New ransomware Magniber sets its target on South Korea
The Magnitude Exploit Kit is known for delivering the infamous Ransomware Cerber. The last version of the Cerber ransomware was also dropped by the Magnitude Exploit Kit in September 2017 but now the Magnitude Exploit Kit is also delivering a ransomware that has never been seen before.
The SonicWall Capture Labs Threat Research team recently became aware of Magniber and analyzed it. The name Magniber is derived from the names "Magnitude" and "Cerber". The Magniber ransomware is different from the Cerber ransomware. The strange thing is that this ransomware is targeting a specific country as it performs encryption only in South Korea.
Before performing infection it checks the default UI language of the operating system using the kernel32 API GetSystemDefaultUILanguage as shown in the figure below. If the default UI language of the OS is Korean then it performs the infection otherwise it deletes itself and terminates the process.
After checking the UI language, it checks if the machine is already infected. To verify this, it checks for the mutex. The name of the mutex is the same as extension it uses for encrypted files. If this mutex is present, it deletes itself and terminates the process. Otherwise it creates this mutex to prevent the multiple execution. It also enumerates the %temp% folder to search for a file name with a length of 19 characters. If the file is found, it reads the file and compares the content with the Initial Vector (IV) of AES-128 encryption. If the contents of the file match with the IV, it assumes that the machine is already infected. Otherwise, it creates the file and writes the AES-IV to it. The IV is created at the beginning along with the AES key and extension that it uses for the encrypted file. It creates the AES-Key, File Encryption extension and AES-IV by moving a single byte as shown in the figure below:
Ransomware generates the 19 characters for file name of this temp file using multiple calls of API GetTickCount as shown in the figure below:
After performing all of the checks, it starts the infection process. It copies itself into a temp folder with the same name as the encrypted file extension and creates a task schedule for executing the sample every 15 minutes. It creates a task schedule in a hidden state by passing the Command line parameter to WinExec API as seen below.
"schtasks /create /SC MINUTE /MO 15 /tn ymdmf /TR "pcalua.exe -a %Temp%ymdmf.exe""
Finally it starts the encryption process. It enumerates all drives and creates a dedicated thread for encrypting each drive using API CreateThread by passing the thread parameter of drive letter. It uses the AES-128 algorithm for encrypting the file. The First 16 bytes of the encrypted file is the AES-IV that it uses for marker, after which, the encrypted data is stored. An Encrypted file is shown in figure below:
It skips all directories that contain the following path:
And encrypts the files with the following extension:
After encrypting the directory it drops a ransom note in each directory. In the ransom note, it drops the following URL from where the victim can find out how to decrypt the files:
The following is the ransom note:
On the payment site, the ransomware asks the victim to pay via bitcoin and explains how to do so. The Ransomware also promotes a discount to buy the decryption tool if bought within 5 days. The payment site of the ransomware is:
Finally it deletes itself after completing its execution and performing the all activities.
However the good news is, the decryption of encrypted files is possible without paying any ransom. Both, AES-Key and IV is present in payload file that is dropped in temp folder.
Sonicwall Capture Labs detects this threat via the following signature:
- GAV: Magniber.A (Trojan)