
The threat actors are distributing Magniber ransomware as an update through modern web browsers in ongoing campaign.
The operators behind it are actively exploiting the Internet Explorer (IE) vulnerabilities for the last couple of years. Apart from Internet Explorer (IE), currently, the hackers are also exploiting the modern web browsers:-
- Microsoft Edge
- Google Chrome
Technical Analysis
In the image below the distribution pages are shown that are opened in Microsoft Edge and Google Chrome, prompting users to install the fake update package with “.appx” extension.
This fake Chrome or Edge’s Windows update package with .appx extension contains an authentic certificate which makes it look legit and allows the installation of the fake package.
Later, in the child paths of C:\Program Files\WindowsApps when the fake downloaded APPX package was executed, it automatically puts the maliciously crafted EXE and DLL files with the following name:-
- For EXE file: wjoiyyxzllm.exe
- For DLL file: wjoiyyxzllm.dll
Now here at this stage, the wjoiyyxzllm.exe file loads the wjoiyyxzllm.dll to execute a distinct function that is dubbed as “mbenooj.” After completing these stages now the Magniber ransomware gets deployed from the memory of wjoiyyxzllm.exe.
The ransomware starts encrypting all the files present on the user’s system and leaves a ransom note after completing the encryption procedure. They chose the APPX files due to their wide usage.
To decrypt the files encrypted by Magniber ransomware for free of cost then it’s not possible to do so. Before encrypting the system the Magniber ransomware do not steal any files, since it did not embrace the double extortion tactic in its operation.
Indicators of Compromise
- cf16310545bf91d3ded081f9220af7cc (exe)
- 12a12ea3b7d84d1bd0aad215d024665c (dll)
- hxxp://b5305c364336bqd.bytesoh.cam
- hxxp://hadhill.quest/376s53290a9n2j