Hackers Use Magnitude EK for Distributing Magniber Ransomware

PC users in South Korea are seriously threatened by the Magniber ransomware which hackers distribute via the Magnitude Exploit Kit.

Security experts from FireEye said that the Magnitude EK has been missing since last September, when it was targeting victims in Taiwan. However, last week, the EK showed up again and it’s currently targeting users in South Korea. Besides, the Magnitude EK switched up its payloads as previously it was distributing Cerber ransomware.

In the latest campaign, the Magnitude EK appeared as a malvertising redirection. According to the analysis of Trend Micro, these malvertisements filter victims use the geolocation of the client IP address and system language. This is a staple technique used by the Magnitude EK and some other spam campaigns in order to evade detection and hide their activities from the security experts.

Nevertheless, the malware analysis shows that the Magniber ransomware payload only seems to target Korean systems, since they won’t execute if the system language is not Korean, which makes Magniber one of the few country or language-specific ransomwares out there.

“While many ransomware families like Cerber, SLocker and Locky are increasingly pinpointing their targets, they’re still distributed globally,” Trend Micro stated. “They typically integrate multi-language checklists and functionalities in their codes, such as when serving ransom notes and redirecting victims to their payment pages. Some borrow a publicly available source code and just customize it depending on their target. Last year, for instance, we saw KaoTear, a Korean language-specific ransomware based on Hidden Tear.”

The Magniber ransomware is in the experimental stages yet and most probably, under the auspices of the Magnitude’s creators.

“Indeed, we’re bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned,” the security experts said.

Currently, the Magnitude EK exploits one vulnerability to retrieve and execute the payload: CVE-2016-0189 (patched in May 2016). This is a memory corruption flaw which is used by other exploit kits like Disdain, Sundown-Pirate, Sundown, Bizarro Sundown, etc.

Considering the above-mentioned, patching the older vulnerabilities is the first thing that should be done.

“Ransomware is a significant threat to enterprises,” FireEye researchers said. “While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk—especially those running old software versions and not using ad blockers. Enterprises need to make sure their network nodes are fully patched.”

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.