By Motolani Oseni
A new report has shown that Magniber, a ransomware family that infects individual computers rather than fleets of devices, has been targeting individuals’ computers by masquerading as software updates.
In recent years, ‘big game hunting’ ransomware attacks against enterprises have dominated media headlines because of their high-profile victims and substantial ransom demands.
Yet single-client ransomware can still cause significant damage to individuals and organisations.
An analysis of a ransomware campaign isolated by HP Wolf Security in September 2022 revealed that Magniber, a single-client ransomware family, demands $2,500 from its victims.
Notably, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and sidestepping security tools that rely on user-mode API hooks by issuing system calls directly instead of going through the standard Windows API libraries, the report showed.
The infection chain starts with a web download from an attacker-controlled website, the report stated. The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.
“Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files. The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk.
“This technique bypasses detection and prevention tools that monitor files written to disk and reduces artefacts left on an infected system. The .NET code decodes the shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files.
“Magniber requires administrator privileges to disable the victim’s ability to recover their data, so the malware uses a User Account Control (UAC) bypass to run commands without alerting the user. For this to work, however, the logged-in user must be part of the Administrators group. For the encryption task, the malware enumerates files and checks each file’s extension against a list.
“If the extension is in the list, the file is encrypted. Finally, the malware places a ransom note in each directory with an encrypted file and shows it to the victim by opening the note in a web browser,” HP explained further.
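The chain HP describes above leaves two observable footholds in process-creation telemetry even though the payload itself never touches disk: a Windows script host launching a .js file from a user-writable download location, and the commands that delete shadow copies and disable recovery before encryption starts. The script below is an added detection example, not code from HP Wolf Security or from the report; the Sysmon-style event records are constructed for illustration, and the specific recovery-tampering commands it matches (vssadmin, wmic, bcdedit, wbadmin) are the ones ransomware families commonly use for this step, assumed here rather than taken from the report.

```python
import re

# Script hosts that execute the .js lure delivered inside the ZIP.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_ARG = re.compile(r"\.(js|jse|wsf)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)

# Commands typically used to delete shadow copies and disable Windows recovery.
# Assumed for this example; the report names the behaviour, not the commands.
RECOVERY_TAMPERING = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Constructed process-creation records (Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\update.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    # Parent 50 is not in the event set: the ancestry is broken, as it would be
    # after the process injection and UAC bypass HP describes.
    {"pid": 400, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bcdedit.exe /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe list shadows"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Windows\System32\slmgr.vbs" /dlv'},
]


def image_name(path):
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule labels a single process-creation event triggers."""
    findings = []
    cmd = event["cmdline"]
    if (image_name(event["image"]) in SCRIPT_HOSTS
            and SCRIPT_ARG.search(cmd) and USER_WRITABLE.search(cmd)):
        findings.append("script_host_from_user_writable_path")
    for label, pattern in RECOVERY_TAMPERING:
        if pattern.search(cmd):
            findings.append(label)
    return findings


def ancestors(pid, parent_of):
    """Walk the pid -> ppid map upwards, stopping at unknown pids or cycles."""
    chain, seen = [], set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def analyse(events):
    """Score each event: recovery tampering is high on its own, critical when a
    flagged script host is in its ancestry, and a lone script-host launch is medium."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    hits = {e["pid"]: classify(e) for e in events}
    alerts = []
    for e in events:
        findings = hits[e["pid"]]
        if not findings:
            continue
        severity = "medium"
        if any(f != "script_host_from_user_writable_path" for f in findings):
            severity = "high"
            if any("script_host_from_user_writable_path" in hits.get(a, [])
                   for a in ancestors(e["pid"], parent_of)):
                severity = "critical"
        alerts.append({"pid": e["pid"], "image": image_name(e["image"]),
                       "findings": findings, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["image"], alert["findings"])
```

The ancestry correlation is only a bonus: because the ransomware runs from an injected process and issues its commands through a UAC bypass, the recovery-tampering commands will often appear with a parent that has nothing to do with the script host, so the rules for those commands must be severe enough to act on by themselves, as they are here for pid 400.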