Magniber ransomware now infects Windows users via JavaScript files

Magniber ransomware now infects Windows users via JavaScript files

A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.

Threat actors created in September websites that promoted fake antivirus and security updates for Windows 10. The downloaded malicious files (ZIP archives) contained JavaScript that initiated an intricate infection with the file-encrypting malware.

A report from HP’s threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.

Windows builds targeted by Magniber
Windows builds targeted by Magniber (HP)

In April 2022, Magniber was seen distributed as a Windows 10 update via a network of malicious websites.

In January, the its operators used Chrome and Edge browser updates to push malicious Windows application package files (.APPX).

Magniber’s new infection chain

In previous campaign, the threat actor used MSI and EXE files. For the recent on, it switched to JavaScript files that had the following names:

  • SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
  • SYSTEM.Security.Database.Upgrade.Win10.0.jse
  • Antivirus_Upgrade_Cloud.29229c7696d2d84.jse
  • ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js

These files are obfuscated and use a variation of the “DotNetToJScript” technique to execute a .NET file in the system memory, lowering the risk of detection by antivirus products available on the host.

The .NET file decodes shellcode that uses its own wrapper to make stealthy syscalls, and injects it into a new process before terminating its own.

The shellcode deletes shadow copy files via WMI and disables backup and recovery features through “bcdedit” and “wbadmin.” This increases the chances of getting paid as victims have one less option to recover their files.

To perform this action, Magniber uses a bypass for the User Account Control (UAC) feature in Windows.

It relies on a mechanism that involves creating of a new registry key that allows specifying a shell command. In a later step, the “fodhelper.exe” utility is executed to run a script for deleting the shadow copies.

UAC bypass process
UAC bypass process (HP)
VBScript that deletes shadow copies
VBScript that deletes shadow copies and disables restore functions (HP)

Finally, Magniber encrypts the files on the host and drops the ransom notes containing instructions for the victim to restore their files.

Magniber's new infection chain
Magniber’s new infection chain (HP)

HP’s analysts noticed that while Magniber attempts to limit the encryption only to specific file types, the pseudohash it generates during the enumeration isn’t perfect, which results in hash collisions and “collateral damage”, i.e., encrypting non-targeted file types as well.

Home users can defend against a ransomware attack by making regular backups for their files and to keep them on an offline storage device. This allows recovery of the data onto a freshly installed operating system.

Before restoring the data, users should make sure tha their backups were not been infected.

Finally, the ransomware tells the victim about what happened and how they can decrypt their data by dropping an HTML ransom note in every directory that contains an encrypted file. To make sure the user sees the demand, Magniber also opens the note in a web browser.

Figure 10 – Magniber ransom note

HOW TO PROTECT YOURSELF

Home users can protect themselves from ransomware campaigns like this one by following this simple advice:

  • Follow the principle of least privilege by only using administrator accounts if you really need to. Many home users have administrator privileges but rarely need them.
  • Download software updates from trusted sources. The campaign depends on tricking people into opening fake software updates. Only download updates from trustworthy sources such as Windows Update and official software vendor websites.
  • Back up your data regularly. Backing up your data will give you peace of mind should the worst happen.

CONCLUSION

Even though Magniber does not fall into the category of Big Game Hunting, it can still cause significant damage. Home users were the likely target of this malware based on the supported operating system versions and UAC bypass. The attackers used clever techniques to evade protection and detection mechanisms. Most of the infection chain is “fileless”, meaning the malware only resides in memory, reducing the chances of it being detected. Magniber also bypasses detection techniques that rely on user-mode hooks because it uses syscalls instead of standard Windows API libraries. With the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.

