A recent malicious campaign delivering Magniber ransomware targeted Windows home users with fake security updates.
A report from HP’s threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 from home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.
In April 2022, Magniber was distributed as a Windows 10 update via a network of malicious websites.
In January, its operators used fake Chrome and Edge browser updates to push malicious Windows application package files (.APPX).
Magniber’s new infection chain
The files delivered in the latest campaign are obfuscated JScript and use a variation of the “DotNetToJScript” technique to load and execute a .NET assembly directly in memory, lowering the risk of detection by antivirus products running on the host.
The .NET assembly decodes a shellcode blob that issues system calls through its own wrapper rather than the documented Windows API (sidestepping the user-mode hooks security products place on those APIs), injects the shellcode into a new process, and then terminates its own process.
The shellcode deletes Volume Shadow Copies via WMI and disables Windows’ backup and recovery features through “bcdedit” and “wbadmin.” Removing these restore points increases the chances of getting paid, because victims have one fewer option for recovering their files.
Deleting shadow copies requires administrator rights, so Magniber first bypasses User Account Control (UAC) to perform this action.
It relies on a well-known technique: it creates a registry key under the user’s hive (HKCU\Software\Classes\ms-settings\Shell\Open\command) in which a shell command can be specified. In a later step it runs “fodhelper.exe,” a Windows binary that auto-elevates without a UAC prompt and consults that key on launch, so the planted command, a script that deletes the shadow copies, executes with elevated privileges. This only works when the logged-in user is a member of the Administrators group and UAC is not set to “Always notify,” which is the default situation on most home PCs.
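As an added detection example (not code from HP’s report and not Magniber’s own code), the block below hunts for the chain just described in constructed, Sysmon-like process-creation and registry events: a write to the ms-settings\Shell\Open\command key under a user hive, a script interpreter spawned by fodhelper.exe, and the typical shadow-copy, bcdedit and wbadmin command lines. The record format, the interpreter list and the command-line patterns are assumptions made for this example; Magniber’s exact command lines may differ.

```python
"""
Hunt for a fodhelper.exe UAC bypass followed by recovery inhibition
(shadow-copy deletion, bcdedit, wbadmin) in process-creation and
registry-set telemetry.  Added example: the log lines are constructed,
Sysmon-like records, not captures from the Magniber campaign.
"""
import re
from dataclasses import dataclass

# fodhelper.exe auto-elevates and resolves the ms-settings: protocol through
# this per-user key, so a non-elevated process writing it is the tell.
FODHELPER_KEY = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I)

# Interpreters that should never be children of fodhelper.exe
# (assumed list for this example; extend for your environment).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Recovery-inhibition command lines (ATT&CK T1490).  Patterns are loose
# because quoting, casing and argument order vary between samples.
RECOVERY_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy", re.I),
    "bcdedit_recovery_off": re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no"
        r"|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_catalog_delete": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
}


@dataclass
class Event:
    kind: str    # "process" (creation) or "registry" (value set)
    image: str   # full path of the acting process
    parent: str  # full path of its parent ("" for registry events)
    detail: str  # command line (process) or target key path (registry)


def parse_line(line: str) -> Event:
    """Parse the constructed 'kind|image|parent|detail' record format."""
    kind, image, parent, detail = (s.strip() for s in line.split("|", 3))
    return Event(kind, image, parent, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(lines) -> set:
    """Return the set of technique tags observed across the event stream."""
    findings = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev.kind == "registry" and FODHELPER_KEY.search(ev.detail):
            findings.add("uac_bypass_fodhelper_regkey")
        elif ev.kind == "process":
            if (basename(ev.parent) == "fodhelper.exe"
                    and basename(ev.image) in SHELL_IMAGES):
                findings.add("fodhelper_child_shell")
            for tag, pattern in RECOVERY_PATTERNS.items():
                if pattern.search(ev.detail):
                    findings.add(tag)
    return findings


def suspected_chain(findings: set) -> bool:
    """True when a UAC-bypass indicator and a recovery-inhibition step co-occur.
    The recovery tags deserve an alert on their own; this only raises confidence."""
    uac = {"uac_bypass_fodhelper_regkey", "fodhelper_child_shell"}
    return bool(findings & uac) and bool(findings & set(RECOVERY_PATTERNS))


# Constructed sample telemetry for one host (not real campaign data).
SAMPLE_LOG = [
    "registry|C:\\Windows\\System32\\wscript.exe||HKU\\S-1-5-21-1-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
    "process|C:\\Windows\\System32\\fodhelper.exe|C:\\Windows\\System32\\wscript.exe|fodhelper.exe",
    "process|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\fodhelper.exe|cmd.exe /c wmic shadowcopy delete",
    "process|C:\\Windows\\System32\\bcdedit.exe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No",
    "process|C:\\Windows\\System32\\wbadmin.exe|C:\\Windows\\System32\\cmd.exe|wbadmin delete catalog -quiet",
    "process|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\home\\notes.txt",
]

if __name__ == "__main__":
    tags = analyze(SAMPLE_LOG)
    print(sorted(tags), "chain:", suspected_chain(tags))
```

On a real endpoint the same logic maps onto Sysmon Event ID 1 (process creation, with ParentImage and CommandLine) and Event ID 13 (registry value set, with TargetObject); the registry write and the fodhelper.exe child process are the cheapest signals, because legitimate software has no reason to touch that key.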
Finally, Magniber encrypts the files on the host and drops the ransom notes containing instructions for the victim to restore their files.
While Magniber attempts to limit the encryption to specific file types, the pseudo-hash it computes over file extensions during enumeration isn’t collision-free: unrelated extensions can produce the same value, resulting in hash collisions and “collateral damage,” i.e., encrypting non-targeted file types as well.
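To make the collision mechanism concrete, here is an added example (not Magniber’s actual pseudo-hash, and not code from the report) using a hypothetical 10-bit multiplicative hash over the extension string and a constructed target list. Because 17,576 possible three-letter extensions are squeezed into 1,024 hash buckets, some non-target extensions are bound to share a bucket with a target and get encrypted too; comparing the extension string itself has no such problem.

```python
"""
Why a hash-based extension filter causes collateral damage.  Added
example with a hypothetical 10-bit hash; it is not Magniber's real
pseudo-hash, only a demonstration of the pigeonhole problem.
"""
import string
from itertools import product

HASH_BITS = 10  # hypothetical width: 1,024 buckets for far more extensions


def ext_hash(ext: str, bits: int = HASH_BITS) -> int:
    """Toy multiplicative hash over a lowercased extension, truncated to `bits`."""
    h = 0
    for ch in ext.lower():
        h = (h * 31 + ord(ch)) & ((1 << bits) - 1)
    return h


# Constructed target list standing in for the "specific file types" the
# ransomware intends to encrypt.
TARGET_EXTS = ["doc", "docx", "xls", "xlsx", "pdf", "jpg", "txt", "zip"]
TARGET_HASHES = {ext_hash(e) for e in TARGET_EXTS}


def should_encrypt_by_hash(ext: str) -> bool:
    """Hash-based decision: cheap, but every colliding extension is hit too."""
    return ext_hash(ext) in TARGET_HASHES


def should_encrypt_exact(ext: str) -> bool:
    """String-based decision: only the intended extensions match."""
    return ext.lower() in TARGET_EXTS


def collateral(candidates) -> set:
    """Extensions the hash filter would encrypt although they are not targets."""
    return {e for e in candidates
            if should_encrypt_by_hash(e) and not should_encrypt_exact(e)}


# Every three-letter lowercase extension: 17,576 strings into 1,024 buckets,
# so collisions with the target hashes are unavoidable.
THREE_LETTER = ["".join(t) for t in product(string.ascii_lowercase, repeat=3)]

if __name__ == "__main__":
    hits = collateral(THREE_LETTER)
    print(f"{len(hits)} non-target extensions collide with a target hash")
    print("for example:", sorted(hits)[:10])
```

For an incident responder this is the reason a Magniber victim may find files with unexpected extensions encrypted alongside documents and images: the collateral set is a property of the hash, not of the victim’s data, so the same extra extensions will be hit on every infected machine.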
Home users can defend against a ransomware attack by backing up their files regularly and keeping the backups on an offline storage device that is disconnected once the backup is done. This allows recovery of the data onto a freshly installed operating system.
Before restoring the data, users should make sure the backup is not itself infected, i.e., that it was taken before the compromise and has been scanned from the clean system.