Stay Alert to Traps in Updates: A New Variant of Magniber Ransomware

October 26, 2022 | Adeline Zhang

Overview

Magniber is a notorious ransomware family. Unlike common families such as Hive and LockBit, which target companies, it is used mainly to extort individuals, with a relatively low ransom of around USD 2,500. Magniber neither spreads automatically nor exfiltrates user files; it only encrypts them. Some Magniber-related ransom activities in 2022 are listed below:

In January 2022, the Magniber ransomware was disguised as a signed APPX file to infect users’ hosts when they updated their Chrome and Edge browsers.

In April 2022, the Magniber ransomware was disguised as a Windows 10 update (.msi file) and was distributed through malicious websites to infect users’ hosts.

In September 2022, the improved Magniber ransomware was disguised as a JavaScript file (.js) to infect users’ hosts.

Attack Method

The new Magniber variant captured in September 2022 used an attack method similar to that of May this year: masquerading as a Windows update file to encrypt the files on the user’s host for ransom.

Magniber samples disguised as Windows update files (.msi) in May 2022

Magniber samples disguised as Windows update files (.js) in September 2022

Reverse Analysis

Before we dive into the details, let’s see the implementation process first.

Implementation process

1. JavaScript file

This time, the Magniber ransomware was written in JavaScript, and its code was lightly obfuscated.

JavaScript code used in Magniber ransomware

When we examined the code, we found that the JavaScript in the Magniber sample closely resembles the code generated by the open-source tool GadgetToJScript.

With this tool, .NET programs can be wrapped in JS, VBS, VBA or HTA scripts. Although the sample captured this time is a JavaScript file, this does not rule out the possibility that the ransomware will be delivered as VBS, VBA or HTA scripts in subsequent attacks.

When the BinaryFormatter in the JS/VBS/VBA script is used for deserialization, .NET assembly loading and execution can be triggered. Taking advantage of this, attackers can execute the .NET code embedded in the JavaScript above.

The .NET program contains little code. Its primary function is to decrypt the shellcode, set the callback address passed to EnumUILanguages to the shellcode entry, and then call EnumUILanguages to execute the shellcode.
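
As an added illustration of the triage side of this (example code written for this page, not the Magniber sample and not GadgetToJScript's own code), the Python below scans a JS/VBS/HTA file for the ingredients a GadgetToJScript-style wrapper needs: a BinaryFormatter reference plus an embedded base64-encoded .NET serialization stream. "BinaryFormatter" comes from the analysis above; the other marker strings (Deserialize_2, System.IO.MemoryStream, ActiveXObject, CreateObject) are assumptions based on how DotNetToJScript-derived loaders are commonly built, and the 17-byte stream header is the standard BinaryFormatter SerializationHeaderRecord. Both sample scripts are constructed; the "suspicious" one carries only marker strings and a header-plus-zeros blob and is not a working loader.

```python
import base64
import re

# Start of a .NET BinaryFormatter stream: SerializationHeaderRecord (0x00),
# RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0. In base64 this is the
# familiar "AAEAAAD/////AQAAAAAAAAA..." prefix.
NET_BINARY_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")

# Strings a GadgetToJScript-style wrapper needs in order to hand a serialized
# .NET object graph to BinaryFormatter. "BinaryFormatter" is from the write-up;
# the rest are assumptions about how such loaders are commonly built, not
# strings taken from the Magniber sample.
LOADER_MARKERS = (
    "BinaryFormatter",
    "Deserialize_2",
    "System.IO.MemoryStream",
    "ActiveXObject",   # JS/HTA COM instantiation
    "CreateObject(",   # VBS/VBA equivalent
)

# A serialized gadget chain has to be carried inline, so look for long base64 runs.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def extract_blobs(text):
    """Return the decoded bytes of every long, valid base64 run in the script."""
    blobs = []
    for match in BASE64_RUN.finditer(text):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
    return blobs


def triage_script(text):
    """Heuristic verdict for a JS/VBS/HTA file: 'clean', 'review' or 'suspicious'."""
    markers = [m for m in LOADER_MARKERS if m in text]
    blobs = extract_blobs(text)
    net_stream = any(b.startswith(NET_BINARY_HEADER) for b in blobs)
    if "BinaryFormatter" in markers and (net_stream or blobs):
        verdict = "suspicious"   # deserialization primitive plus an embedded payload
    elif markers or blobs:
        verdict = "review"       # a single indicator is common in benign scripts
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "markers": markers,
        "blob_count": len(blobs),
        "largest_blob": max((len(b) for b in blobs), default=0),
        "net_binary_stream": net_stream,
    }


# Constructed samples. The "suspicious" one only carries the marker strings and
# a base64 run made of the BinaryFormatter header followed by zero padding; it
# does nothing when run.
_FAKE_STREAM = base64.b64encode(NET_BINARY_HEADER + b"\x00" * 300).decode()
SUSPICIOUS_SAMPLE = (
    'var f = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter";\n'
    'var s = "System.IO.MemoryStream";\n'
    'var payload = "' + _FAKE_STREAM + '";\n'
    'var entry = "Deserialize_2";\n'
)
BENIGN_SAMPLE = 'function greet(name) { WScript.Echo("hello " + name); }\n'

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, triage_script(text))
```

A verdict of "review" is deliberately weak: ActiveXObject and CreateObject appear in plenty of legitimate administrative scripts, so only the combination of the deserialization primitive and an embedded stream is escalated. The same scan applies unchanged to .vbs and .hta files, which the recommendations below flag as likely future carriers.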

2. Shellcode

When the shellcode executes, it first calls NtQuerySystemInformation to enumerate all processes running on the system, uses NtOpenProcess to obtain a handle to the injection target, and then uses NtQueryInformationProcess to determine whether that process is 64-bit. If it is, it calls NtWriteVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, NtResumeThread and related functions to perform thread injection.

Process of checking the injection target

Process of performing the injection

It is worth mentioning that Magniber loads the system call number itself and uses the syscall instruction to call the kernel function directly, bypassing anti-virus software’s monitoring of Windows APIs. However, the call number for the same function is not necessarily the same across Windows kernel versions. To support hosts with different kernel versions, Magniber must determine the correct call number for each. By reverse-analysing how Magniber calls NtCreateThreadEx, we found the currently supported Windows versions to be as follows:

3. Injection Code

The code injected into the thread is in fact the ransomware itself. The samples captured this time are entirely consistent in their core functions with those captured earlier. The encryption process is as follows:

(1) Obtain the list of folders and files on the current host;

(2) Check the folder to be encrypted; if it is in the white list, skip it;

(3) Check whether the current file’s extension is one of the targeted extensions, and if so, encrypt the file;

(4) Randomly generate the key and IV required for AES encryption;

(5) Encrypt the current file with AES in CBC mode;

(6) Encrypt the AES key and IV with the built-in RSA public key and append the result to the end of the file;

(7) Append the extension .rfguxgmap to the encrypted file;

(8) Create a README.html ransom note in the folder of the encrypted file;

(9) Open the ransom page in the Edge browser to notify users that their files have been encrypted.

Extension of the encrypted file

Ransom note

In the samples captured in May, Magniber deleted shadow copies and disabled the Windows recovery function via thread injection. The new variant drops that thread injection step and instead deletes shadow copies and disables Windows recovery directly after the ransom note has been displayed.

Like the May sample, Magniber uses a UAC bypass to trigger the cleanup of Windows backups. The specific UAC bypass steps in the sample are as follows:

1. Locate Registry Key

“HKCU\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\open\command”

2. Set the default Key value to:

“wscript.exe /B /E:VBScript.Encode ../../Users/Public/chvzelmd.rdb”

3. Write encoded VBScript code, which deletes shadow copies and system backups and disables Windows recovery, to the Public directory

4. Create a fodhelper.exe process to trigger the UAC bypass and execute the command written in the registry

Steps of UAC Bypass

Decrypted VBScript

Protection Recommendations

  • Do not download or run any patch files from unofficial websites;
  • Install anti-virus software with self-protection so that attackers cannot terminate it, and keep the virus database up to date;
  • In addition to Magniber samples with the extensions .exe, .msi and .js, stay alert to variants with the extensions .vbs and .hta;
  • Strengthen employees’ security awareness; do not open unfamiliar emails or suspicious links;
  • Rename the default system administrator account, and do not use user names such as admin, administrator and test that attackers easily guess;
  • Strengthen host account and password management, and increase password complexity and change frequency;
  • Configure an account lockout policy through Windows Group Policy to lock accounts after several consecutive failed login attempts within a short time;
  • Enable the Windows firewall, and restrict RDP and SMB access with ACLs and similar controls;
  • Promptly apply security patches for critical vulnerabilities in the operating system and other commonly used software;
  • Back up critical business data regularly to prevent data damage or loss.

Appendix

1. Encryption-related information

White list:

“documents and settings”

“appdata”

“local settings”

“sample music”

“sample pictures”

“sample videos”

“tor browser”

“recycle”

“windows”

“boot”

“intel”

“msocache”

“perflogs”

“program files”

“programdata”

“recovery”

“system volume information”

Extensions of encrypted files:

1-character extensions for small-size files: [‘c’, ‘h’, ‘j’, ‘p’, ‘x’]

2-character extensions for small-size files: [‘ai’, ‘ca’, ‘cd’, ‘cf’, ‘cs’, ‘ct’, ‘db’, ‘dd’, ‘dt’, ‘dv’, ‘dx’, ‘em’, ‘ep’, ‘eq’, ‘fa’, ‘fb’, ‘fi’, ‘fo’, ‘gv’, ‘hp’, ‘hs’, ‘hz’, ‘ib’, ‘ii’, ‘js’, ‘jw’, ‘ma’, ‘mb’, ‘me’, ‘mm’, ‘mx’, ‘my’, ‘of’, ‘pa’, ‘pm’, ‘pu’, ‘px’, ‘qd’, ‘rb’, ‘rd’, ‘rs’, ‘rt’, ‘rw’, ‘sh’, ‘sq’, ‘st’, ‘te’, ‘tm’, ‘vb’, ‘vm’, ‘vw’, ‘wn’, ‘wp’, ‘xd’, ‘ya’, ‘ym’, ‘zw’]

2-character extensions for large-size files: [‘gz’]

3-character extensions for small-size files: [‘abm’, ‘abs’, ‘abw’, ‘act’, ‘adn’, ‘adp’, ‘aes’, ‘aft’, ‘afx’, ‘agp’, ‘ahd’, ‘aic’, ‘aim’, ‘alf’, ‘ans’, ‘apd’, ‘apm’, ‘aps’, ‘apt’, ‘apx’, ‘art’, ‘arw’, ‘asc’, ‘ase’, ‘ask’, ‘asm’, ‘asp’, ‘asw’, ‘asy’, ‘aty’, ‘awp’, ‘awt’, ‘aww’, ‘azz’, ‘bad’, ‘bay’, ‘bbs’, ‘bdb’, ‘bdp’, ‘bdr’, ‘bib’, ‘bmx’, ‘bna’, ‘bnd’, ‘boc’, ‘bok’, ‘brd’, ‘brk’, ‘brn’, ‘brt’, ‘bss’, ‘btd’, ‘bti’, ‘btr’, ‘can’, ‘cdb’, ‘cdc’, ‘cdg’, ‘cdr’, ‘cdt’, ‘cfu’, ‘cgm’, ‘cin’, ‘cit’, ‘ckp’, ‘cma’, ‘cmx’, ‘cnm’, ‘cnv’, ‘cpc’, ‘cpd’, ‘cpg’, ‘cpp’, ‘cps’, ‘cpx’, ‘crd’, ‘crt’, ‘crw’, ‘csr’, ‘csv’, ‘csy’, ‘cvg’, ‘cvi’, ‘cvs’, ‘cvx’, ‘cwt’, ‘cxf’, ‘cyi’, ‘dad’, ‘daf’, ‘dbc’, ‘dbf’, ‘dbk’, ‘dbs’, ‘dbt’, ‘dbv’, ‘dbx’, ‘dca’, ‘dcb’, ‘dch’, ‘dcr’, ‘dcs’, ‘dct’, ‘dcx’, ‘dds’, ‘ded’, ‘der’, ‘dgn’, ‘dgs’, ‘dgt’, ‘dhs’, ‘dib’, ‘dif’, ‘dip’, ‘diz’, ‘djv’, ‘dmi’, ‘dmo’, ‘dnc’, ‘dne’, ‘doc’, ‘dot’, ‘dpp’, ‘dpx’, ‘dqy’, ‘drw’, ‘drz’, ‘dsk’, ‘dsn’, ‘dsv’, ‘dta’, ‘dtw’, ‘dvi’, ‘dwg’, ‘dxb’, ‘dxf’, ‘eco’, ‘ecw’, ‘ecx’, ‘edb’, ‘efd’, ‘egc’, ‘eio’, ‘eip’, ‘eit’, ‘emd’, ‘emf’, ‘epf’, ‘epp’, ‘eps’, ‘erf’, ‘err’, ‘etf’, ‘etx’, ‘euc’, ‘exr’, ‘faq’, ‘fax’, ‘fbx’, ‘fcd’, ‘fcf’, ‘fdf’, ‘fdr’, ‘fds’, ‘fdt’, ‘fdx’, ‘fes’, ‘fft’, ‘fic’, ‘fid’, ‘fif’, ‘fig’, ‘flr’, ‘fmv’, ‘fpt’, ‘fpx’, ‘frm’, ‘frt’, ‘frx’, ‘ftn’, ‘fxc’, ‘fxg’, ‘fzb’, ‘fzv’, ‘gdb’, ‘gem’, ‘geo’, ‘gfb’, ‘ggr’, ‘gih’, ‘gim’, ‘gio’, ‘gpd’, ‘gpg’, ‘gpn’, ‘gro’, ‘grs’, ‘gsd’, ‘gtp’, ‘gwi’, ‘hbk’, ‘hdb’, ‘hdp’, ‘hdr’, ‘hht’, ‘his’, ‘hpg’, ‘hpi’, ‘htc’, ‘hwp’, ‘ibd’, ‘imd’, ‘ink’, ‘ipf’, ‘ipx’, ‘itw’, ‘iwi’, ‘jar’, ‘jas’, ‘jbr’, ‘jia’, ‘jis’, ‘jng’, ‘joe’, ‘jpe’, ‘jps’, ‘jpx’, ‘jsp’, ‘jtf’, ‘jtx’, ‘jxr’, ‘kdb’, ‘kdc’, ‘kdi’, ‘kdk’, ‘kes’, ‘key’, ‘kic’, ‘klg’, ‘knt’, ‘kon’, ‘kpg’, ‘kwd’, ‘lay’, ‘lbm’, ‘lbt’, ‘ldf’, ‘lgc’, ‘lis’, ‘lit’, ‘ljp’, ‘lmk’, ‘lnt’, ‘lrc’, ‘lst’, ‘ltr’, ‘ltx’, ‘lue’, ‘luf’, ‘lwo’, ‘lwp’, ‘lws’, ‘lyt’, ‘lyx’, ‘mac’, ‘man’, ‘map’, ‘maq’, ‘mat’, ‘max’, ‘mbm’, ‘mdb’, ‘mdf’, ‘mdn’, ‘mdt’, ‘mef’, ‘mel’, ‘mft’, ‘min’, ‘mnr’, ‘mnt’, ‘mos’, ‘mpf’, ‘mpo’, ‘mrg’, ‘msg’, ‘mud’, ‘mwb’, ‘mwp’, ‘myd’, ‘myi’, ‘ncr’, ‘nct’, ‘ndf’, ‘nef’, ‘nfo’, ‘njx’, ‘nlm’, ‘now’, ‘nrw’, ‘nsf’, ‘nyf’, ‘nzb’, ‘obj’, ‘oce’, ‘oci’, ‘odb’, ‘odg’, ‘odm’, ‘odo’, ‘odp’, ‘ods’, ‘odt’, ‘oft’, ‘omf’, ‘oqy’, ‘ora’, ‘orf’, ‘ort’, ‘orx’, ‘ost’, ‘ota’, ‘otg’, ‘oti’, ‘otp’, ‘ots’, ‘ott’, ‘ovp’, ‘ovr’, ‘owc’, ‘owg’, ‘oyx’, ‘ozb’, ‘ozj’, ‘ozt’, ‘pan’, ‘pap’, ‘pas’, ‘pbm’, ‘pcd’, ‘pcs’, ‘pdb’, ‘pdd’, ‘pdf’, ‘pdm’, ‘pds’, ‘pdt’, ‘pef’, ‘pem’, ‘pff’, ‘pfi’, ‘pfs’, ‘pfv’, ‘pfx’, ‘pgf’, ‘pgm’, ‘phm’, ‘php’, ‘pic’, ‘pix’, ‘pjt’, ‘plt’, ‘pmg’, ‘pni’, ‘pnm’, ‘pnz’, ‘pop’, ‘pot’, ‘ppm’, ‘pps’, ‘ppt’, ‘prt’, ‘prw’, ‘psd’, ‘pse’, ‘psp’, ‘pst’, ‘psw’, ‘ptg’, ‘pth’, ‘ptx’, ‘pvj’, ‘pvm’, ‘pvr’, ‘pwa’, ‘pwi’, ‘pwr’, ‘pxr’, ‘pza’, ‘pzp’, ‘pzs’, ‘qmg’, ‘qpx’, ‘qry’, ‘qvd’, ‘rad’, ‘ras’, ‘raw’, ‘rcu’, ‘rdb’, ‘rft’, ‘rgb’, ‘rgf’, ‘rib’, ‘ric’, ‘ris’, ‘rix’, ‘rle’, ‘rli’, ‘rng’, ‘rpd’, ‘rpf’, ‘rpt’, ‘rri’, ‘rsb’, ‘rsd’, ‘rsr’, ‘rst’, ‘rtd’, ‘rtf’, ‘rtx’, ‘run’, ‘rzk’, ‘rzn’, ‘saf’, ‘sam’, ‘sbf’, ‘scc’, ‘sch’, ‘sci’, ‘scm’, ‘sct’, ‘scv’, ‘scw’, ‘sdb’, ‘sdf’, ‘sdm’, ‘sdw’, ‘sep’, ‘sfc’, ‘sfw’, ‘sgm’, ‘sig’, ‘skm’, ‘sla’, ‘sld’, ‘slk’, ‘sln’, ‘sls’, ‘smf’, ‘sms’, ‘snt’, ‘sob’, ‘spa’, ‘spe’, ‘sph’, ‘spj’, ‘spp’, ‘spq’, ‘spr’, ‘sqb’, ‘srw’, ‘ssa’, ‘ssk’, ‘stc’, ‘std’, ‘sti’, ‘stm’, ‘stn’, ‘stp’, ‘str’, ‘stw’, ‘sty’, ‘sub’, ‘suo’, ‘svf’, ‘svg’, ‘sxc’, ‘sxd’, ‘sxg’, ‘sxi’, ‘sxm’, ‘sxw’, ‘tab’, ‘tcx’, ‘tdf’, ‘tdt’, ‘tex’, ‘thp’, ‘tlb’, ‘tlc’, ‘tmd’, ‘tmv’, ‘tmx’, ‘tne’, ‘tpc’, ‘trm’, ‘tvj’, ‘udb’, ‘ufr’, ‘unx’, ‘uof’, ‘uop’, ‘uot’, ‘upd’, ‘usr’, ‘vbr’, ‘vbs’, ‘vct’, ‘vdb’, ‘vdi’, ‘vec’, ‘vmx’, ‘vnt’, ‘vpd’, ‘vrm’, ‘vrp’, ‘vsd’, ‘vsm’, ‘vue’, ‘wbk’, ‘wcf’, ‘wdb’, ‘wgz’, ‘wks’, ‘wpa’, ‘wpd’, ‘wpg’, ‘wps’, ‘wpt’, ‘wpw’, ‘wri’, ‘wsc’, ‘wsd’, ‘wsh’, ‘wtx’, ‘xar’, ‘xdb’, ‘xlc’, ‘xld’, ‘xlf’, ‘xlm’, ‘xls’, ‘xlt’, ‘xlw’, ‘xps’, ‘xwp’, ‘xyp’, ‘xyw’, ‘ybk’, ‘zdb’, ‘zdc’]

3-character extensions for large-size files: [‘arc’, ‘asf’, ‘avi’, ‘bak’, ‘bmp’, ‘fla’, ‘flv’, ‘gif’, ‘iso’, ‘jpg’, ‘mid’, ‘mkv’, ‘mov’, ‘mpg’, ‘paq’, ‘png’, ‘rar’, ‘swf’, ‘tar’, ‘tbk’, ‘tgz’, ‘tif’, ‘vcd’, ‘vob’, ‘wav’, ‘wma’, ‘wmv’, ‘zip’]

4-character extensions for small-size files: [‘agif’, ‘albm’, ‘apng’, ‘awdb’, ‘bean’, ‘cals’, ‘cdmm’, ‘cdmt’, ‘cdmz’, ‘cimg’, ‘clkw’, ‘colz’, ‘djvu’, ‘docb’, ‘docm’, ‘docx’, ‘docz’, ‘dotm’, ‘dotx’, ‘dtsx’, ‘emlx’, ‘epsf’, ‘fdxt’, ‘fodt’, ‘fpos’, ‘fwdn’, ‘gcdp’, ‘gdoc’, ‘gfie’, ‘glox’, ‘grob’, ‘gthr’, ‘icon’, ‘icpr’, ‘idea’, ‘info’, ‘itdb’, ‘java’, ‘jbig’, ‘jbmp’, ‘jfif’, ‘jrtf’, ‘kdbx’, ‘mbox’, ‘mgcb’, ‘mgmf’, ‘mgmt’, ‘mgmx’, ‘mgtx’, ‘mmat’, ‘mrxs’, ‘oplc’, ‘pano’, ‘pict’, ‘pjpg’, ‘pntg’, ‘pobj’, ‘potm’, ‘potx’, ‘ppam’, ‘ppsm’, ‘ppsx’, ‘pptm’, ‘pptx’, ‘psdx’, ‘psid’, ‘rctd’, ‘riff’, ‘scad’, ‘sdoc’, ‘sldm’, ‘sldx’, ‘svgz’, ‘text’, ‘utxt’, ‘vsdm’, ‘vsdx’, ‘vstm’, ‘vstx’, ‘wire’, ‘wmdb’, ‘xlgc’, ‘xlsb’, ‘xlsm’, ‘xlsx’, ‘xltm’, ‘xltx’, ‘zabw’]

4-character extensions for large-size files: [‘jpeg’, ‘mpeg’, ‘tiff’, ‘vmdk’]

5-character extensions for small-size files: [‘accdb’, ‘class’]
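
Steps (2), (3) and (7) of the encryption process in the Reverse Analysis section, together with the white list and extension lists in this appendix, are enough to predict which files on a host the sample would touch, which is what an incident responder needs when scoping an infection. The Python below is an added example written for this page, not code from the sample or from NSFOCUS. Two points are assumptions: white-list names are matched case-insensitively as substrings of each directory component (so that “recycle” covers “$Recycle.Bin”), since the write-up does not say how the comparison is made, and the 3- and 4-character “small” extension entries are a subset of the appendix lists kept short for illustration. The file listing is constructed.

```python
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".rfguxgmap"   # extension the sample appends (step 7)

# Folder names the sample skips (appendix white list). Matching is a
# case-insensitive substring test against every directory component; treating
# "recycle" as covering "$Recycle.Bin" is an assumption.
SKIP_FOLDERS = (
    "documents and settings", "appdata", "local settings", "sample music",
    "sample pictures", "sample videos", "tor browser", "recycle", "windows",
    "boot", "intel", "msocache", "perflogs", "program files", "programdata",
    "recovery", "system volume information",
)

# Targeted extensions by the size class the appendix assigns them. The 1-, 2-
# and 5-character small lists and all large lists are complete; the 3- and
# 4-character small entries are a subset, paste the full appendix lists for
# real scoping work.
SMALL_EXT = frozenset(
    ["c", "h", "j", "p", "x"]
    + ["ai", "cs", "db", "js", "rb", "sh", "vb"]
    + ["asp", "cpp", "csv", "doc", "dot", "jsp", "kdb", "key", "pdf", "pem",
       "pfx", "php", "ppt", "pst", "rtf", "svg", "tex", "xls"]
    + ["docm", "docx", "java", "kdbx", "mbox", "pptm", "pptx", "xlsm", "xlsx"]
    + ["accdb", "class"]
)
LARGE_EXT = frozenset(
    ["gz"]
    + ["arc", "asf", "avi", "bak", "bmp", "fla", "flv", "gif", "iso", "jpg",
       "mid", "mkv", "mov", "mpg", "paq", "png", "rar", "swf", "tar", "tbk",
       "tgz", "tif", "vcd", "vob", "wav", "wma", "wmv", "zip"]
    + ["jpeg", "mpeg", "tiff", "vmdk"]
)


def classify(path):
    """Say how the sample would treat one file, following steps (2), (3) and (7)."""
    p = PureWindowsPath(path)
    if p.name.lower().endswith(ENCRYPTED_SUFFIX):
        return "already-encrypted"          # marker of a file it has processed
    for part in p.parent.parts:             # step (2): white-listed folder?
        folder = part.lower()
        if any(skip in folder for skip in SKIP_FOLDERS):
            return "skipped-folder"
    ext = p.suffix[1:].lower()              # "" when the file has no extension
    if ext in SMALL_EXT:                    # step (3): targeted extension?
        return "target-small"
    if ext in LARGE_EXT:
        return "target-large"
    return "not-targeted"


def scope_report(paths):
    """Count files per class, e.g. over a file listing taken from an affected host."""
    return dict(Counter(classify(p) for p in paths))


# Constructed file listing, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\holiday.JPG",
    r"C:\Users\alice\AppData\Roaming\app\config.db",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\Tool\readme.doc",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\thesis.docx.rfguxgmap",
    r"C:\$Recycle.Bin\S-1-5-21-1\old.pdf",
    r"C:\Data\archive.tar.gz",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{classify(path):18} {path}")
    print(scope_report(SAMPLE_PATHS))
```

Two things the listing makes visible: the white-list check runs before the extension check, so readme.doc under Program Files is spared even though .doc is targeted, and the substring match means a folder such as “Bootstrap” or “Intelligence” would also be skipped under this assumption. A count of "target-small" and "target-large" files outside skipped folders, compared with the count of ".rfguxgmap" files found, tells you how far the encryption run got before it was stopped.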

2. Summary of signatures and behaviors in captured samples

  1. Key APIs of process injection
    NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, NtResumeThread
  2. Key APIs of encryption
    CryptAcquireContextW, CryptGenRandom, CryptImportKey, CryptSetKeyParam, CryptEncrypt, NtCreateFile, NtQueryInformationFile, NtReadFile, NtWriteFile
  3. Set the default value of the registry key
    “HKCU\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\open\command” to “wscript.exe /B /E:VBScript.Encode ../../Users/Public/%RandomString%.rdb”
  4. Use cmd.exe to create a fodhelper.exe process
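
The UAC bypass steps in the Reverse Analysis section and items 3 and 4 above reduce to two detection rules: a write under HKCU\SOFTWARE\Classes\AppX<ProgID>\Shell\open\command whose value runs wscript.exe with /E:VBScript.Encode, and a fodhelper.exe process that is created by cmd.exe or that spawns a child. The Python below is an added example written for this page, not a detection rule from NSFOCUS. The event records are constructed to resemble a host process-creation and registry-modification log; accepting any AppX ProgID under Classes rather than only the one seen in the sample, and flagging any child of fodhelper.exe (which normally spawns none), are the author's generalizations.

```python
import re

# Registry path used by the fodhelper.exe UAC bypass in the sample. The AppX
# ProgID in the write-up is one specific value; the pattern accepts any AppX
# ProgID under HKCU\Software\Classes (author's generalization).
HIJACK_KEY = re.compile(
    r"^HKCU\\SOFTWARE\\Classes\\AppX[0-9a-z]+\\Shell\\open\\command$", re.IGNORECASE
)
# Command the sample writes there: wscript.exe running an encoded VBScript.
HIJACK_CMD = re.compile(r"wscript\.exe.*/E:VBScript\.Encode", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples for a chronological stream of event dicts."""
    alerts = []
    procs = {}   # pid -> process_create event, filled in as events arrive
    for ev in events:
        if ev["type"] == "registry_set":
            if HIJACK_KEY.match(ev["key"]) and HIJACK_CMD.search(ev["value"]):
                alerts.append(("uac-bypass-registry", f'{ev["key"]} = {ev["value"]}'))
        elif ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            name = image_name(ev["image"])
            parent = procs.get(ev["ppid"])
            parent_name = image_name(parent["image"]) if parent else ""
            # Item 4 above: the sample launches fodhelper.exe through cmd.exe.
            if name == "fodhelper.exe" and parent_name == "cmd.exe":
                alerts.append(("fodhelper-from-cmd", f'pid {ev["pid"]}, parent pid {ev["ppid"]}'))
            # fodhelper.exe normally has no children; here it runs the hijacked command.
            if parent_name == "fodhelper.exe":
                alerts.append(("fodhelper-child", f'pid {ev["pid"]}: {ev["cmdline"]}'))
    return alerts


# Constructed event stream. Pid 90 stands for the process hosting the injected
# ransomware code; the registry value and command line follow the write-up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 90, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "registry_set", "pid": 90,
     "key": r"HKCU\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\open\command",
     "value": "wscript.exe /B /E:VBScript.Encode ../../Users/Public/chvzelmd.rdb"},
    {"type": "process_create", "pid": 100, "ppid": 90,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process_create", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"type": "process_create", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe /B /E:VBScript.Encode ../../Users/Public/chvzelmd.rdb"},
    # Benign: a user opening Optional Features from Settings (parent explorer.exe,
    # no child process), and an unrelated file-association write under Classes.
    {"type": "process_create", "pid": 201, "ppid": 90,
     "image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"type": "registry_set", "pid": 90,
     "key": r"HKCU\SOFTWARE\Classes\.txt", "value": "txtfile"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The registry rule fires before any process is created, which is the earliest point at which a host can be isolated; because the key lives in HKCU it is written without administrative rights, so its presence is never legitimate for an AppX ProgID. Remediation on a hit is to delete the Shell\open\command value and to collect the .rdb file from C:\Users\Public that the command points at.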

3. IOCs

HASH list of published sample files:

934cfeb5ee3d2ba49831d76dffb1a2658326e1cd90b50779d6670eb2fbdc7ed1

6155453a58b0ba360fd18a32d838c4452fec374c364824b50447500c8fd12e80

5b2a5ac50977f41ac27590395bb89c1afd553e58f2979b680d545bff1530a17b

79590d91e9131918df458221e8fcb9c5e33d0200f05f9704dcf88167a5515b3f

7064eab88837bc68b8c5076300170cd73dbea046c9594b588779082396dbfe4c

a292ff42e0e1b58b13c867d2c94da2a5d34caa2e9c30b63610f7e12be5e7d3d9

dfa32d8ed7c429b020c0581148a55bc752c35834d7a2b1bae886f2b436285c94

c1d1402226179c66570d66290dff2238b6a9f918c81267a61d58f4807f0d911c

56fb0d5e2e216f2b4d9846517d9ed23b69fba4f19f2bad71cdce47d9081642eb

92ec900b0aa0f8a335cf63d4f313729da2831ffc7d15985adf2d98f2c85c3783

c7729a7817a3d63f71d6c9066bd87192d07992ae57fc3d3e6d0e67c5ab9fb213

9d665f87440c22e3ae209308e3712a83a67932643be019e18b1ae00dc4ab8cbd

b12461bdd88bb2a7f56d11324272ae2a766d560371b2725be6f9d3175fb32f8c

abeec5267f6eb9fc9f01f4688a53e83c87898845767b8cd8599c75dbce1766a8

aeee31c3649724686cb9ad17fe1ee2b70b1ad1b6cd77cb8b1997aa6e75d49cc5

1eba630a870ce1aa840219d77e280cfd05d3d5e5cdea6f382c1c2b8b14ddf04d

54a5b06060639a483a8f6c80c8f095fb41e3eb5e7c02c3ad4ba29ee3a9ed7aab

76c012f134e81138fb37ac3638488f309662efcc9bb4011ff8e54869f26bb119

56d301fe7a6b1a9e21898162b0dada9ff12878c539591052919fabcc36d28541

4936cf896d0e76d6336d07cc14fbe8a99fbe10ad3e682dbc12fdfe7070fd1b24

6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c

05cf26eaea577417804075a2458ac63f58a56b7612653d3a4c2ce8fa752bd418

266f930572d3006c36ba7e97b4ffed107827decd7738a58c218e1ae5450fbe95

9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6

98d96f56deaec6f0324126fcdd79fd8854d52ac2996d223d0cb0ab4cff13ff7c

0c5956b7f252408db7e7b0195bb5419ad3b8daa45ec1944c44e3ec1cca51920f

c4f9dbff435d873b4e8ecbab8c1b7d2dbdb969ac75af4b1d325e06eb4e51b3ad

5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34

d0375fc9cbb564fb18e0afea926c7faf50464b9afb329913dd5486c7cbb36e2e

ad89fb8819f98e38cddf6135004e1d93e8c8e4cba681ba16d408c4d69317eb47

99f0e7f06831c6283f5f4dc261a7bcbe4109b4a6717b534c816ca65cd2f05dc4

b81f76bd5c6e66b9b3a4f2828e58d557091475bed656c9a8d13c8c0e4b7f3936

c6f1da2490fe78b1f281a98c32d6fa88d675598e658d4e660274047e36f1b189

dd30688a0e5ac08fc547f44b60f13ef664654c9a8977f7a5f8f619b08c09620b

c0bf9153ce1641791b357fdb5c2c596fbbf15991a86f510cc444bdb477574d44

bf50794c33eebc9dc2ce3902fe29f683a37da50de3654a2775baa74d0bbd1188

b8e76ad7c7857d9985b15dcd064664d198db7201cb9eb6a0e53d81b6002f7d29

cc1ce8c687450b082dd19a6c5d868f5798e52422172f91ee4b70cb5ffd9f6fcd

a587172f1bbe665cdfc0cbcec54e72d8b9048c77f344ba5076a17fbf620597de

c4560eee4b02dc0ef087e48848cc83b270068d167f613f04d43a64025e72c09f

82fcea3c48509a1724c0a6ded9e3d3cab775a86588119c35b79355105bd828c4

e993e4ddd05007e62e6e2d00e70927933446ff4bcae2b559bb6be3bc5e4ad2d8

5b513dfd8f94f9b6e962eb691caa56d52ab4453369108ae3b572e2ee7f9b555d

d2d3fbfa73dfeb73a6f5c59fefab8dd99dcff58cefeb0d3b3b1c1a8854178933

d80d90ef631bb60b773bf1211f3c53c1cac043674c85eb65dbc457656ba5d4cc

757cd5b65155cd115b71021685fcc52a42ee80aca247ea68f41aa0d82dc20fc0

bba85d79db69db1b638e24e0a426ccccdc5c95875b8c3a26aa959cce3f6c8575

beb5e1c5ba835f29e272b2942b27b63f6f15647f3da51754fcf53c277e0eccf7

f41ec94f9d0c7480df2196b3fc5493599d50de222d2c903b173db3e7caff8747

397aa7bcc4a574dc30f0a491e03be15da55fa898624c7b15d0197e72802d048d

6b18a287aa2c170605409a4675fd600d0597623d174445aaea5a2279bee0c145

46d8d6230083254fa324299fc609125ee404e4bbdd3936ddc0235ae21479b655

e8663c5c28d8591f06eb7995e0f22b7ae7909f9431786f8557f2c081e0e79fad

d3f626d3e533f3b4aa0599c231210d53f709c46f0cfc3d28f0303df544a39b1b

814061567356daf6306eb673cfb97cab264c798320bf1b432d396b66393adf83

2c93879d024238d23270fab734a5ba530bfba2d35b44d265c8be3c93ff8cf463

3055baf30466f1c0f4cd5b78d05fe32ef7fd406dead3ecfcbdef464fdee551b8

568e1e3d55a6146f0f899159c3a5183362b8b13304109b49f7394a9fe8c69ea7

932d2330dc3c1366a8e956183858246c4052027cae1590d2211186be648fdcf4

dfabd6462ab2ecb9fb0cea7caa257841a751c1e91118168ef5a082cf8a25210f

fbd69303e6255aae830daba957c8ef62eb6d23340274eb8058826a08e82773db

123d7744a407af376b4ee4402ff8bee588b40540bcfba22fb64768d1de8c1861

Published domain names:

totwo[.]pw

ittakes[.]fun

catat[.]site

tinpick[.]online

pirlay[.]fun

buyaims[.]online

orhung[.]space

actred[.]site

Reference

  • https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/
  • https://github.com/med0x2e/GadgetToJScript
  • https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.