Friday, February 14, 2025
HomeRansomwareBeware!! Magniber Ransomware Delivered via Microsoft Edge and Google Chrome as an...

Beware!! Magniber Ransomware Delivered via Microsoft Edge and Google Chrome as an Update

Published on

SIEM as a Service

Follow Us on Google News

In an ongoing campaign, the threat actors are distributing Magniber ransomware as an update through modern web browsers.

Cybersecurity researchers at ASEC have closely monitored Magniber and reported that to deploy this ransomware the operators behind it are actively exploiting the Internet Explorer (IE) vulnerabilities for the last couple of years.  

But, now apart from Internet Explorer (IE), currently, the hackers are also exploiting the modern web browsers:- 

  • Microsoft Edge
  • Google Chrome

Technical Analysis

In the image below the distribution pages are shown that are opened in Microsoft Edge and Google Chrome, prompting users to install the fake update package with “.appx” extension. 

This fake Chrome or Edge’s Windows update package with .appx extension contains an authentic certificate which makes it look legit and allows the installation of the fake package.

Later, in the child paths of C:\Program Files\WindowsApps when the fake downloaded APPX package was executed, it automatically puts the maliciously crafted EXE and DLL files with the following name:-

  • For EXE file: wjoiyyxzllm.exe
  • For DLL file: wjoiyyxzllm.dll

Now here at this stage, the wjoiyyxzllm.exe file loads the wjoiyyxzllm.dll to execute a distinct function that is dubbed as “mbenooj.” After completing these stages now the Magniber ransomware gets deployed from the memory of wjoiyyxzllm.exe.

Once deployed, the ransomware starts encrypting all the files present on the user’s system and leaves a ransom note after completing the encryption procedure.

Now if you are thinking that why “APPX” files were chosen by the threat actors? They chose the APPX files due to their wide usage. However, in the below video you can see the whole thing in action.

Moreover, if anyone wants to decrypt the files encrypted by Magniber ransomware for free of cost then it’s not possible to do so. Before encrypting the system the Magniber ransomware do not steal any files, since it did not embrace the double extortion tactic in its operation. 

So, for now, the best solution to mitigate such attacks is to back up the data on a regular basis.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

New Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild

A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly...

Burp Suite Professional / Community 2025.2 Released With New Built-in AI Integration

PortSwigger has announced the release of Burp Suite Professional and Community Edition 2025.2, introducing...

Arbitrary File Upload Vulnerability in WordPress Plugin Let Attackers Hack 30,000 Website

A subgroup of the Russian state-sponsored hacking group Seashell Blizzard, also known as Sandworm,...

BadPilot Attacking Network Devices to Expand Russian Seashell Blizzard’s Attacks

A newly uncovered cyber campaign, dubbed "BadPilot," has been linked to a subgroup of...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Palo Alto Firewall Flaw Exploited in RA World Ransomware Attacks

A recent ransomware attack leveraging a vulnerability in Palo Alto Networks' PAN-OS firewall software...

ZeroLogon Ransomware Exploits Windows AD to Hijack Domain Controller Access

A newly intensified wave of ransomware attacks has surfaced, leveraging the infamous ZeroLogon vulnerability...

Cl0p Ransomware Hide Itself on Compromised Networks After Exfiltrate the Data

The Cl0p ransomware group, a prominent player in the cybercrime landscape since 2019, has...