A new and improved version of the Magniber ransomware is expanding beyond South Korea to target other Asian countries, security researchers discovered. Malwarebytes researchers said the malware, which has been active since 2013, comes with some notable improvements, including more refined source code, various new obfuscation techniques and new targets.
The authors behind Magniber previously seemed to focus on limiting infections to South Korea, through country-specific malvertising chains and by installing only when a specific country code was returned. However, MalwareHunterTeam noted earlier this month that Magniber appeared to be becoming a global threat, infecting multiple victims in Taiwan, Hong Kong and other countries.
Now Malwarebytes researchers have confirmed this, saying that changes in its source code seem to indicate an expansion to other Asia Pacific countries besides South Korea.
“In early July, we noted exploit attempts happening outside of the typical area we had become used to, for instance in Malaysia,” researchers wrote in a blog post. “At about the same time, a tweet from MalwareHunterTeam mentioned infections in Taiwan and Hong Kong.”
New functions and tricks
Researchers said the malware's code has been updated to whitelist more languages and now includes other Asian languages such as Chinese (Macau, China, Singapore) and Malay (Malaysia, Brunei).
Magniber's authors are actively developing and continually improving the ransomware. While the initial version of Magniber had simple code and no obfuscation, the latest version's entire source code seems to be more polished.
"Its source code is now more refined, leveraging various obfuscation techniques and no longer dependent on a Command and Control server or hardcoded key for its encryption routine," researchers noted. "Magniber is constantly evolving with big portions of its code fully rewritten over time."
The actions performed by the newly updated Magniber haven't changed much from the original. Encrypted files are given the extension .dyaaghemy and a ransom note named README.txt is left behind.
"While in the past each file was encrypted with the same AES key, this time each file is encrypted with a unique key—the same plaintext gives a different ciphertext," researchers said. "The encrypted content has no patterns visible. That suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode)."
"This time, Magniber comes with a public RSA key of the attackers that makes it fully independent from the Internet connection during the encryption process. This key is used for protecting the unique AES keys used to encrypt files."
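The inference the researchers draw above (no visible patterns in the encrypted content, and a different ciphertext for the same plaintext in different files) can be checked mechanically during triage of a sample. The following is an added example, not code from the article or from Malwarebytes; it uses a constructed keyed-hash stand-in for a block cipher, marked as such, so that it runs without a crypto library, and the file contents, keys and IVs are constructed.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16  # AES block size in bytes

def repeated_block_ratio(data: bytes) -> float:
    """Fraction of 16-byte blocks that occur more than once.
    ECB over repetitive plaintext scores high; CBC or a stream cipher scores ~0."""
    n = len(data) - len(data) % BLOCK
    blocks = [data[i:i + BLOCK] for i in range(0, n, BLOCK)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(c for c in counts.values() if c > 1) / len(blocks)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data of this size approaches 8."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def triage(ct_a: bytes, ct_b: bytes) -> dict:
    """ct_a and ct_b are ciphertexts of the SAME plaintext taken from two files.
    Identical output means one key (and IV) was reused across files."""
    return {
        "ecb_like": repeated_block_ratio(ct_a) > 0.2,
        "entropy": round(shannon_entropy(ct_a), 2),
        "per_file_key": ct_a != ct_b,
    }

# Constructed stand-in for a block cipher (NOT AES): a keyed hash truncated to 16 bytes.
def _toy_block(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:BLOCK]

def toy_ecb(key: bytes, pt: bytes) -> bytes:
    return b"".join(_toy_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def toy_cbc(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _toy_block(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

# Constructed sample file: a heavily repeated 16-byte record followed by 256 varied bytes.
SAMPLE_PLAINTEXT = b"0123456789ABCDEF" * 48 + bytes(range(256))
KEY_A = hashlib.sha256(b"constructed key A").digest()
KEY_B = hashlib.sha256(b"constructed key B").digest()
IV_A, IV_B = KEY_A[:BLOCK], KEY_B[:BLOCK]

if __name__ == "__main__":
    print("one key, ECB:", triage(toy_ecb(KEY_A, SAMPLE_PLAINTEXT), toy_ecb(KEY_A, SAMPLE_PLAINTEXT)))
    print("per-file key, CBC:", triage(toy_cbc(KEY_A, IV_A, SAMPLE_PLAINTEXT), toy_cbc(KEY_B, IV_B, SAMPLE_PLAINTEXT)))
```

The old Magniber behaviour (one AES key for every file) shows up as `per_file_key: False`, while the new build's output shows `per_file_key: True`, `ecb_like: False` and high entropy, matching what the researchers observed.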
In addition to these functional changes, the authors have also worked to improve Magniber's obfuscation techniques.
Changes to Magnitude EK
In 2017, the Magnitude exploit kit delivered the Cerber ransomware to a few select Asian countries before beginning to distribute its own strain of ransomware - Magniber - in October. In April 2018, it began pushing the infamous GandCrab ransomware after incorporating a newly discovered Adobe Flash zero-day CVE-2018-4878. However, it soon shifted back to distributing Magniber again.
Researchers noted that Magnitude's newer campaign seems to be leveraging the new Internet Explorer exploit CVE-2018-8174, which was discovered in April and patched in May. Users who have not applied the patch remain vulnerable to exploitation and likely infection.
There is currently no way to recover files encrypted by the Magniber ransomware.
"While Magniber was not impressive at first, having simple code and no obfuscation, it is actively developed and its quality continuously improves," researchers noted. "Their authors appear professional, even though they commit some mistakes.
"This ransomware operation is carried with surgical precision, from a careful distribution to a matching whitelist of languages. Criminals know exactly which countries they want to target, and they put their efforts to minimize noise and reduce collateral damage."