HP’s Wolf Security team is reporting that Magniber ransomware is infecting home users and demanding payments of up to $2,500 for the decryption tool. Masquerading as a Windows 10/11 update, attackers get users to download a Zip file containing the malware. Magniber has been primarily spread through MSI and EXE files, but since September has been using this Zip file approach to install the malware.

Excerpts:

  • The infection chain starts with a web download from an attacker-controlled website. The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.
  • Notably, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.
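The first bullet describes the lure: a ZIP archive whose payload is a JavaScript file named to look like a Windows or anti-virus update. A home user or a help-desk triager cannot see that without opening the archive, so the following added example (not code from HP Wolf Security or from this article) inspects a ZIP in memory and flags members that are Windows-executable scripts, carry a double extension, or use update/anti-virus wording in the file name. The extension list and the lure words are this example's own assumptions, and the sample archive it builds is constructed here with placeholder contents.

```python
import io
import re
import zipfile

# Extensions Windows hands to the Windows Script Host or the shell
# (assumed list for this example; extend to match local policy).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}

# Document/binary extensions that a lure hides behind in "name.pdf.js".
DECOY_EXTENSIONS = {".pdf", ".txt", ".doc", ".docx", ".jpg", ".png",
                    ".exe", ".msi"}

# Wording the article associates with the lure (assumed heuristic).
LURE_WORDS = re.compile(r"update|patch|anti-?virus|security|windows",
                        re.IGNORECASE)


def inspect_archive(zip_bytes):
    """Return [(member_name, [reasons])] for members worth a second look.

    Only archive metadata is read; no member is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look at the base name only; directories inside the ZIP are irrelevant.
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append(f"script file {ext}")
            if len(parts) > 2 and ("." + parts[-2]) in DECOY_EXTENSIONS:
                reasons.append("double extension")
            # A lure name only matters when the member is executable.
            if reasons and LURE_WORDS.search(base):
                reasons.append("update/antivirus lure name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive():
    """Constructed sample: one benign text file plus two lure-style scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Nothing to see here.\n")
        # Placeholder contents only; this is not a real payload.
        zf.writestr("Windows10_Security_Update.js", "// placeholder\n")
        zf.writestr("invoice.pdf.js", "// placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()):
        print(f"{name}: {', '.join(reasons)}")
```

The check is deliberately conservative: a plain `.txt` member is never reported, and the lure-word heuristic only adds weight to a member that is already a script, so it does not flag a harmless `security_notes.docx`. Running it on the constructed archive reports the update-named `.js` file and the double-extension `invoice.pdf.js`.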
Paul Bischoff , Privacy Advocate
InfoSec Expert
October 17, 2022 11:08 am

Magniber differs from other high-profile ransomware by being more targeted at home users than enterprise ones. It requires administrative privileges on Windows. Home users usually have administrative privileges on their devices, but that’s far less common in corporate environments. The ransom demand is also relatively small. 

Although Magniber is sophisticated, it still requires human interaction to infect a device. Victims must be tricked into visiting a malicious website and downloading a compressed file containing the ransomware. The attack is fairly easily avoided; don’t click on links or attachments in unsolicited emails and messages. Be on the lookout for fake Windows and antivirus updates. You shouldn’t need to visit a website to update either of these.

Last edited 1 month ago by Paul Bischoff
Melissa.bischoping , Endpoint Security Research Specialist
InfoSec Expert
October 17, 2022 10:10 am

While enterprises often have tool stacks to detect and prevent malicious activity on the endpoint, home users are far less protected. Since most home users are the administrative account on their systems, effective social engineering provides a quick way to execute in a high-privileged capacity, and can bypass common protections like User Account Control. The use of “fileless” techniques such as those used in Magniber are popular in evading detection solutions. These techniques are not novel, but because home users lack dedicated teams with the tools to investigate, detect, and prevent execution, they have a greater likelihood of success.

While the threat actors may not be able to demand millions in ransom from each victim, they are likely hoping to leverage a large quantity, versus the frequently seen “big game hunting” where attackers go after high-value targets more likely to pay huge sums.

Home users should take security seriously and have their own prevention and recovery plan for themselves and their family. 

Some tips and best practices:

  • Only download updates and software from official sources and trusted organizations. For example, go directly to the Windows Update app on your PC, not to a third-party website, to get official patches.
  • Educate yourself on common phishing techniques.
  • Be mindful that patches are released regularly, and ensure you have automatic patching enabled in your operating system.
  • Use a trusted cloud storage solution for backups of your essential documents and data. In the event that your system is compromised with ransomware, this can be a reliable way to recover that data. 
  • Put together an “incident response plan” for your home – this doesn’t need to be elaborate, but should include a list of key accounts to change passwords on (such as bank accounts), and instructions on how to wipe and re-image your computer or the contact information of a local tech support provider who can assist.
Last edited 1 month ago by melissa.bischoping