Recently, security researchers at HP's threat intelligence team discovered a malicious campaign in which threat actors deliver Magniber ransomware to Windows Home users under the guise of fraudulent security updates.
In September 2022 the threat actors set up numerous fake websites on which they promoted and distributed fraudulent antivirus and security updates for Windows 10.
The complex infection chain begins with the file-encrypting malware being downloaded as a JavaScript file.
Magniber's operators demanded payments of up to $2,500 from victims for a decryption tool that would let home users recover their files.
Targeted Versions
This strain targets only Windows 10 and Windows 11 builds that are currently available for download. All the targeted versions of Windows 10 and Windows 11 are listed below:
| Version Code | Name | Release Date |
| --- | --- | --- |
| 17134 | Windows 10, Version 1803 | April 30, 2018 |
| 17763 | Windows 10, Version 1809 | November 13, 2018 |
| 18362 | Windows 10, Version 1903 | May 21, 2019 |
| 18363 | Windows 10, Version 1909 | November 12, 2019 |
| 19041 | Windows 10, Version 2004 | May 27, 2020 |
| 19042 | Windows 10, Version 20H2 | October 20, 2020 |
| 19043 | Windows 10, Version 21H1 | May 18, 2021 |
| 19044 | Windows 10, Version 21H2 | November 16, 2021 |
| 20348 | Windows Server 2022, Version 21H2 | August 18, 2021 |
| 22000 | Windows 11, Version 21H2 | October 4, 2021 |
| 22610 | Windows 11 Insider Preview | April 29, 2022 |
| 22621 | Windows 11, Version 22H2 | September 20, 2022 |
| 25115 | Windows 11 Insider Preview | May 11, 2022 |
| 25145 | Windows 11 Insider Preview | June 22, 2022 |
| 25163 | Windows 11 Insider Preview | July 20, 2022 |
Infection Chain
It is important to note that the threat actors used MSI and EXE files in their previous campaign, whereas the latest version is based on JavaScript files with the following names:
- SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
- SYSTEM.Security.Database.Upgrade.Win10.0.jse
- Antivirus_Upgrade_Cloud.29229c7696d2d84.jse
- ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js
The files used in this attack are obfuscated, and they execute a .NET file in system memory using a variation of the "DotNetToJScript" technique. As a result, the host's antivirus products are less likely to detect the attack.
Before terminating its own process, the .NET file decodes shellcode and injects it into a new process, which makes stealthy syscalls through its own wrapper.
Deleting shadow copies requires elevated privileges, so Magniber uses a bypass of the Windows User Account Control (UAC) feature to perform this action. For this, a registry key is created that allows the user to specify the shell command that is to be executed.
A VBScript that deletes the shadow copies is then executed later in the chain, as is the "fodhelper.exe" utility in a subsequent step.
Once everything is in place, Magniber starts encrypting files and then drops the ransom note on the host. It has been found, however, that Magniber encrypts only specific file types.
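The chain described above (a fake-update script started through the Windows Script Host, the fodhelper.exe UAC bypass and its registry key) can be expressed as a small triage rule for endpoint telemetry. This is an added example, not code from the article or from HP's report; the events are constructed, the registry path is the one publicly documented for the fodhelper bypass rather than one named in the article, and the use of wscript.exe/cscript.exe as the script launcher is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry key abused by the well-known fodhelper.exe UAC bypass. The article
# names fodhelper but not the key; this path is assumed from public documentation.
FODHELPER_KEY = re.compile(
    r"HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.IGNORECASE)

# Fake-update naming seen in the campaign: update/antivirus wording plus a
# .js or .jse extension (pattern derived from the file names listed above).
FAKE_UPDATE_SCRIPT = re.compile(
    r"(upgrade|update|antivirus|security|critical|alert)[\w.]*\.jse?$", re.IGNORECASE)

@dataclass
class Event:
    kind: str    # "registry" (key written) or "process" (command line)
    detail: str

def classify(ev: Event) -> Optional[str]:
    """Label an event that matches a stage of the Magniber chain, else None."""
    if ev.kind == "registry" and FODHELPER_KEY.search(ev.detail):
        return "uac_bypass_fodhelper_key"
    if ev.kind == "process":
        image, _, args = ev.detail.partition(" ")  # simplification: image path has no spaces
        # Assumption: the .js/.jse droppers run through the Windows Script Host.
        if image.lower().endswith(("wscript.exe", "cscript.exe")):
            for token in args.split():
                if FAKE_UPDATE_SCRIPT.search(token.strip('"')):
                    return "fake_update_script_launch"
        if image.lower().endswith("fodhelper.exe"):
            return "fodhelper_execution"
    return None

def triage(events: List[Event]) -> List[str]:
    """Return the labels of all suspicious events, in order."""
    return [label for ev in events if (label := classify(ev)) is not None]

# Constructed sample telemetry, not real logs from the campaign.
SAMPLE_EVENTS = [
    Event("process", r'C:\Windows\System32\wscript.exe "C:\Users\u\Downloads\SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js"'),
    Event("registry", r"HKCU\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"),
    Event("process", r"C:\Windows\System32\fodhelper.exe"),
    Event("process", r'C:\Windows\System32\notepad.exe "C:\Users\u\notes.txt"'),
]

if __name__ == "__main__":
    for label in triage(SAMPLE_EVENTS):
        print(label)
```

Seeing the three labels together on one host within a short window is far more telling than any one of them alone, since fodhelper.exe also runs legitimately.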
Recommendations
Here are the recommendations:
- Use administrator accounts only when you need them.
- The most reliable way to update your software is to download it from an authoritative source.
- Make sure you are backing up your data regularly.