Magniber, how the ransomware that targets Edge and Chrome users works

There is one constant across the multitude of cybercrime campaigns that have threatened, and unfortunately continue to threaten, computer networks: social engineering. Attack methods and the vectors by which malicious programs spread may change, but the element of deception and psychological pressure does not. We discussed it in relation to smishing, and we do so again with another threat discovered (or rather, re-emerged) on the web: the Magniber ransomware. First spotted in 2017, the malware is back in the spotlight, this time as a fake update for the Microsoft Edge and Google Chrome browsers. Once again, we are dealing with deception, the lever cybercriminals use to lure new victims.

Magniber is a ransomware family first identified towards the end of 2017. It circulates mainly in the territory in which it was created, South Korea, but it is not unusual to find it in other Asia-Pacific countries, as happened in one of its forays in mid-2018, and outside Asia altogether. Initially, Magniber used the Magnitude exploit kit to infect Internet Explorer users via JavaScript. But since Microsoft retired the old Windows browser in favor of the more modern Microsoft Edge, the ransomware has changed its attack strategy in recent years, if only to reach a larger number of users (given the adoption rate of the new Microsoft browser, which is built on the Chromium engine).

Specifically, security researchers at AhnLab have identified Magniber in .APPX application package files, signed with valid certificates, used to deliver the malware in the form of fake Microsoft Edge and Google Chrome browser updates. The researchers' report describes the Korean-origin ransomware's new attack strategy, and a video published on AhnLab's official YouTube channel, which you can view below, shows concretely how Magniber works. But as we anticipated at the start of this article, it is above all social engineering that makes the difference.

Magniber's new strategy relies on .APPX files that are digitally signed with a valid certificate, so that they pass the Windows operating system's checks and the system treats the file as trustworthy and safe. The .APPX format exists precisely to simplify distribution and installation.

To spread the ransomware, the cybercriminals most likely use phishing campaigns by email and through the major messaging apps. These messages contain a link to where the malicious file is hosted, and the user is pushed to click on it through social engineering and psychological pressure. The message may, for example, urge the user to update their web browser because it is no longer secure.

As AhnLab's Korean security researchers illustrate, there are at least two URLs hosting the infected file (“hxxp: //b5305c364336bqd.bytesoh.cam” and “hxxp: //hadhill.quest/376s53290a9n2j”), but it cannot be ruled out that the list is longer. Visiting either of these two sites, which carefully imitate the graphic layout of Microsoft's and Google's pages, the user is shown a notice to update the browser manually: once they click on download, the system downloads an .APPX file to complete the supposed update procedure.

Once the user has clicked on it and installed the file, the system creates two new files in the “C:\Program Files\WindowsApps” directory, namely “wjoiyyxzllm.exe” and “wjoiyyxzllm.dll”:

  • wjoiyyxzllm.exe has the task of loading the DLL file and executing a specific function;
  • wjoiyyxzllm.dll downloads the encoded payload of the Magniber ransomware, then decodes and executes it.
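The following PowerShell triage check is added here as an example and is not taken from the article or from AhnLab; it applies the two observations above (a sideloaded, validly signed .APPX posing as a browser update, and the two files dropped under WindowsApps) to a Windows host. The directory and file names come from the article; the browser-name pattern, the vendor publisher strings and the assumption that the script runs in an elevated session are mine.

```powershell
# Added example: triage a Windows host for the Magniber .APPX pattern described above.
# Assumptions (mine, not from the article): run in an elevated PowerShell session;
# a legitimate browser package is published by Microsoft or Google, so a package
# whose name mentions Edge/Chrome but whose publisher does not is flagged.
$windowsApps = 'C:\Program Files\WindowsApps'            # directory named in the article
$indicators  = @('wjoiyyxzllm.exe', 'wjoiyyxzllm.dll')   # dropped files named in the article

# 1. Packages not signed by the Store or by Windows itself were sideloaded, which is
#    exactly how a fake "browser update" .APPX arrives on the machine.
$sideloaded = Get-AppxPackage -AllUsers |
    Where-Object { $_.SignatureKind -notin @('Store', 'System') } |
    Select-Object Name, Publisher, SignatureKind, InstallLocation

# 2. Among those, a package that advertises a browser but is not published by the
#    browser's vendor matches the lure the article describes.
$fakeBrowserUpdates = $sideloaded | Where-Object {
    $_.Name -match 'Edge|Chrome' -and
    $_.Publisher -notmatch 'O=Microsoft Corporation|O=Google LLC'
}

# 3. The two file names the article reports, anywhere under WindowsApps.
$iocHits = Get-ChildItem -Path $windowsApps -Recurse -Include *.exe, *.dll -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in $indicators }

# 4. A valid Authenticode signature on the .APPX was the whole point of the attack, so do
#    not stop at 'Valid': report who signed each binary inside every sideloaded package.
$signers = foreach ($pkg in $sideloaded) {
    if (-not $pkg.InstallLocation) { continue }
    Get-ChildItem -Path $pkg.InstallLocation -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Package = $pkg.Name
                File    = $_.FullName
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        }
}

'--- Sideloaded packages ---';             $sideloaded         | Format-Table -AutoSize
'--- Browser-named, non-vendor packages ---'; $fakeBrowserUpdates | Format-Table -AutoSize
'--- Article IoC file names found ---';    $iocHits            | Select-Object FullName
'--- Signers of sideloaded binaries ---';  $signers            | Format-Table -AutoSize
```

An empty third section does not clear the host: the file names are one sample's, so the sideloaded-package and signer sections are the part worth reading on every machine.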

The next step is to encrypt the data on the system and demand a ransom. One factor that differentiates Magniber from other malware is the absence of the double extortion tactic: it does not steal files before encrypting the system.

As with its other campaigns, Magniber operates mainly in South Korea, the territory where it was born and where it continues to threaten users; however, its presence outside its home territory cannot be ruled out, and the change in attack strategy, with the .APPX file mechanism, seems to point in that direction.

As is well known, Magniber is ransomware, that is, malware that encrypts files or prevents you from using a computer until payment of what is known in jargon as a ransom. The absence of double extortion and the use of social engineering to reach new victims lead us to suggest some tips for defending against threats of this type, including keeping an offline copy of corporate data at an off-site location and enabling two-factor authentication. The classic advice for defending against phishing attacks also applies, bearing in mind that in this case everything starts from clicking on a suspicious link. It is therefore advisable:

  • to refrain from visiting unsafe, suspicious or fake websites;
  • not to open attachments or links from unknown senders, whether sent by email or through messaging applications, now a breeding ground for cybercriminals.