I guess it is time for an explanation of why I made the Defender vs Magniber videos. Although I can determine HOW it occurred only Microsoft itself can explain WHY it occurs. And please forgive in advance if the reader of this post already knows this stuff, but as there may be malware newbies here that want to understand (please god let it be so!!) I'll be as basic as possible:
It starts with the malware author (we'll call her Ophelia). Ophelia has just developed a new mechanism for encrypting files that bypasses all known security applications. As Ophelia's motive is to cash in on this discovery (ransomware) she could just distribute it herself, wait for victims to have their data trashed, and wait for ransom payment and collect all the cash herself.
But as she is just a single individual with limited access to victims, even better may be to sell the ransomware to others on the Darkweb, thus pocketing a bit more cash for herself. But EVEN BETTER is to sell a ransomware builder to folks. Now the pool of potential victims gets larger, Blackhats that can't code for themselves can infect others and collect the ransom, and Ophelia has made it so that SHE would get a piece of the action (usually ~25%) for any ransom paid by the victim of her affiliate.
So with that as a given, let's see how this will work- say we have 2 pre-pubescent Blackhats named Frodo and Sam. Both Frodo and Sam get on the Darkweb and purchase the new Magniber Builder application from Ophelia, the main page of which will look something like this (actually a bit more complicated with encrypt and Decrypt key entries, but I won't go overboard):
Now Frodo will run this compiler on his Win7 system and Sam does the same on his Win11 system, each inserting their own individual Bitcoin information. Now both hit the generate button and quick as a bunny they each have unique samples of Magniber, each of which is only a few bytes different in size. Both release them on the same day to victims and wait. The victims have their data encrypted and get presented with the Ransomware page (like in my video). For Frodo, his victims will have an extension placed on their files and also see this:
For Sam, his victims will see that their files also have an extension on them and will be presented with this ransom page:
Notice the difference? The file extension will differ for Frodo's and Sam's particular Magniber, as well as the addy to send the bitcoin to. But the result is the same- they profit individually for every victim while Ophelia gets a piece of the action from everyone! Smart Kitty, yes?
But an issue occurs- Frodo notices that he stopped making any money 2 weeks after malware release, whereas Sam is still raking it in! What happened?
Well it turns out that Microsoft Defender (on which every victim seems to exclusively rely) actually detected Frodo's Magniber while Sam's is still undetected and going strong. The question is why?
Discussion- Malware-as-a-service, such as what is seen with Magniber, is increasing in popularity. Not only ransomware but also stuff like Qbot are so offered. And although a majority of the variants created are detected by various anti-malware applications, many are not EVEN THOUGH THEY ARE ESSENTIALLY IDENTICAL. With the Magniber we are discussing, the undetected sample seen in my video was in no way MAGIC, just slightly different, so analysis is really pointless as the fault here is in how Defender aspires to defend, and Lord alone knows why it does what it does.
So to sum up- This was the rationale behind the Defender videos, published because no one seems to want to acknowledge this is what is occurring.
(ps- I verified last night after the wine wore off that the Frodo and Sam variant detection difference is still valid)
m