Wednesday, May 22, 2024

Magniber Ransomware Weaponizes JavaScript to Attack Windows Users

Security researchers at HP’s threat intelligence team have recently uncovered a malicious campaign in which threat actors deliver the Magniber ransomware to Windows Home users under the guise of fraudulent security updates.

In September 2022 the threat actors set up a number of fake websites on which fraudulent antivirus and security updates for Windows 10 were promoted and distributed.

The infection chain is complex and begins when the victim downloads the file-encrypting malware in the form of a JavaScript file.

Magniber’s operators demanded a payment of up to $2,500 from victims in exchange for a decryption tool that lets home users recover their files.

Targeted Versions

This strain focuses exclusively on the Windows 10 and Windows 11 builds that are currently available for download. The targeted versions are listed below:-

Version Code   Name                                Release Date
17134          Windows 10, Version 1803            April 30, 2018
17763          Windows 10, Version 1809            November 13, 2018
18362          Windows 10, Version 1903            May 21, 2019
18363          Windows 10, Version 1909            November 12, 2019
19041          Windows 10, Version 2004            May 27, 2020
19042          Windows 10, Version 20H2            October 20, 2020
19043          Windows 10, Version 21H1            May 18, 2021
19044          Windows 10, Version 21H2            November 16, 2021
20348          Windows Server 2022, Version 21H2   August 18, 2021
22000          Windows 11, Version 21H2            October 4, 2021
22610          Windows 11 Insider Preview          April 29, 2022
22621          Windows 11, Version 22H2            September 20, 2022
25115          Windows 11 Insider Preview          May 11, 2022
25145          Windows 11 Insider Preview          June 22, 2022
25163          Windows 11 Insider Preview          July 20, 2022

Infection Chain

It is important to note that the threat actor used MSI and EXE files in their previous campaign, whereas the most recent version is delivered as JavaScript files with names such as the following:-

  • SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
  • SYSTEM.Security.Database.Upgrade.Win10.0.jse
  • Antivirus_Upgrade_Cloud.29229c7696d2d84.jse
  • ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js

The files used in this attack are obfuscated, and they execute a .NET file in system memory using a variation of the “DotNetToJScript” technique. Because the .NET file is run from memory, the host’s anti-virus products are less likely to detect the attack.

Before terminating its own process, the .NET file decodes shellcode and injects it into a new script; the shellcode makes stealthy syscalls through its own wrapper.

To run with elevated privileges, Magniber uses a bypass for the Windows User Account Control (UAC) feature. The bypass relies on creating a registry key through which the shell command to be executed can be specified.

A VBScript that deletes the shadow copies is then executed later in the chain, as is the built-in “fodhelper.exe” utility in a subsequent step.

Once everything is in place, the Magniber ransomware starts encrypting files and then drops the ransom note on the host. Note, however, that Magniber encrypts specific file types only.
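The stages above (a script host running the fake update, a registry key staged for the fodhelper.exe UAC bypass, fodhelper.exe launched by or launching an interpreter, and the shadow copy deletion) can each be turned into a simple detection rule. The following is an added example, not code from the article or from HP’s report: it runs a handful of such rules over constructed Sysmon-style process and registry events. The event layout, the registry path (the one commonly documented for the fodhelper.exe bypass) and all sample events are assumptions; the filename regex generalizes from the four filenames listed in this section.

```python
"""Detection pass over constructed Sysmon-style events for the stages of the
Magniber chain described above. Added example; event shape, registry path and
sample data are assumptions, not data from the article or the HP report."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (process creation) or "registry" (value set)
    image: str = ""      # full path of the created process
    parent: str = ""     # full path of its parent process
    cmdline: str = ""    # command line as logged
    target: str = ""     # registry object path for "registry" events


# Filenames reported in the article; the regex generalises their naming scheme:
# an alarming prefix, an "Upgrade"/"Update" token and a .js/.jse extension.
PAGE_FILENAMES = [
    "SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js",
    "SYSTEM.Security.Database.Upgrade.Win10.0.jse",
    "Antivirus_Upgrade_Cloud.29229c7696d2d84.jse",
    "ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js",
]
FAKE_UPDATE_NAME = re.compile(
    r"(SYSTEM|ALERT|Antivirus)[._]\S*(Upgrade|Update)\S*\.jse?\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed: the per-user registry path commonly documented for the fodhelper.exe
# UAC bypass; it does not exist on a clean system.
UAC_HIJACK_KEY = r"\software\classes\ms-settings\shell\open\command"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list:
    """Return the labels of every rule the event triggers (empty if benign)."""
    hits = []
    if ev.kind == "process":
        img, parent, low = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
        # Stage 1: a script host running a file named like the fake updates.
        if img in SCRIPT_HOSTS and FAKE_UPDATE_NAME.search(ev.cmdline):
            hits.append("fake-update-script")
        # Stage 3: the auto-elevating helper started by a script host ...
        if img == "fodhelper.exe" and parent in SCRIPT_HOSTS:
            hits.append("fodhelper-from-script")
        # ... or spawning an interpreter, which it does not do legitimately.
        if parent == "fodhelper.exe" and img in SCRIPT_HOSTS + ("cmd.exe", "powershell.exe"):
            hits.append("fodhelper-child")
        # Stage 4: shadow copy removal, whichever tool the script uses for it.
        if "delete shadows" in low or "win32_shadowcopy" in low:
            hits.append("shadow-copy-deletion")
    elif ev.kind == "registry" and UAC_HIJACK_KEY in ev.target.lower():
        # Stage 2: the key that fodhelper.exe consults is being staged.
        hits.append("uac-bypass-staging")
    return hits


def scan(events) -> list:
    """(event index, label) pairs for every rule hit, in event order."""
    return [(i, label) for i, ev in enumerate(events) for label in check_event(ev)]


# Constructed sample telemetry (not real logs) following the chain in order.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Windows\explorer.exe", "chrome.exe --type=renderer"),
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js"'),
    Event("registry", target=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\shell\open\command\(Default)"),
    Event("process", r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\wscript.exe",
          r"C:\Windows\System32\fodhelper.exe"),
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\fodhelper.exe",
          r'"C:\Windows\System32\wscript.exe" //B "C:\Users\alice\AppData\Local\Temp\cleanup.vbs"'),
    Event("process", r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\wscript.exe",
          r"vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Run against the constructed events, the benign browser launch produces no hit and each of the five attack-stage events produces exactly one, so the chain can be reconstructed in order from the labels. The rules are deliberately narrow (parent/child relationships and a fixed registry path) so that they stay quiet on normal administrative activity; the filename regex is the noisiest of the five and is best used as an enrichment on the script-host rule rather than on its own.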

Recommendation

The recommendations are as follows:-

  • Make use of administrator accounts only when you need them.
  • The most reliable way to update your software is to download updates from an authoritative source.
  • Make sure you are backing up your data on a regular basis.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.