Magniber Ransomware

Magniber Ransomware Wants to Infect Only the Right People






Exploit kit (EK) utilize has been on the decay since late 2016; in any case, certain action stays steady. The Magnitude Exploit Kit is one such case that keeps on influencing clients, especially in the APAC locale.

In Figure 1, which depends on FireEye Dynamic danger Intelligence (DTI) reports partook in March 2017, we can see the locales influenced by Magnitude EK action amid the most recent three months of 2016 and the initial three months of 2017.
This pattern proceeded until late September 2017, when we saw Magnitude EK concentrate basically on the APAC district, with an extensive lump focusing on South Korea. Extent EK action at that point tumbled off the radar until Oct. 15, 2017, when it returned and started concentrating exclusively on South Korea. Already it had been conveying Cerber ransomware, however Cerber circulation has declined (we have additionally observed a decrease of Cerber being appropriated by means of email) and now it is dispersing ransomware known as Magniber.



Infection


The main return of Magnitude EK on Oct. 15 came as a malvertising redirection from the area: fastprofit[.]loan. The contamination chain is appeared in the following figure.

Infection chain
The Magnitude EK presentation page comprised of CVE-2016-0189, which was first revealed by FireEye as being utilized as a part of Neutrino Exploit Kit after it was fixed. Figure 3 demonstrates the point of arrival and CVE use.

Magnitude EK landing page
As observed beforehand with Magnitude EK, the payload is downloaded as a plain EXE (see following figure) and space foundation is facilitated on the accompanying server: 

"Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"

 Magnitude payload header and plain MZ response

Payload

In the underlying report distributed by our partners at Trend Micro, the ransomware being appropriated is alluded to as Magniber. These ransomware payloads just appear to target Korean frameworks, since they won't execute if the framework dialect isn't Korean.

Magniber scrambles client information utilizing the AES128. The specimen utilized (dc2a2b84da359881b9df1ec31d03c715) for this examination was pulled from our DTI framework when the crusade was dynamic. Of note, this specimen varies from the hash shared publically by Trend Micro, however the two display a similar conduct and offer the disease vector, and both were appropriated around a similar time.

The malware contains a twofold payload in its asset segment encoded backward utilizing RC4. It begins unloading it from the finish of the cushion to its begin. Turn around RC4 decoding keys are 30 bytes in length and furthermore contain non-ASCII characters. They are as per the following:

dc2a2b84da359881b9df1ec31d03c715 RC4 key:

{ 0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06, 0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83, 0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f }



Comments

Post a Comment

Popular posts from this blog

Fake WAP

Image
Fake WAP There are a horde of things out there that goes under the general name 'hacking.' But what precisely are these demonstrations and what is the completely most effortless one for programmers to finish? This is a stealth assault, similar to a lethal ninja, known as a phony remote access point (Fake WAP). You may likewise know it as a 'man in the center' assault. Programmers can do this effectively enough, taking your information covertly with the goal that you're unaware. More regrettable yet, you'll HELP them do it! A VPN is your vital component to ensuring this doesn't transpire, regardless of the possibility that you do fall into their trap. As a reward, I get the chance to add pictures of ninjas to this post and it absolutely bodes well. What is a fake wireless access point This is the point at which a programmer utilizes a basic bit of programming and a remote system get to card. They will utilize these and go out into the general
Read more

The Secure Socket Tunneling Protocol

Image
The Secure Socket Tunneling Protocol This segment depends on a prerelease adaptation of Windows Server 2008. All data in this is liable to change. Virtual private system (VPN) bolster in Windows XP and Windows Server 2003 enables you to interface with your private intranet over the Internet, similarly as though your PC was connected to a neighborhood Ethernet port. Nonetheless, the VPN conventions in Windows XP and Windows Server 2003 don't work for some firewall arrangements what's more, for some circuitous arrangements, for example, when your PC is behind a Network Address Translator (NAT) or Web intermediary server—in which the movement for VPN associations is being blocked. To determine these challenges, Windows Server® 2008 and Windows Vista Service Pack 1 incorporate help for the new Secure Socket Tunneling Protocol (SSTP). VPN Access Problems In Windows® XP and Windows Server 2003, the VPN conventions that empower remote access associations with an intranet
Read more

Shift cipher

Image
Shift cipher Modular Math and the Shift Cipher The Caesar Cipher is a type of  shift cipher . Shift Ciphers work by using the modulo operator to encrypt and decrypt messages. The Shift Cipher has a  key K , which is an  integer from 0 to 25 . We will only share this key with people that we want to see our message. How to Encrypt: For every letter in the message  M  : 1.  Convert the letter into the number that matches its order in the alphabet starting from 0, and call this number  X . ( A=0, B=1, C=2, ...,Y=24, Z=25) 2.  Calculate:  Y  =  (X + K)  mod  26 3.  Convert the number  Y  into a letter that matches its order in the alphabet starting from 0. (A=0, B=1, C=2, ...,Y=24, Z=25) For Example:  We agree with our friend to use the Shift Cipher with  key K=19 for our message.  We encrypt the message  "KHAN",  as follows:​ So, after applying the Shift Cipher with key K=19 our message t
Read more