INDICATORS OF COMPROMISE (IOCS)

Reference Magniber JavaScript sample used for our analysis:
934cfeb5ee3d2ba49831d76dffb1a2658326e1cd90b50779d6670eb2fbdc7ed1

Magniber JavaScript files:
6155453a58b0ba360fd18a32d838c4452fec374c364824b50447500c8fd12e80
5b2a5ac50977f41ac27590395bb89c1afd553e58f2979b680d545bff1530a17b
79590d91e9131918df458221e8fcb9c5e33d0200f05f9704dcf88167a5515b3f
7064eab88837bc68b8c5076300170cd73dbea046c9594b588779082396dbfe4c
a292ff42e0e1b58b13c867d2c94da2a5d34caa2e9c30b63610f7e12be5e7d3d9
dfa32d8ed7c429b020c0581148a55bc752c35834d7a2b1bae886f2b436285c94
c1d1402226179c66570d66290dff2238b6a9f918c81267a61d58f4807f0d911c
56fb0d5e2e216f2b4d9846517d9ed23b69fba4f19f2bad71cdce47d9081642eb
92ec900b0aa0f8a335cf63d4f313729da2831ffc7d15985adf2d98f2c85c3783
c7729a7817a3d63f71d6c9066bd87192d07992ae57fc3d3e6d0e67c5ab9fb213
9d665f87440c22e3ae209308e3712a83a67932643be019e18b1ae00dc4ab8cbd
b12461bdd88bb2a7f56d11324272ae2a766d560371b2725be6f9d3175fb32f8c
abeec5267f6eb9fc9f01f4688a53e83c87898845767b8cd8599c75dbce1766a8
aeee31c3649724686cb9ad17fe1ee2b70b1ad1b6cd77cb8b1997aa6e75d49cc5
1eba630a870ce1aa840219d77e280cfd05d3d5e5cdea6f382c1c2b8b14ddf04d
54a5b06060639a483a8f6c80c8f095fb41e3eb5e7c02c3ad4ba29ee3a9ed7aab
76c012f134e81138fb37ac3638488f309662efcc9bb4011ff8e54869f26bb119
56d301fe7a6b1a9e21898162b0dada9ff12878c539591052919fabcc36d28541
4936cf896d0e76d6336d07cc14fbe8a99fbe10ad3e682dbc12fdfe7070fd1b24
6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c
05cf26eaea577417804075a2458ac63f58a56b7612653d3a4c2ce8fa752bd418
266f930572d3006c36ba7e97b4ffed107827decd7738a58c218e1ae5450fbe95
9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6
98d96f56deaec6f0324126fcdd79fd8854d52ac2996d223d0cb0ab4cff13ff7c
0c5956b7f252408db7e7b0195bb5419ad3b8daa45ec1944c44e3ec1cca51920f
c4f9dbff435d873b4e8ecbab8c1b7d2dbdb969ac75af4b1d325e06eb4e51b3ad
5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
d0375fc9cbb564fb18e0afea926c7faf50464b9afb329913dd5486c7cbb36e2e
ad89fb8819f98e38cddf6135004e1d93e8c8e4cba681ba16d408c4d69317eb47
99f0e7f06831c6283f5f4dc261a7bcbe4109b4a6717b534c816ca65cd2f05dc4
b81f76bd5c6e66b9b3a4f2828e58d557091475bed656c9a8d13c8c0e4b7f3936
c6f1da2490fe78b1f281a98c32d6fa88d675598e658d4e660274047e36f1b189
dd30688a0e5ac08fc547f44b60f13ef664654c9a8977f7a5f8f619b08c09620b
c0bf9153ce1641791b357fdb5c2c596fbbf15991a86f510cc444bdb477574d44
bf50794c33eebc9dc2ce3902fe29f683a37da50de3654a2775baa74d0bbd1188
b8e76ad7c7857d9985b15dcd064664d198db7201cb9eb6a0e53d81b6002f7d29
cc1ce8c687450b082dd19a6c5d868f5798e52422172f91ee4b70cb5ffd9f6fcd
a587172f1bbe665cdfc0cbcec54e72d8b9048c77f344ba5076a17fbf620597de
c4560eee4b02dc0ef087e48848cc83b270068d167f613f04d43a64025e72c09f
82fcea3c48509a1724c0a6ded9e3d3cab775a86588119c35b79355105bd828c4
e993e4ddd05007e62e6e2d00e70927933446ff4bcae2b559bb6be3bc5e4ad2d8
5b513dfd8f94f9b6e962eb691caa56d52ab4453369108ae3b572e2ee7f9b555d
d2d3fbfa73dfeb73a6f5c59fefab8dd99dcff58cefeb0d3b3b1c1a8854178933
d80d90ef631bb60b773bf1211f3c53c1cac043674c85eb65dbc457656ba5d4cc
757cd5b65155cd115b71021685fcc52a42ee80aca247ea68f41aa0d82dc20fc0
bba85d79db69db1b638e24e0a426ccccdc5c95875b8c3a26aa959cce3f6c8575
beb5e1c5ba835f29e272b2942b27b63f6f15647f3da51754fcf53c277e0eccf7
f41ec94f9d0c7480df2196b3fc5493599d50de222d2c903b173db3e7caff8747
397aa7bcc4a574dc30f0a491e03be15da55fa898624c7b15d0197e72802d048d
6b18a287aa2c170605409a4675fd600d0597623d174445aaea5a2279bee0c145
46d8d6230083254fa324299fc609125ee404e4bbdd3936ddc0235ae21479b655
e8663c5c28d8591f06eb7995e0f22b7ae7909f9431786f8557f2c081e0e79fad
d3f626d3e533f3b4aa0599c231210d53f709c46f0cfc3d28f0303df544a39b1b
814061567356daf6306eb673cfb97cab264c798320bf1b432d396b66393adf83
2c93879d024238d23270fab734a5ba530bfba2d35b44d265c8be3c93ff8cf463
3055baf30466f1c0f4cd5b78d05fe32ef7fd406dead3ecfcbdef464fdee551b8
568e1e3d55a6146f0f899159c3a5183362b8b13304109b49f7394a9fe8c69ea7
932d2330dc3c1366a8e956183858246c4052027cae1590d2211186be648fdcf4
dfabd6462ab2ecb9fb0cea7caa257841a751c1e91118168ef5a082cf8a25210f
fbd69303e6255aae830daba957c8ef62eb6d23340274eb8058826a08e82773db
123d7744a407af376b4ee4402ff8bee588b40540bcfba22fb64768d1de8c1861

Magniber encrypts files with these extensions:
{
“1”: [“c”, “h”, “j”, “p”, “x”],

“2”: [“ai”, “ca”, “cd”, “cf”, “cs”, “ct”, “db”, “dd”, “dt”, “dv”, “dx”, “em”, “ep”, “eq”, “fa”, “fb”, “fi”, “fo”, “gv”, “hp”, “hs”, “hz”, “ib”, “ii”, “js”, “jw”, “ma”, “mb”, “me”, “mm”, “mx”, “my”, “of”, “pa”, “pm”, “pu”, “px”, “qd”, “rb”, “rd”, “rs”, “rt”, “rw”, “sh”, “sq”, “st”, “te”, “tm”, “vb”, “vm”, “vw”, “wn”, “wp”, “xd”, “ya”, “ym”, “zw”],

“3”: [“hpi”, “icn”, “idc”, “idx”, “igt”, “igx”, “ihx”, “iiq”, “ocr”, “abm”, “abs”, “abw”, “act”, “adn”, “adp”, “aes”, “aft”, “afx”, “agp”, “ahd”, “aic”, “aim”, “alf”, “ans”, “apd”, “apm”, “aps”, “apt”, “apx”, “art”, “arw”, “asc”, “ase”, “ask”, “asm”, “asp”, “asw”, “asy”, “aty”, “awp”, “awt”, “aww”, “azz”, “bad”, “bay”, “bbs”, “bdb”, “bdp”, “bdr”, “bib”, “bmx”, “bna”, “bnd”, “boc”, “bok”, “brd”, “brk”, “brn”, “brt”, “bss”, “btd”, “bti”, “btr”, “can”, “cdb”, “cdc”, “cdg”, “cdr”, “cdt”, “cfu”, “cgm”, “cin”, “cit”, “ckp”, “cma”, “cmx”, “cnm”, “cnv”, “cpc”, “cpd”, “cpg”, “cpp”, “cps”, “cpx”, “crd”, “crt”, “crw”, “csr”, “csv”, “csy”, “cvg”, “cvi”, “cvs”, “cvx”, “cwt”, “cxf”, “cyi”, “dad”, “daf”, “dbc”, “dbf”, “dbk”, “dbs”, “dbt”, “dbv”, “dbx”, “dca”, “dcb”, “dch”, “dcr”, “dcs”, “dct”, “dcx”, “dds”, “ded”, “der”, “dgn”, “dgs”, “dgt”, “dhs”, “dib”, “dif”, “dip”, “diz”, “djv”, “dmi”, “dmo”, “dnc”, “dne”, “doc”, “dot”, “dpp”, “dpx”, “dqy”, “drw”, “drz”, “dsk”, “dsn”, “dsv”, “dta”, “dtw”, “dvi”, “dwg”, “dxb”, “dxf”, “eco”, “ecw”, “ecx”, “edb”, “efd”, “egc”, “eio”, “eip”, “eit”, “emd”, “emf”, “epf”, “epp”, “eps”, “erf”, “err”, “etf”, “etx”, “euc”, “exr”, “faq”, “fax”, “fbx”, “fcd”, “fcf”, “fdf”, “fdr”, “fds”, “fdt”, “fdx”, “fes”, “fft”, “fic”, “fid”, “fif”, “fig”, “flr”, “fmv”, “fpt”, “fpx”, “frm”, “frt”, “frx”, “ftn”, “fxc”, “fxg”, “fzb”, “fzv”, “gdb”, “gem”, “geo”, “gfb”, “ggr”, “gih”, “gim”, “gio”, “gpd”, “gpg”, “gpn”, “gro”, “grs”, “gsd”, “gtp”, “gwi”, “hbk”, “hdb”, “hdp”, “hdr”, “hht”, “his”, “hpg”, “htc”, “hwp”, “ibd”, “imd”, “ink”, “ipf”, “ipx”, “itw”, “iwi”, “jar”, “jas”, “jbr”, “jia”, “jis”, “jng”, “joe”, “jpe”, “jps”, “jpx”, “jsp”, “jtf”, “jtx”, “jxr”, “kdb”, “kdc”, “kdi”, “kdk”, “kes”, “key”, “kic”, “klg”, “knt”, “kon”, “kpg”, “kwd”, “lay”, “lbm”, “lbt”, “ldf”, “lgc”, “lis”, “lit”, “ljp”, “lmk”, “lnt”, “lrc”, “lst”, “ltr”, “ltx”, “lue”, “luf”, “lwo”, “lwp”, “lws”, “lyt”, “lyx”, “lzf”, “mac”, “man”, “map”, “maq”, “mat”, “max”, “mbm”, “mdb”, “mdf”, “mdn”, “mdt”, “mef”, “mel”, “mft”, “min”, “mnr”, “mnt”, “mos”, “mpf”, “mpo”, “mrg”, “msg”, “mud”, “mwb”, “mwp”, “myd”, “myi”, “ncr”, “nct”, “ndf”, “nef”, “nfo”, “njx”, “nlm”, “now”, “nrw”, “nsf”, “nyf”, “nzb”, “obj”, “oce”, “oci”, “odb”, “odg”, “odm”, “odo”, “odp”, “ods”, “odt”, “oft”, “omf”, “oqy”, “ora”, “orf”, “ort”, “orx”, “ost”, “ota”, “otg”, “oti”, “otp”, “ots”, “ott”, “ovp”, “ovr”, “owc”, “owg”, “oyx”, “ozb”, “ozj”, “ozt”, “pan”, “pap”, “pas”, “pbm”, “pcd”, “pcs”, “pdb”, “pdd”, “pdf”, “pdm”, “pds”, “pdt”, “pef”, “pem”, “pff”, “pfi”, “pfs”, “pfv”, “pfx”, “pgf”, “pgm”, “phm”, “php”, “pic”, “pix”, “pjt”, “plt”, “pmg”, “pni”, “pnm”, “pnz”, “pop”, “pot”, “ppm”, “pps”, “ppt”, “prt”, “prw”, “psd”, “pse”, “psp”, “pst”, “psw”, “ptg”, “pth”, “ptx”, “pvj”, “pvm”, “pvr”, “pwa”, “pwi”, “pwr”, “pxr”, “pza”, “pzp”, “pzs”, “qmg”, “qpx”, “qry”, “qvd”, “rad”, “ras”, “raw”, “rcu”, “rdb”, “rft”, “rgb”, “rgf”, “rib”, “ric”, “ris”, “rix”, “rle”, “rli”, “rng”, “rpd”, “rpf”, “rpt”, “rri”, “rsb”, “rsd”, “rsr”, “rst”, “rtd”, “rtf”, “rtx”, “run”, “rzk”, “rzn”, “saf”, “sam”, “sbf”, “scc”, “sch”, “sci”, “scm”, “sct”, “scv”, “scw”, “sdb”, “sdf”, “sdm”, “sdw”, “sep”, “sfc”, “sfw”, “sgm”, “sig”, “skm”, “sla”, “sld”, “slk”, “sln”, “sls”, “smf”, “sms”, “snt”, “sob”, “spa”, “spe”, “sph”, “spj”, “spp”, “spq”, “spr”, “sqb”, “srw”, “ssa”, “ssk”, “stc”, “std”, “sti”, “stm”, “stn”, “stp”, “str”, “stw”, “sty”, “sub”, “suo”, “svf”, “svg”, “sxc”, “sxd”, “sxg”, “sxi”, “sxm”, “sxw”, “tab”, “tcx”, “tdf”, “tdt”, “tex”, “thp”, “tlb”, “tlc”, “tmd”, “tmv”, “tmx”, “tne”, “tpc”, “trm”, “tvj”, “udb”, “ufr”, “unx”, “uof”, “uop”, “uot”, “upd”, “usr”, “vbr”, “vbs”, “vct”, “vdb”, “vdi”, “vec”, “vmx”, “vnt”, “vpd”, “vrm”, “vrp”, “vsd”, “vsm”, “vue”, “wbk”, “wcf”, “wdb”, “wgz”, “wks”, “wpa”, “wpd”, “wpg”, “wps”, “wpt”, “wpw”, “wri”, “wsc”, “wsd”, “wsh”, “wtx”, “xar”, “xdb”, “xlc”, “xld”, “xlf”, “xlm”, “xls”, “xlt”, “xlw”, “xps”, “xwp”, “xyp”, “xyw”, “ybk”, “zdb”, “zdc”],

