Recent research shows that Magniber ransomware has been targeting home users by masquerading as software updates.
A ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims.
Previously, Magniber was primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.
“Some malware families, such as Vjw0rm and GootLoader, rely solely on JavaScript, but have done so for some time,” Patrick Schläpfer, malware analyst at HP Wolf Security, told Infosecurity. “Currently, we’re also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also uses JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.”
Notably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and evading detection tools that rely on user-mode hooks by issuing syscalls directly instead of calling the standard Windows API libraries.
With the UAC bypass, the malware deletes the infected system’s shadow copies and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.
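The shadow-copy deletion and recovery tampering described above leave a footprint in process-creation telemetry even when the ransomware itself runs in memory. The following is an added detection example, not code from HP Wolf Security or from the Magniber sample: it classifies command lines against the commands commonly used to destroy shadow copies and disable recovery (vssadmin, wmic, Win32_ShadowCopy, bcdedit, wbadmin; an assumption about what this behaviour looks like on disk, not a list taken from the campaign) and raises the severity when a script host such as wscript.exe is the parent, which is the shape of a JavaScript-delivered chain. The sample events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1 / Security 4688)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# Script hosts a JavaScript-delivered payload would typically run under or spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Regexes applied to a normalised (lower-cased, unquoted, single-spaced) command line.
# Assumed list of backup-destruction commands; not taken from the Magniber sample.
RULES = {
    "shadow_copy_deletion": [
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
        r"\bwin32_shadowcopy\b.*(?:\bremove-wmiobject\b|\bremove-ciminstance\b|\.delete\(\))",
    ],
    "recovery_disabled": [
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b",
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b",
    ],
    "backup_catalog_deleted": [
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b",
    ],
}
COMPILED = {tag: [re.compile(p) for p in pats] for tag, pats in RULES.items()}


def normalise(command_line: str) -> str:
    """Lower-case, drop quoting and collapse whitespace so every rule sees one canonical form."""
    text = command_line.lower().replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", text).strip()


def classify(command_line: str) -> FrozenSet[str]:
    """Return the set of backup-destruction behaviours a command line matches (empty if none)."""
    text = normalise(command_line)
    return frozenset(tag for tag, pats in COMPILED.items() if any(p.search(text) for p in pats))


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str, FrozenSet[str]]]:
    """Return (pid, severity, tags) for every event that hits at least one rule.

    Severity is 'high' when the parent or the image is a script host, 'medium' otherwise;
    a listing such as 'vssadmin list shadows' produces no hit at all.
    """
    hits = []
    for ev in events:
        tags = classify(ev.command_line)
        if not tags:
            continue
        parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
        image = ev.image.rsplit("\\", 1)[-1].lower()
        severity = "high" if parent in SCRIPT_HOSTS or image in SCRIPT_HOSTS else "medium"
        hits.append((ev.pid, severity, tags))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(101, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\vssadmin.exe",
                 r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    ProcessEvent(102, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\bcdedit.exe",
                 r"bcdedit /set {default} recoveryenabled No"),
    ProcessEvent(103, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbadmin.exe",
                 r"wbadmin delete catalog -quiet"),
    ProcessEvent(104, r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
                 r"vssadmin list shadows"),
    ProcessEvent(105, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'),
    ProcessEvent(106, r"C:\Windows\explorer.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
]

if __name__ == "__main__":
    for pid, severity, tags in detect(SAMPLE_EVENTS):
        print(f"pid={pid} severity={severity} tags={sorted(tags)}")
```

The normalisation step matters more than the regexes: quoting, mixed case and padded whitespace are cheap ways to slip past a rule that matches the literal string `vssadmin delete shadows`. Because the malware reaches these commands through a UAC bypass, the same events will show an elevated process whose parent is an unelevated script host, which is another signal worth correlating.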
Describing the ransomware campaign, HP Wolf noted that the infection chain begins with a web download from an attacker-controlled website.
The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.
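The lure in this chain works because a .js file inside a ZIP runs under Windows Script Host as soon as the user double-clicks it. The following is an added example, not code from HP Wolf Security or from the campaign: a gateway- or endpoint-style check that opens an archive, flags every entry whose extension Windows would hand to a script host or execute, and annotates the update-themed names and double extensions (such as `Update.pdf.js`) that this kind of lure relies on. The extension and lure-word lists are assumptions for the example, and the sample archives are constructed in memory with placeholder content rather than the campaign's files.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Extensions Windows hands to a script host or executes directly on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".msi", ".lnk"}
# Extensions a lure might fake in a double-extension name such as "Update.pdf.js".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Words this example treats as update/security lures (an assumption, not a list from the campaign).
LURE_WORDS = re.compile(r"update|patch|antivirus|anti-virus|security|windows|install", re.IGNORECASE)


def scan_zip(data: bytes) -> List[Tuple[str, List[str]]]:
    """Return (entry name, reasons) for every archive entry that would execute if double-clicked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            reasons = [f"executable/script file ({ext})"]
            # "Security-Patch.pdf.js": the real extension is the last one, the document one is bait.
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension")
            if LURE_WORDS.search(base):
                reasons.append("update/security-themed name")
            findings.append((info.filename, reasons))
    return findings


def verdict(data: bytes) -> str:
    """Block any archive that carries a directly executable entry; allow the rest."""
    return "block" if scan_zip(data) else "allow"


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; used here only to construct sample archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples with placeholder content (not the campaign's files).
LURE_ZIP = build_zip({"Windows10-Update.js": b"WScript.Echo('placeholder');"})
DOUBLE_EXT_ZIP = build_zip({"docs/Security-Patch.pdf.js": b"WScript.Echo('placeholder');"})
BENIGN_ZIP = build_zip({"notes/readme.txt": b"nothing to see", "photo.jpg": b"\xff\xd8\xff"})

if __name__ == "__main__":
    for label, archive in (("lure", LURE_ZIP), ("double-ext", DOUBLE_EXT_ZIP), ("benign", BENIGN_ZIP)):
        print(label, verdict(archive), scan_zip(archive))
```

On the client side the same risk is usually removed by changing the default handler for JScript and VBScript files from Windows Script Host to a text editor, so that a double-click opens the lure instead of running it; that removes the "software update" illusion without affecting legitimate updates, which are never delivered as loose script files.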
For Magniber to access and block files, it needs to be executed on a Windows account with administrator privileges – a level of access that is much more common on personal systems.
“Consumers can protect themselves by following ‘least-privilege’ principles – only logging on with their administrator account when strictly needed, and creating another account for everyday use,” explained Schläpfer. “Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach.”
The company noted that this ransomware does not fall into the category of Big Game Hunting but can still cause significant damage.
“This isn’t a shift away from big game hunting, but rather demonstrates that not only enterprises are the focus of ransomware groups, but home users as well,” Schläpfer said.