标题 | 简介 | 类型 | 公开时间 | ||||||||||
|
|||||||||||||
|
|||||||||||||
详情 | |||||||||||||
[SAFE-ID: JIWO-2024-881] 作者: 枫叶 发表于: [2017-10-20]
本文共 [298] 位读者顶过
A new ransomware is being distributed by the Magnitude exploit kit: Magniber (detected by Trend Micro as RANSOM_MAGNIBER.A and TROJ.Win32.TRX.XXPE002FF019), which we found targeting South Korea via malvertisements on attacker-owned domains/sites. The development in Magnitude’s activity is notable not only because it eschewed Cerber—its usual ransomware payload—in favor of Magniber. Magnitude now also appears to have become an exploit kit expressly targeting South Korean end users. The Magnitude exploit kit, which previously had a global reach, was offered as a service in the cybercriminal underground as early as 2013. It then left the market and became a private exploit kit that mainly distributed ransomware such as CryptoWall. At the start of the second half of 2016, Magnitude shifted focus to Asian countries, delivering various ransomware such as Locky and Cerber. More recently though, we noticed that Magnitude underwent a hiatus that began on September 23, 2017, and it then returned on October 15. With help from Kafeine and malc0de, we were able to uncover Magnitude’s new payload, Magniber.
Figure 1. Timeline of Magnitude exploit kit’s activity from August 1 to October 18, 2017, showing its decline in activity before resurfacing with Magniber as payload
Where has Magnitude gone?[出自:jiwo.org] Magnitude delivers its payload via malvertisements that filter victims using the geolocation of the client IP address and system language. It’s a staple technique used by exploit kits and other cybercriminal campaigns to evade detection and hide their activities from security researchers. For now, Magnitude only exploits one vulnerability to retrieve and execute the payload: CVE-2016-0189 (patched last May 2016), a memory corruption vulnerability in Internet Explorer. This flaw is also used by other exploit kits like Disdain, Sundown-Pirate, Sundown, and Bizarro Sundown, as well as by other threat actors.
Figure 2. Magnitude exploit kit’s infection chain (top) and CVE-2016-0189 exploited to run Magniber (bottom)
Magniber Ransomware
Figure 3. Code snippets of the file loaded in the memory (top), and a snapshot of Magniber’s infection routine once the system matches the UI langugae (bottom) It appears that Magniber may be one of the few country- or language-specific ransomware. While many ransomware families like Cerber, SLocker, and Locky are increasingly pinpointing their targets, they’re still distributed globally. They typically integrate multilanguage checklists and functionalities in their codes, such as when serving ransom notes and redirecting victims to their payment pages. Some borrow a publicly available source code and just customize it depending on their target. Last year, for instance, we saw KaoTear, a Korean language-specific ransomware based on Hidden Tear. And based on the code we’ve so far seen within Magniber, the ransomware can also be taken as still in experimental stages—perhaps under the auspices of Magnitude’s developers. Indeed, we’re bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned. While Magnitude’s distribution of Magniber is still relatively muted, their ability to exploit security gaps in the system and encrypt its files makes their combination a credible threat. Apply best practices to mitigate damage. Minimize your system’s attack surface by keeping it and its applications updated and regularly backing up files. Enterprises should also secure their gateways, endpoints, networks, servers, and other parts of their IT infrastructure that manage business processes.
Trend Micro Ransomware Solutions For small businesses, Trend Micro™ Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware. For home users, Trend Micro™ Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Our machine learning capabilities, powered by XGen™ security, detect this threat even without the need of an update. Indicators of Compromise: Hash detected as RANSOM_MAGNIBER.A (SHA256):
C&C domain and IP address related to Magniber ransomware:
Malvertisement domains/IP addresses related to Magnitude exploit kit:
Domain/IP address related to Magnitude exploit kit:
With additional analysis by Edmark Dungca and Matthew Camacho We would like to acknowledge the contributions of Kafeine and @malc0de whom we worked with in this research. Updated as of October 18, 2017, 8:05PM PDT to include our machine learning-based detection and solution. |