Magniber ransomware

Original Issue Date:- July 18, 2018
Virus Type:- Ransomware
Severity:- Medium

It has been reported that a ransomware family named "Magniber" is spreading. Magniber is distributed through malvertising and compromised websites that redirect the victim to a Magnitude exploit kit landing page.

Malicious Activity:

  • The victim first lands on the Magnitude exploit kit page, which serves obfuscated JavaScript together with a Base64-encoded VBScript, as shown in Figure 1.
  • The attacker then exploits CVE-2018-8174, a remote code execution vulnerability in the Windows VBScript engine, through Internet Explorer. The VBScript executes shellcode.
  • The shellcode acts only as a simple downloader that fetches an obfuscated payload. This payload contains the Magniber ransomware in packed form, which it unpacks and attempts to inject into a legitimate process.
  • Finally, the ransomware encrypts the victim's files with a unique key and appends the .dyaaghemy extension to every encrypted file.
  • While encrypting, Magniber also drops a ransom note that links to the URL of a Tor-based decryption service; the URL embeds the victim's unique ID.



Indicators of Compromise:

IP addresses:

  • 178[.]32[.]62[.]130
  • 94[.]23[.]165[.]192
  • 92[.]222[.]121[.]30
  • 149[.]202[.]112[.]72

Hashes:

  • 6e57159209611f2531104449f4bb86a7621fb9fbc2e90add2ecdfbe293aa9dfc
  • fb6c80ae783c1881487f2376f5cace7532c5eadfc170b39e06e17492652581c2
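The indicators above and the encryption behaviour described under Malicious Activity can be turned into a small triage script. The following Python is an added example written for this page; it is not part of the advisory or of any Magniber analysis tooling. The IP addresses and SHA-256 hashes are copied from the advisory; the proxy log layout, the sample log lines, the temporary files and the ransom note filename are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators copied from the advisory, kept defanged so the list is safe to share.
DEFANGED_IPS = [
    "178[.]32[.]62[.]130",
    "94[.]23[.]165[.]192",
    "92[.]222[.]121[.]30",
    "149[.]202[.]112[.]72",
]
PAYLOAD_SHA256 = {
    "6e57159209611f2531104449f4bb86a7621fb9fbc2e90add2ecdfbe293aa9dfc",
    "fb6c80ae783c1881487f2376f5cace7532c5eadfc170b39e06e17492652581c2",
}
ENCRYPTED_EXT = ".dyaaghemy"  # extension the advisory reports on encrypted files


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 178[.]32[.]62[.]130 back into a dotted quad."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Assumed proxy log layout: "<timestamp> <client_ip> <dest_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_ioc_connections(log_lines):
    """Return (client, dest_ip) pairs for each proxy line whose destination is an IOC IP."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("dest") in IOC_IPS:
            hits.append((m.group("client"), m.group("dest")))
    return hits


def sha256_file(path) -> str:
    """Stream a file through SHA-256 so large payloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_known_payloads(root):
    """Walk a directory tree and return files whose SHA-256 matches an advisory hash."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and sha256_file(p) in PAYLOAD_SHA256]


def find_encryption_activity(root, threshold=5):
    """Return {directory: count} for directories holding at least `threshold` files with
    the Magniber extension. One renamed file is noise; a burst in one folder is the
    mass-encryption pattern described in the advisory."""
    per_dir = Counter()
    for p in Path(root).rglob("*" + ENCRYPTED_EXT):
        if p.is_file():
            per_dir[str(p.parent)] += 1
    return {d: n for d, n in per_dir.items() if n >= threshold}


# Constructed sample lines in the assumed layout; not real traffic.
SAMPLE_PROXY_LOG = [
    "2018-07-18T09:12:01Z 10.0.0.15 178.32.62.130 GET http://178.32.62.130/ 200",
    "2018-07-18T09:12:03Z 10.0.0.15 93.184.216.34 GET http://example.com/ 200",
    "2018-07-18T09:13:40Z 10.0.0.22 94.23.165.192 GET http://94.23.165.192/ 200",
]


def demo():
    """Run all three checks on constructed data and return the results as a dict."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root) / "Documents"
        docs.mkdir()
        for i in range(6):  # six "encrypted" files, mimicking the reported renaming
            (docs / f"report{i}.docx{ENCRYPTED_EXT}").write_bytes(b"\x00" * 32)
        # Placeholder note; the advisory does not give the ransom note's filename.
        (docs / "ransom_note.txt").write_text("constructed placeholder for a ransom note")
        (Path(root) / "notes.txt").write_text("unrelated file")
        return {
            "connections": find_ioc_connections(SAMPLE_PROXY_LOG),
            "known_payloads": find_known_payloads(root),
            "encryption_dirs": {os.path.basename(d): n
                                for d, n in find_encryption_activity(root).items()},
        }


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the two samples listed here; the extension burst check is the more durable of the three, since the packer output changes between campaigns while the on-disk renaming behaviour is what the victim sees.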

Countermeasures and Best practices for prevention:

  • Perform regular backups of all critical information to minimize the loss.
  • Keep the operating system and third-party applications (MS Office, browsers, browser plugins and antivirus) up to date with the latest patches.
  • Use the Microsoft BitLocker full-drive encryption feature to protect against unauthorized data access, for example from a lost or stolen device. Note that BitLocker does not stop ransomware running in a logged-on user's session from encrypting files, so it complements backups rather than replacing them.
  • Follow safe practices when browsing the web. Ensure that web browsers are adequately secured with appropriate content controls.
  • Block e-mail attachments with the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Restrict execution of PowerShell and WSCRIPT in the enterprise environment. Ensure that the latest version of PowerShell (v5.0 at the time of writing) is installed and used, with enhanced logging enabled: script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.

    Reference: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html

  • Enable Windows Defender Application Guard, with designated trusted sites whitelisted, so that all other sites open in an isolated container that blocks access to memory, local storage, other installed applications and any other resources of interest to the attacker.
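The attachment blocklist above, as an added example (written for this page, not from the advisory) of how a mail-gateway check built from it should behave: it normalises the filename the way Windows will, decides on the final extension, and looks inside zip attachments, since archives are not on the list but are the usual container for a .js or .wsf dropper. The extensions in EXTRA_BLOCKED are my addition beyond the advisory's list, and the sample archive is constructed placeholder data.

```python
import io
import re
import zipfile

# Extension list copied from the advisory, in its original pipe-separated form.
ADVISORY_BLOCKLIST = "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf"
# My addition beyond the advisory (assumption, not from the page): common script and
# container types the list does not mention.
EXTRA_BLOCKED = ["vbs", "ps1", "jar", "lnk", "iso"]

BLOCKED_EXTENSIONS = ADVISORY_BLOCKLIST.split("|") + EXTRA_BLOCKED
BLOCKED_RE = re.compile(r"\.(?:" + "|".join(map(re.escape, BLOCKED_EXTENSIONS)) + r")$",
                        re.IGNORECASE)
MAX_NESTED_ZIPS = 2  # stop recursing into zip-in-zip chains beyond this depth


def is_blocked_name(filename: str) -> bool:
    """Decide on the extension Windows will actually use to pick a handler."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path the sender embedded
    name = name.rstrip(". ")  # Windows strips trailing dots and spaces, so "evil.js." is evil.js
    return bool(BLOCKED_RE.search(name))


def blocked_members(data: bytes, depth: int = 0) -> list:
    """List members inside a zip (recursing into nested zips) whose name is blocked.
    Non-zip data yields []. Archives are not on the advisory list, so this is how the
    list still catches 'invoice.zip' carrying 'invoice.pdf.js'."""
    if depth > MAX_NESTED_ZIPS or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_blocked_name(info.filename):
                found.append(info.filename)
            elif info.filename.lower().endswith(".zip"):
                found.extend(f"{info.filename}/{m}"
                             for m in blocked_members(zf.read(info), depth + 1))
    return found


def attachment_verdict(filename: str, data: bytes = b"") -> dict:
    """Combine the name check and the archive check into one gateway decision."""
    reasons = []
    if is_blocked_name(filename):
        reasons.append("blocked extension: " + filename)
    for member in blocked_members(data):
        reasons.append("blocked member inside archive: " + member)
    return {"name": filename, "blocked": bool(reasons), "reasons": reasons}


def build_sample_zip() -> bytes:
    """Constructed attachment: a harmless PDF stand-in plus a double-extension .js
    and a nested zip with a .vbs; the contents are placeholder text, not malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.vbs", "' placeholder text\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.pdf", "%PDF-1.4 placeholder")
        zf.writestr("invoice.pdf.js", "// placeholder text\n")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for name in ["report.pdf", "setup.EXE", "invoice.pdf .exe", "script.js."]:
        print(name, "->", attachment_verdict(name)["blocked"])
    print(attachment_verdict("invoice.zip", build_sample_zip()))
```

Two points worth checking in a real deployment: the advisory's list does not include .vbs, even though the Magniber chain relies on VBScript, and a blocklist keyed only on the outer filename misses anything delivered in a zip, iso or other container, which is why the archive walk is there.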

References: