Magniber ransomware seen distributed via ISO disc image files


This week, the Sonicwall Capture Labs Research team analyzed a ransomware called Magniber.  This ransomware has been around since 2017 as a successor to Cerber and initially only targeted a specific country when we first covered it in the past. It has since widened its target and adopted many forms from javascript to archive files and more recently to Microsoft software installer (msi) files and ISO image. What has not changed is that it still purports to be a software security update to lure victims to installing it.

Infection Cycle:

The ransomware installer arrives as a fake windows update in the form of an optical disc image or ISO.

Within the iso are two files that can use the following filenames:

  • 5G offer.LNK
  • 5G-installer. MSI

The LNK file is a windows shortcut file that serves as a pointer to load the MSI file using msiexe.exe

The windows installer file (MSI) uses the following file properties.

And once executed displays the following installation progress window. Note that the Knowledge base code (KB5023921) referenced is nonexistent and completely made up.

Upon execution, the first thing it does is to delete the Volume Shadow copies via the following command and then proceeds to encryption.

vssadmin.exe Delete Shadows /all /quiet

It changes the desktop background upon successful infection.

A readme.html present in all directories that have encrypted files show instructions on how to retrieve the victim’s files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Magniber.RSM_1 (Trojan)
  • GAV: Magniber.RSM_2 (Trojan)
  • GAV: Magniber.RSM_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.