Magniber Ransomware
Overview
After delivering payloads for a number of ransomware families in selected Asian countries, the Magnitude exploit kit (EK) has resurfaced, this time with a new payload. The delivered malware is again ransomware, but of a family that was not known before. It has been named “Magniber”.
Magniber is highly targeted: it checks at several levels (external IP address, installed language, etc.) to ensure that the attacked system is South Korean, and it only runs if those checks pass. Targeting a single country is unusual on its own, but performing multiple checks to confirm the country and language of the victim makes this a first for ransomware. Magniber is delivered packed by various crypters, and the unpacking method depends on the features of the crypter used.
Behavioral Analysis
This ransomware is dropped only by the Magnitude exploit kit. If the malware is executed on a non-Korean system, the only observable activity is that it deletes itself, with the deletion delayed by running the ping command. It starts its malicious operations only on systems where the Korean language is detected. The executable is fairly noisy, because it carries out several of its tasks through the command line. The malware copies itself to %TEMP% and deploys itself with the help of the Task Scheduler. The ransom note and one more file are dropped in the same folder as the encrypted files. That file's name is the same as the part of the C&C domain that is generated for the particular victim (the per-victim subdomain label), and its extension is the same as the extension of the encrypted files. Each encrypted file receives an appended extension composed of lowercase Latin letters; the extension is constant for a given Magniber sample.
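The behaviours above (ping-delayed self-deletion, an executable staged in %TEMP%, persistence through the Task Scheduler) can be hunted for in process-creation telemetry. The script below is an added example written for this page, not code from the original analysis or from Magniber itself. The sample events and their command lines are constructed: the "ping then del" chain and the `schtasks /create` target in Temp are assumed shapes of the behaviours the write-up names, since the page does not quote the sample's exact command lines.

```python
"""Heuristic detection of the Magniber behaviours described above over
process-creation events: ping-delayed self-deletion, an executable staged
in %TEMP%, and persistence through the Task Scheduler."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # its command line


# Constructed sample events, not real telemetry. The command-line shapes are
# assumptions (a typical "ping to stall, then del" chain and a schtasks
# /create pointing into Temp); the page does not quote Magniber's exact strings.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\victim\AppData\Local\Temp\a1b2c3.exe",
              r'"C:\Users\victim\AppData\Local\Temp\a1b2c3.exe"'),
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\victim\Downloads\dropper.exe"'),
    ProcEvent(202, 200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Updater /tr "C:\Users\victim\AppData\Local\Temp\a1b2c3.exe" /sc minute /mo 15'),
    # Benign look-alikes: a plain ping, and a scheduled task outside Temp.
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ping 8.8.8.8 -n 4"),
    ProcEvent(301, 100, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily'),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
PING_THEN_DEL = re.compile(r"\bping\b.*&+\s*del\b", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?\s.*/create\b.*/tr\s+"?(?P<target>[^"]+)', re.IGNORECASE)


def detect(events):
    """Return (rule, pid) pairs. Each rule alone is weak; see correlate()."""
    hits = []
    for ev in events:
        if TEMP_DIR.search(ev.image):
            hits.append(("exe_running_from_temp", ev.pid))
        if PING_THEN_DEL.search(ev.cmdline):
            hits.append(("ping_delayed_self_delete", ev.pid))
        m = SCHTASKS_CREATE.search(ev.cmdline)
        if m and TEMP_DIR.search(m.group("target")):
            hits.append(("schtasks_persistence_from_temp", ev.pid))
    return hits


def correlate(events, hits):
    """Attribute each hit to the Temp-resident process that caused it (the
    process itself for the staging rule, its parent for the child-command
    rules) and keep only processes with at least two distinct rules: that
    combination is what the write-up describes, and it is far rarer than
    any single event."""
    by_pid = {ev.pid: ev for ev in events}
    grouped = {}
    for rule, pid in hits:
        owner = pid if rule == "exe_running_from_temp" else by_pid[pid].ppid
        grouped.setdefault(owner, set()).add(rule)
    return {pid: rules for pid, rules in grouped.items() if len(rules) >= 2}


if __name__ == "__main__":
    for pid, rules in correlate(SAMPLE_EVENTS, detect(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: {', '.join(sorted(rules))}")
```

The point of `correlate()` is that none of the three rules is a detection on its own: plenty of installers ping-then-delete, and legitimate software creates scheduled tasks. A single Temp-resident process whose children both self-delete and register a task pointing back into Temp is the combination worth paging on. On a real host, feed it Sysmon Event ID 1 or 4688 events with the same four fields.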
Ransomware Note
Indicators of Compromise (IOCs)
Hashes (SHA-256)
- 9bb96afdce48fcf9ba9d6dda2e23c936c661212e8a74114e7813082841667508
- 8968c1b7a7aa95931fcd9b72cdde8416063da27565d5308c818fdaafddfa3b51
- aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30
- 7361a5e7da06f7fa61f53d98e1548436ae6888e6d2decdce36c9ca1387f851df
C&C URLs
- http://xat91h3evntk5zb66dr.bankme.date/new1
- http://xat91h3evntk5zb66dr.bankme.date/end1
- http://xat91h3evntk5zb66dr.bankme.date/EP866p5M93wDS513
- http://xat91h3evntk5zb66dr.jobsnot.services/EP866p5M93wDS513
- http://xat91h3evntk5zb66dr.carefit.agency/EP866p5M93wDS513
- http://xat91h3evntk5zb66dr.hotdisk.world/EP866p5M93wDS513
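The leading label of every C&C host above (xat91h3evntk5zb66dr) is the per-victim part of the domain that the behavioural section says also names the file dropped beside the ransom note, so matching these URLs verbatim finds only this one infection. The script below is an added example, not part of the original post: it splits the listed URLs into victim label, registrable domain and path, and hunts over constructed proxy log lines (the timestamps, client IPs and the second victim label are invented) so that other victims of the same infrastructure are caught while a host that merely contains "bankme.date" as a substring is not.

```python
"""Turn the Magniber C&C URLs listed above into hunting indicators and run
them over proxy log lines. The leading host label is generated per victim,
so exact-URL matching misses every other infection; match on the
registrable domain and the URI path instead, and keep the label only as a
secondary signal."""
from urllib.parse import urlsplit

# C&C URLs from the IOC section above.
CNC_URLS = [
    "http://xat91h3evntk5zb66dr.bankme.date/new1",
    "http://xat91h3evntk5zb66dr.bankme.date/end1",
    "http://xat91h3evntk5zb66dr.bankme.date/EP866p5M93wDS513",
    "http://xat91h3evntk5zb66dr.jobsnot.services/EP866p5M93wDS513",
    "http://xat91h3evntk5zb66dr.carefit.agency/EP866p5M93wDS513",
    "http://xat91h3evntk5zb66dr.hotdisk.world/EP866p5M93wDS513",
]


def split_host(host):
    """Split '<label>.<domain>' into (label, domain). Assumes the C&C hosts
    always carry exactly one victim label in front of the registrable
    domain, as every URL in the list does."""
    label, _, domain = host.lower().partition(".")
    return label, domain


def derive_indicators(urls):
    """Return the sets of victim labels, registrable domains and paths."""
    labels, domains, paths = set(), set(), set()
    for u in urls:
        p = urlsplit(u)
        label, domain = split_host(p.hostname)
        labels.add(label)
        domains.add(domain)
        paths.add(p.path)
    return labels, domains, paths


# Constructed proxy log lines (not real logs): "<time> <client> <method> <url> <status>".
# Line 2 is the same campaign infrastructure with a different victim label;
# line 4 is a decoy whose host merely contains "bankme.date" as a substring.
SAMPLE_PROXY_LOG = """\
2017-10-18T09:12:01Z 10.0.0.7 GET http://xat91h3evntk5zb66dr.bankme.date/new1 200
2017-10-18T09:13:44Z 10.0.0.9 GET http://k2m8f7q1zp0bnv3xc4yt.carefit.agency/EP866p5M93wDS513 200
2017-10-18T09:14:02Z 10.0.0.7 GET http://www.example.com/EP866p5M93wDS513 404
2017-10-18T09:15:30Z 10.0.0.12 GET http://bankme.date.example.net/new1 200
"""


def hunt(log_text, urls=CNC_URLS):
    """Return (client, host, reason) for each suspicious request."""
    labels, domains, paths = derive_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        p = urlsplit(url)
        host = (p.hostname or "").lower()
        label, domain = split_host(host)
        if domain in domains:
            # Exact registrable-domain match: strong, whatever the label.
            suffix = "known_label" if label in labels else "new_label"
            hits.append((client, host, f"known_cnc_domain:{suffix}"))
        elif p.path in paths:
            # Known C&C path on unknown infrastructure: weak, review manually.
            hits.append((client, host, "cnc_path_only"))
    return hits


if __name__ == "__main__":
    for client, host, reason in hunt(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {reason}")
```

Note that the decoy host on the last log line is not reported as a known C&C domain even though the string "bankme.date" appears in it: the comparison is on the parsed registrable domain, not a substring search. It still surfaces as a weak path-only hit, which is the right place for an analyst to decide.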
For other new variants, see the link below for details and IOCs.

