Magniber ransomware now infects Windows users via JavaScript files

SeriousHoax

Level 47
Thread author
Well-known
Mar 16, 2019
3,630
A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.

Threat actors created in September websites that promoted fake antivirus and security updates for Windows 10. The downloaded malicious files (ZIP archives) contained JavaScript that initiated an intricate infection with the file-encrypting malware.

A report from HP's threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.

[Figure: Windows builds targeted by Magniber (HP)]

In April 2022, Magniber was seen distributed as a Windows 10 update via a network of malicious websites.

In January, its operators used Chrome and Edge browser updates to push malicious Windows application package files (.APPX).

Magniber's new infection chain

In previous campaigns, the threat actor used MSI and EXE files. For the recent one, it switched to JavaScript files that had the following names:

  • SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
  • SYSTEM.Security.Database.Upgrade.Win10.0.jse
  • Antivirus_Upgrade_Cloud.29229c7696d2d84.jse
  • ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js
These files are obfuscated and use a variation of the "DotNetToJScript" technique to execute a .NET file in the system memory, lowering the risk of detection by antivirus products available on the host.

The .NET file decodes shellcode that uses its own wrapper to make stealthy syscalls, and injects it into a new process before terminating its own.

The shellcode deletes shadow copy files via WMI and disables backup and recovery features through "bcdedit" and "wbadmin." This increases the chances of getting paid as victims have one less option to recover their files.

To perform this action, Magniber uses a bypass for the User Account Control (UAC) feature in Windows.

It relies on a mechanism that involves creating a new registry key that allows specifying a shell command. In a later step, the "fodhelper.exe" utility is executed to run a script for deleting the shadow copies.

[Figure: UAC bypass process (HP)]
[Figure: VBScript that deletes shadow copies and disables restore functions (HP)]

Finally, Magniber encrypts the files on the host and drops the ransom notes containing instructions for the victim to restore their files.

[Figure: Magniber's new infection chain (HP)]

HP's analysts noticed that while Magniber attempts to limit the encryption only to specific file types, the pseudohash it generates during the enumeration isn't perfect, which results in hash collisions and "collateral damage", i.e., encrypting non-targeted file types as well.

Home users can defend against a ransomware attack by making regular backups of their files and keeping them on an offline storage device. This allows recovery of the data onto a freshly installed operating system.

Before restoring the data, users should make sure that their backups have not been infected.
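
A defender's view of the chain described in this post, as an added example that is not part of the original post or of HP's report: a triage pass over process-creation events that flags a script host running a .js/.jse file, any child process of fodhelper.exe, and bcdedit/wbadmin invocations that disable recovery. The event records, paths and rule names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style), not from the HP report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_upd.zip\SYSTEM.Security.Database.Upgrade.Win10.0.jse"'},
    {"parent": r"C:\Windows\System32\fodhelper.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe /B "C:\Users\Public\example.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": r"bcdedit /set {default} recoveryenabled no"},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmd": r"wbadmin delete catalog -quiet"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": r"bcdedit /enum"},  # benign admin query, must not alert
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js or .jse argument (not .json) handed to a script host.
JS_ARG = re.compile(r'\.jse?(?=["\s]|$)', re.I)
# Arguments that switch off recovery or delete backups, keyed by tool.
INHIBIT = {
    "bcdedit.exe": re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I),
    "wbadmin.exe": re.compile(r"\bdelete\s+(catalog|systemstatebackup|backup)\b", re.I),
}

def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def triage(event):
    """Return the names of the rules that one event matches."""
    hits = []
    image, parent, cmd = base(event["image"]), base(event["parent"]), event["cmd"]
    if image in SCRIPT_HOSTS and JS_ARG.search(cmd):
        hits.append("script-host-runs-js")   # the .js/.jse lure being opened
    if parent == "fodhelper.exe":
        hits.append("fodhelper-child")       # auto-elevating binary spawning a process
    rule = INHIBIT.get(image)
    if rule and rule.search(cmd):
        hits.append("inhibit-recovery")      # backup/recovery features being disabled
    return hits

def scan(events):
    """Return (index, rule names) for every event that matched at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := triage(e))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, ", ".join(hits), "|", SAMPLE_EVENTS[index]["cmd"])
```

Shadow-copy deletion through WMI, as described in the post, does not necessarily appear as a separate process, so this pass covers only the steps that leave a process-creation record.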

 

TedCruz

Level 5
Aug 19, 2022
176

Oh good, and here I was thinking that average Joe is safe from Java ransomware.
 

ForgottenSeer 95367

The general consensus here at MT's has been for some time that a home user need not worry about this type of threat and I still think you would have to go out of your way to be infected by this one but, there it is.
There's a significant portion of the population that are clueless. They are the reason that the malware problem is as bad as it is.

And I'm going to add that admins can be every bit as clueless.
 

TedCruz

Level 5
Aug 19, 2022
176
There's a significant portion of the population that are clueless. They are the reason that the malware problem is as bad as it is.

And I'm going to add that admins can be every bit as clueless.
Have you ever attempted to deal with a wife who just came home from a 36 hour hospital shift because 3 of her patients had COVID and required emergency C-sections before they went on ECMO resulting with moms never seeing their babies (late 2020 early 2021 time period) and all she wanted to do is watch some Disney+ but alas one of the NextDns filters you subscribe to decided to somehow block a portion of Disney+ auth servers so now you are playing an egg hunt through the log files?! In the end you give up and just switch the TV to 8.8.8.8 DNS so your wife can decompress. Happy wife happy life.

Sometimes it's not people that are stupid it's the situations.


I apologize if this post seems like I am picking on you, I am just using your comment as an example when even an IT situational aware person could be forced into making a dumb "mistake".
 

Antimalware18

Level 10
Verified
Well-known
Jan 17, 2014
485
And I'm going to add that admins can be every bit as clueless.

I second this. Back when I was in my junior/senior year of high school I went to a vocational school. Now at this vocational school they gave us laptops to work on and these laptops were ancient. Old IBM ThinkPads with Windows XP and only 512 MB of RAM.
These laptops came with Symantec Endpoint, but I was looking through its settings one day when I had some down time and it was only set to receive 1 update a week.

Edit: this was back in 07-08 so not like early 00's and we were allowed to take these laptops home and use them there.
 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,448

Broken code signature? LGTM, says Microsoft OS

A cybersecurity firm has issued another unofficial patch to squash a bug in Windows that Microsoft has yet to fix, with this hole being actively exploited to spread ransomware.…

Rewind to October 17, and Acros Security released a small binary patch to address a flaw in Microsoft's Mark-of-the-Web (MotW) feature. This feature is supposed to set a flag in the metadata for files obtained from the internet, USB sticks, and other untrusted sources. This flag ensures that when those files are opened, extra security protections kick in, such as Office blocking macros from running or the operating system checking that the user really did want to run that .exe.
 
