The ransomware installer arrives as a fake Windows update in the form of an optical disc image (ISO).
Within the ISO are two files, which may use the following filenames:
- 5G offer.LNK
- 5G-installer.MSI
The LNK file is a Windows shortcut that serves as a pointer to load the MSI file using msiexec.exe.
The Windows Installer file (MSI) uses the following file properties.
Once executed, it displays the following installation progress window. Note that the Knowledge Base article number it references (KB5023921) is nonexistent and entirely made up.
Upon execution, it first deletes the Volume Shadow Copies with the following command, then proceeds to encryption.
vssadmin.exe Delete Shadows /all /quiet
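Shadow copy deletion is one of the few loud, reliably observable steps in this chain, so it is a natural detection point. The following is an added example (not code from the advisory or from SonicWall) that flags the vssadmin command above in process-creation telemetry. The records are constructed to resemble the fields an EDR or Sysmon Event ID 1 exposes (image path, command line, parent image); the field names and all sample values are assumptions, not telemetry from the sample described here. It normalises case, quoting and argument order so that trivial rewrites of the command line still match, and raises the severity when the caller is the installer process described in this write-up.

```python
"""Flag Volume Shadow Copy deletion in process-creation telemetry.

Added example: constructed records modelled on the fields an EDR or
Sysmon Event ID 1 exposes (image path, command line, parent image).
They are not telemetry from the sample described in the advisory.
"""
from typing import Optional

# Constructed sample events. Only the first and third should be flagged.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": '"C:\\Windows\\System32\\VSSADMIN.EXE"  delete   shadows  /quiet /all',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i E:\5G-installer.MSI /qn",
     "parent": r"C:\Windows\explorer.exe"},
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path, quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> list[str]:
    """Split a command line on whitespace and normalise case and quoting.

    This makes 'Delete Shadows /all /quiet' and
    '"...\\VSSADMIN.EXE"  delete   shadows  /quiet /all' match the same rule.
    """
    return [t.strip('"').lower() for t in cmdline.split()]


def check_shadow_deletion(event: dict) -> Optional[dict]:
    """Return a finding if the event is a vssadmin shadow-copy deletion, else None."""
    if _basename(event["image"]) != "vssadmin.exe":
        return None
    toks = _tokens(event["cmdline"])
    # vssadmin's own syntax: "vssadmin Delete Shadows [/all] [/quiet] ..."
    if "delete" not in toks or "shadows" not in toks:
        return None
    finding = {
        "rule": "vssadmin_delete_shadows",
        "all_copies": "/all" in toks,
        "quiet": "/quiet" in toks,
        "parent": _basename(event["parent"]),
    }
    # Shadow deletion launched by an installer process (the chain described in
    # this write-up) is more suspicious than an admin running it from a shell.
    finding["severity"] = "high" if finding["parent"] == "msiexec.exe" else "medium"
    return finding


def scan(events: list[dict]) -> list[dict]:
    """Run the rule over a list of events and return the findings."""
    return [f for f in (check_shadow_deletion(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the normalised tokens rather than on the literal string means a command line that swaps the switch order or quotes the full path still triggers; the parent-process check is what separates this chain from routine administration, where vssadmin is typically run from an interactive shell.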
It changes the desktop background upon successful infection.
A readme.html dropped in every directory containing encrypted files shows instructions on how to retrieve the victim's files.
SonicWall Capture Labs provides protection against this threat via the following signatures:
- GAV: Magniber.RSM_1 (Trojan)
- GAV: Magniber.RSM_2 (Trojan)
- GAV: Magniber.RSM_3 (Trojan)
This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.