A malicious campaign is spreading Magniber ransomware to Windows home users. Last month, the attackers set up websites advertising fake antivirus and security updates for Windows 10, with the updates themselves carrying the malware.

The Magniber ransomware

The Magniber ransomware operators focus especially on Windows 10 and Windows 11 systems.
  • The fake Windows updates are delivered as malicious files, for example ZIP archives containing JavaScript files, which start the infection when the user opens them.
  • A report from HP disclosed that Magniber operators demand up to $2,500 from home users for the decryption tool.
  • The Magniber group also uses evasion tactics: a bypass of the Windows User Account Control (UAC) feature, running the ransomware entirely in memory, and issuing direct syscalls instead of calling the standard Windows API libraries so that security software hooking those libraries does not see the activity.

In April 2022, Magniber was spotted spreading as a fake Windows 10 update through malicious websites; in that previous campaign the attackers used MSI/EXE files. In January, its operators used fake Edge and Chrome browser updates to push APPX files.

Use of DotNetToJScript technique

In the recent campaign, the attackers have started using JavaScript files. These files are obfuscated and use a variation of the DotNetToJScript technique.
  • DotNetToJScript is used to load and run a .NET assembly directly in memory from the JavaScript file, so no second-stage executable touches disk and the chances of detection are reduced.
  • The .NET assembly decodes shellcode that uses direct syscalls and injects itself into a new process before terminating its own.
  • The shellcode deletes shadow copies via WMI and disables backup and recovery features through wbadmin and bcdedit, leaving the victim with no local way to restore files before encryption begins.
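The recovery-tampering steps listed above are the noisiest part of the chain and the most practical place to detect it. The following is an added example, not code from the Cyware article or from any Magniber sample: a small detector that scans process-creation records for the commands an attacker uses to delete shadow copies, wipe the backup catalog and disable Windows recovery. The simplified Sysmon-style "key=value" log lines, the file name in them and the rule names are constructed for illustration; the command-line patterns themselves are the standard ones for vssadmin, wmic, wbadmin and bcdedit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation records in a simplified Sysmon Event ID 1 style.
# These are not real telemetry; the JS file name is an illustrative placeholder.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe C:\Users\home\Downloads\Win10_Security_Update.js"',
    r'EventID=1 Image=C:\Windows\System32\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"',
    r'EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
    r'EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt"',
]

# Rule name -> pattern matched against the command line only (case-insensitive).
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # PowerShell-driven WMI deletion of Win32_ShadowCopy instances.
    ("shadow_copy_delete_powershell",
     re.compile(r"Win32_ShadowCopy.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned records
    rule: str
    command: str


def extract_command_line(record: str) -> Optional[str]:
    """Pull the quoted CommandLine value out of one record, or None if absent."""
    m = CMDLINE_RE.search(record)
    return m.group(1) if m else None


def scan(records: List[str]) -> List[Finding]:
    """Return one Finding per (record, rule) pair whose command line matches."""
    findings: List[Finding] = []
    for n, rec in enumerate(records, start=1):
        cmd = extract_command_line(rec)
        if cmd is None:
            continue
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(n, name, cmd))
    return findings


def is_recovery_tampering(findings: List[Finding], min_rules: int = 2) -> bool:
    """A single hit can be an admin; ransomware fires several distinct rules in
    quick succession, so alert on the number of distinct rules triggered."""
    return len({f.rule for f in findings}) >= min_rules


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}: {f.command}")
    print("recovery tampering:", is_recovery_tampering(hits))
```

Two caveats when using rules like these. First, the article says Magniber's shellcode deletes shadow copies through WMI; a WMI call made in-process (through the COM interfaces rather than by spawning wmic.exe or PowerShell) produces no process-creation event at all, so the wmic and PowerShell rules only catch the noisy variants and you need WMI activity tracing or EDR telemetry for the quiet one. Second, bcdedit and wbadmin are legitimate administrative tools, which is why the example aggregates distinct rules per host rather than alerting on the first match.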

Conclusion

Magniber operators seem to be ramping up their attacks on Windows-based systems. Experts advise home users to keep taking regular backups of important files and, where possible, to store critical data on isolated storage devices. One also needs to make sure that the backups themselves are not encrypted or infected in the process, which means keeping them disconnected from the machine except while the backup is running.
Cyware Publisher