Recently, the security researchers at HP’s threat intelligence team have discovered a malicious campaign in which the threat actors are delivering Magniber ransomware and with the help of fraudulent security updates targeted Windows Home users.
A number of fake websites were created by threat actors in September 2022. On those fake websites, fraudulent antivirus and security updates for Windows 10 were promoted and distributed by the threat actors.
A complex infection chain begins with the deployment of the file-encrypting malware that gets downloaded as JavaScript.
In order to receive a decryption tool to be able to recover home users’ files, Magniber ransomware’s operators demanded a payment of up to $2,500 from the victims.
Targeted Versions
This strain focuses exclusively on Windows 10 and Windows 11 builds that are currently available for download. Here below we have mentioned all the targeted versions of Windows 10 and Windows 11:-
| Version Code | Name | Release Date |
| 17134 | Windows 10, Version 1803 | April 30, 2018 |
| 17763 | Windows 10, Version 1809 | November 13, 2018 |
| 18362 | Windows 10, Version 1903 | May 21, 2019 |
| 18363 | Windows 10, Version 1909 | November 12, 2019 |
| 19041 | Windows 10, Version 2004 | May 27, 2020 |
| 19042 | Windows 10, Version 20H2 | October 20, 2020 |
| 19043 | Windows 10, Version 21H1 | May 18, 2021 |
| 19044 | Windows 10, Version 21H2 | November 16, 2021 |
| 20348 | Windows Server 2022, Version 21H2 | August 18, 2021 |
| 22000 | Windows 11, Version 21H2 | October 4, 2021 |
| 22610 | Windows 11 Insider Preview | April 29, 2022 |
| 22621 | Windows 11, Version 22H2 | September 20, 2022 |
| 25115 | Windows 11 Insider Preview | May 11, 2022 |
| 25145 | Windows 11 Insider Preview | June 22, 2022 |
| 25163 | Windows 11 Insider Preview | July 20, 2022 |
Infection Chain
It is important to note that the threat actor used MSI and EXE files in their previous campaign. While the most recent version was based on JavaScript files named as follows:-
- SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
- SYSTEM.Security.Database.Upgrade.Win10.0.jse
- Antivirus_Upgrade_Cloud.29229c7696d2d84.jse
- ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js
The files that are used in this attack are obfuscated and they execute a .NET file in system memory using a variation of the “DotNetToJScript” technique. Consequently, the host’s anti-virus products are less likely to detect this attack.
Before terminating its own process, the .NET file injects the shellcode it decodes into a new script that makes stealthy syscalls using its own wrapper.
Using a bypass for the Windows User Account Control feature, Magniber can take advantage of this option to perform this action. In order to perform this, a registry key has to be created to allow the user to specify the shell command that should be executed.
Then a VBScript script is executed later in the process to delete the shadow copies as is the “fodhelper.exe” utility in a subsequent step.
Once everything is in place, the Magniber ransomware starts encrypting the files, and then it drops the ransom note on the host. However, it has been found that Magniber encrypts specific file types only.
Recommendation
- Make use of administrator accounts only when you need them.
- The most reliable way to update your software is to download it from an authoritative source.
- Make sure you are backing up your data on a regular basis.