“4”: [“agif”, “albm”, “apng”, “awdb”, “bean”, “cals”, “cdmm”, “cdmt”, “cdmz”, “cimg”, “clkw”, “colz”, “djvu”, “docb”, “docm”, “docx”, “docz”, “dotm”, “dotx”, “dtsx”, “emlx”, “epsf”, “fdxt”, “fodt”, “fpos”, “fwdn”, “gcdp”, “gdoc”, “gfie”, “glox”, “grob”, “gthr”, “icon”, “icpr”, “idea”, “info”, “itdb”, “java”, “jbig”, “jbmp”, “jfif”, “jrtf”, “kdbx”, “mbox”, “mgcb”, “mgmf”, “mgmt”, “mgmx”, “mgtx”, “mmat”, “mrxs”, “oplc”, “pano”, “pict”, “pjpg”, “pntg”, “pobj”, “potm”, “potx”, “ppam”, “ppsm”, “ppsx”, “pptm”, “pptx”, “psdx”, “psid”, “rctd”, “riff”, “scad”, “sdoc”, “sldm”, “sldx”, “svgz”, “text”, “utxt”, “vsdm”, “vsdx”, “vstm”, “vstx”, “wire”, “wmdb”, “xlgc”, “xlsb”, “xlsm”, “xlsx”, “xltm”, “xltx”, “zabw”],

“5”: [“accdb”, “class”]
}

Magniber domains:
totwo[.]pw
ittakes[.]fun
catat[.]site
tinpick[.]online
pirlay[.]fun
buyaims[.]online
orhung[.]space
actsred[.]site