled
\recycler
\system volume information
\windows.old
\windows10upgrade
\windows
\winnt
Magniber Ransomware Note
Random extensions such as .ihsdj or .kgpvwnr are assigned to the compromised files. A ransomware note is crafted according to the following template ‒ READ_ME_FOR_DECRYPT_[id].txt. Its contents read the following:
ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILE HAVE BEEN ENCRYPTED!
====================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third-party software will be fatal for your files!
=====================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download “Tor Browser” from https://www.torproject.org/ and install it.
2. In the “Tor Browser” open your personal page here:
https://oc77jrv0xm9o7fw55ea.ofotqrmsrdc6c3rz.onion/EP8666p5M93wDS513
Note! This page is available via “Tor Browser” only.
========================================================================================
Also you can use temporary addresses on your personal page without using “Tor Browser”:
https://oc77jrv0xm9o7fw55ea.bankme.date/EP8666p5M93wDS513
https://oc77jrv0xm9o7fw55ea.jobsnot.services/EP8666p5M93wDS513
https://oc77jrv0xm9o7fw55ea.carefit.agency/EP8666p5M93wDS513
https://oc77jrv0xm9o7fw55ea.hotdisk.world/EP8666p5M93wDS513Note! These are temporary addresses! They will be available for a limited amount of time!
If the users visit the TOR payment gateway they will a modern-looking page that displays a similar text message. It seeks to extort a ransomware payment from the victims by using the well-known social engineering “time trick”. The users are shown a “cheaper” price if they within a certain time limit (in this case within 5 days of initial infection). The sum quoted is 0.2 Bitcoins which is the equivalent of $1112. If this is not done the ransomware engine will double the amount to 0.5 Bitcoins or $2225 respectively.
The note itself reads the following:
Your documents, photos, databases and other important files have been encrypted!
WARNING! Any attempts to restore your files with the third-party software will be fatal for your files! WARNING!
To decrypt your files you need to buy the special software – “My Decryptor”
All transactions should be performed via BITCOIN network.
Within 5 days you can purchase this product at a special price: BTC 0.200 (~$1117)
After 5 days the price of this product will increase up to: BTC 0.400 (~$2225)The special price is available:
04. 22:41:48How to get “My Decryptor”?
1. Create a Bitcoin Wallet (we recommend Blockchain.info)
2. Buy necessary amount of Bitcoins
Here are our recommendations:
Buy Bitcoins with Cash or Cash Deposit
LocalBitcoins (https://localbitcoins.com/)
BitQuick (https://www.bitquick.co/)
Wall of Coins (https://wallofcoins.com/)
LibertyX (https://libertyx.com/)
Coin ATM Radar (https://coinatmradar.com/)
Bitit (https://bitit.io/)Buy Bitcons with Bank Account or Bank Transfer
Coinbase (https://www.coinbase.com/)
BitPanda (https://www.bitpanda.com/)
GDAX (https://www.gdax.com/)
CEX.io (https://cex.io/)
Gemini (https://gemini.com/)
Bittylicious (https://bittylicious.com/)
Korbit (https://www.korbit.co.kr/)Coinfloor (https://www.coinfloor.co.uk/)
Coinfinity (https://coinfinity.co/)
CoinCafe (https://coincafe.com/)
BTCDirect (https://btcdirect.eu/)
Paymium (https://www.paymium.com/)
Bity (https://bity.com/)
Safello (https://safello.com/)
Bitstamp (https://www.bitstamp.net/)
Kraken (https://www.kraken.com/)
CoinCorner (https://coincorner.com/)
Cubits (https://cubits.com/)
Bittinex (https://www.bitfinex.com/)
Xapo (https://xapo.com/)
HappyCoins (https://www.happycoins.com/)
Poloniex (https://poloniex.com/)Buy Bitcoin with Credit/Debit Card
CoinBase (https://www.coinbase.com/)
CoinMama (https://www.coinmama.com/)
BitPanda (https://www.bitpanda.com/)
CEX.io (https://cex.io/)
Coinhouse (https://www.coinhouse.io/)Buy Bitcoins with PayPal
VirWoX (https://www.virwox.com/)
Could not find Bitcoins in your region? Try searching here:
BittyBot (https://bittybot.co/eu/)
How To Buy Bitcoins (https://howtobuybitcoins.info/)
Buy Bitcoin Worldwide (https://www.buybitcoinworldwide.com/)
Bitcoin-net.com (https://bitcoin-net.com/)3. Send BTC 0.200 to the following Bitcoin address:
1AwpzNSn4ZkWf4pSCtzZ16ungkEqea93tr
4. Control the amount transaction at the “Payments History” panel below
5. Reload current page after the payment and get a link to download the software.
We strongly recommend that all users employ a quality anti-spyware solution. It is able to remove active infections of all kinds of viruses, Trojans and browser hijackers and delete them via a few mouse clicks.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
April 2018 Update: Magniber Decryptor Released: Security researchers have devised a decryptor that is compatible with some of the Magniber strains. The tool may be used to decrypt some of the affected data and is available from this site.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: