Threat Insights Report - Q3-2022 5
In recent years, “Big Game Hunting” ransomware attacks against enterprises have dominated media headlines because of their high-profile victims and substantial ransom demands. Yet single-client ransomware – a type of ransomware that infects individual computers, rather than fleets of devices – can still cause significant damage to individuals and organizations.
In September, HP Wolf Security isolated a ransomware campaign masquerading as software updates that targeted home users. The campaign spread Magniber, a single-client ransomware family known to demand $2,500 from victims. Notably, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) and avoiding detection by using syscalls instead of standard Windows API libraries.
Figure 4 - Magniber infection chain

Magniber and the threat of single-client ransomware
The infection chain starts with a web download from an attacker-controlled website. The user is asked to download a ZIP archive containing a JavaScript file purporting to be an important anti-virus or Windows 10 software update. Previously Magniber was spread through MSI and EXE files, but in September distribution of the ransomware switched to JavaScript.
The attackers used a variation of the DotNetToJScript technique, allowing a .NET executable to be loaded in memory, meaning the ransomware is not saved to disk. This technique bypasses security tools that monitor files written to disk and reduces artifacts left on an infected system.
The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files.
Magniber requires administrator privileges to disable the victim’s ability to recover their data, so the malware uses a User Account Control (UAC) bypass using fodhelper.exe to run commands without alerting the user. For this to work, the logged-in user must be part of the Administrators group.
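The pre-encryption steps described above (a script host launching a JavaScript file from a download location, a process spawned under fodhelper.exe, and shadow-copy or recovery tampering) are each observable in process-creation telemetry. The following detection logic is an added example written for this report, not code from HP Wolf Security or from the Magniber sample; the event fields, the download directories and the sample events are constructed assumptions modelled loosely on Sysmon Event ID 1 records.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Simplified process-creation record (fields modelled loosely on Sysmon Event ID 1)."""
    image: str          # full path of the newly created process
    command_line: str   # its full command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Rule 1: a script host running a .js file out of a user download/temp location,
# i.e. the delivery stage (JavaScript inside a downloaded ZIP).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_DROP_DIRS = ("\\downloads\\", "\\temp\\")  # assumption: typical extraction paths

# Rule 2: anything spawned by fodhelper.exe. The auto-elevating helper normally
# launches no child process of its own, so a child is the UAC-bypass signal.
AUTO_ELEVATE_HELPER = "fodhelper.exe"

# Rule 3: the shadow-copy and recovery tampering that precedes encryption.
RECOVERY_TAMPER = (
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
)


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    image = _basename(event.image)
    cmd = event.command_line.lower()
    if image in SCRIPT_HOSTS and ".js" in cmd and any(d in cmd for d in USER_DROP_DIRS):
        hits.append("script_host_from_download_dir")
    if _basename(event.parent_image) == AUTO_ELEVATE_HELPER:
        hits.append("child_of_fodhelper")
    if any(p.search(event.command_line) for p in RECOVERY_TAMPER):
        hits.append("shadow_copy_or_recovery_tampering")
    return hits


def scan(events):
    """Pair each suspicious event with its rule hits; clean events are dropped."""
    return [(e, h) for e in events if (h := evaluate(e))]


# Constructed sample telemetry (not from the report); paths and names are made up.
SAMPLE_EVENTS = [
    ProcessEvent(  # delivery: script host on a .js dropped into Downloads
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\win10-update.js"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(  # elevated child of fodhelper.exe removing shadow copies
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c vssadmin delete shadows /all /quiet",
        parent_image=r"C:\Windows\System32\fodhelper.exe",
    ),
    ProcessEvent(  # benign: user opens Notepad
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(  # benign: domain logon script (VBS, not from a download dir)
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r"wscript.exe \\dc01\netlogon\logon.vbs",
        parent_image=r"C:\Windows\System32\userinit.exe",
    ),
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(f"{_basename(event.image)} <- {_basename(event.parent_image)}: {', '.join(hits)}")
```

Rule 2 is the cheapest high-confidence signal here: because fodhelper.exe is an auto-elevating binary, any child process it creates runs with the elevated token, so the alert fires before the recovery-tampering commands in rule 3 would. Rule 1 deliberately ignores the logon script in the last sample event; widening it to every script-host launch would drown the delivery stage in administrative noise.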
Interestingly, the Magniber build in this campaign supports recent versions of Windows, including Windows 11 and pre-release versions. This suggests home users rather than enterprises were the intended targets of the campaign, since enterprises tend to use older operating systems.
For the encryption task, the malware enumerates files and checks each file’s extension against a list. If the extension is in the list, the file is encrypted. Finally, the malware places a ransom note in each directory containing an encrypted file and shows it to the victim by opening the demand in a web browser.