Magniber ransomware: exclusively for South Koreans

The Magnitude exploit kit has been pretty consistent over the last few months, dropping the same payload—namely, the Cerber ransomware—and targeting a few select countries in Asia. Strangely, Magnitude EK disappeared in late September, and for a while we wondered whether this was yet another casualty in the already deflated exploit kit scene.

However, a few days ago Magnitude EK resurfaced, this time with a new payload. The delivered malware is also a ransomware, but of a family that was not known before. It has been named Magniber.

This Magniber ransomware is highly targeted, as it checks at several levels (external IP, the language installed, etc.) to ensure that the attacked system is only South Korean. Targeting a single country is unusual on its own, but performing multiple checks to be sure of the country and language of origin makes this a first for ransomware.

Analyzed samples

Older sample

Distribution method

So far, we found this ransomware is dropped only by the Magnitude exploit kit:

No other distribution method is known at the moment.

Behavioral analysis

If the malware is executed on non-Korean systems, the only thing we can see is the operation of deleting itself, delayed by running the ping command:

It only starts its malicious operations on systems with Korean language detected. The executable is pretty noisy, because it implements various tasks just by command line. Running it on the sandbox, we can see the following graph of calls:

The malware copies itself in %TEMP% and deploys itself with the help of task scheduler:

In the same folder, we can see also the ransom note and yet another file. Its name is the same as the part of the domain that has been generated for the particular user, and its extension is the same as the extension of the encrypted files:

To each encrypted file is added an extension that is composed of small Latin characters and is constant for the particular sample of Magniber.

The same plain-text makes the same cipher-text. This means each and every file is encrypted using exactly the same key.

Below, we demonstrate a visualization of bytes of a sample BMP file before and after being encrypted by Magniber:

As you can see, there are no visible patterns in the encrypted version; it suggests that some strong algorithm has been used, probably AES in CBC mode.

At the beginning of each encrypted file, we find a 16-character long identifier that is constant for the particular sample of Magniber:

After the encryption of all the found files is done, the ransomware runs notepad, displaying the dropped ransom note:

The ransom note is in the TXT format and its structure is minimalistic. It gives four alternative addresses pointing to the page for the victim.

Page for the victims

The page for the victims is in English only. Its template is very similar to the one used by the Cerber ransomware (this is the only similarity between those ransomware families—internally they are quite different):

Network communication

We found Magniber connecting domains that are generated by the built-in algorithm. The same domains that are used as CnC are later used for individual websites for the victim (only they are called with a different parameter). Examples of the called URLs:

http://xat91h3evntk5zb66dr.bankme.date/new1
http://xat91h3evntk5zb66dr.bankme.date/end1

Compare the URLs from the ransom note with the corresponding run:

http://xat91h3evntk5zb66dr.bankme.date/EP866p5M93wDS513
http://xat91h3evntk5zb66dr.jobsnot.services/EP866p5M93wDS513
http://xat91h3evntk5zb66dr.carefit.agency/EP866p5M93wDS513
http://xat91h3evntk5zb66dr.hotdisk.world/EP866p5M93wDS513

At the beginning of the execution, the ransomware sends a request to the URL ending with new1 (or new0). At the end of the execution, it requests end1 (or end0). The meaning of those URLs will be explained in detail in the next part of the article.

What’s interesting is that the server gives a valid response if, and only if, the public IP of the victim was Korean. Otherwise, the response is empty. Example of the captured initial request and response (the request was made from the Korean IP):

In the response, we get a 16-character long, random string: ce2KPIak3cl6JKm6. The new random URL can be requested only once. If we try to repeat the request, we will get an empty response.

The other request (the ending one) also gives a 16-character long, random string in response. But contrary to the first one, it responds on every request (a different random string each time). Example of the ending request and response:

Inside the code

As always, to understand what is really going on here, we will have to take a deeper dive inside the code.

Magniber is delivered packed by various crypters, and the unpacking method will depend on the crypter’s features. You can see the process of unpacking the current sample in the video below.

After defeating the first layer, we obtain the second PE file: the malicious core. The core does not contain any advanced obfuscation. The authors made the strings just slightly difficult to follow by loading them into memory character by character:

Execution flow

Looking inside the unpacked payload, we can clearly see why it doesn’t run on most systems. At the beginning, there is a language check (using the API function GetSystemDefaultUILanguage):

The only accepted UI language is Korean (code 1042). In case of any other detected, the sample just deletes itself and causes no harm. This language check has been added in the recent Magniber samples and was not found in the earlier versions, such as aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30.

After the check is passed, Magniber follows with a typical ransomware functionality. Overview of the performed steps:

  1. Creates mutex
  2. Checks in the temp folder if the marker file has been dropped
  3. Drops the copy of itself in %TEMP% and adds the scheduled task
  4. Queries the generated subdomains to retrieve the AES key (if retrieving the key failed, loads the hardcoded one)
  5. Enumerates and encrypts files with the selected extensions
  6. Reports finishing the task to the CnC
  7. Executes the notepad displaying the ransom note
  8. Deletes itself

What is attacked?

The list of extensions attacked by Magniber is really long. It includes documents, source code files, and many others. The complete list is below:

docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg 
onetoc2 snt docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm 
pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm vdi vmx gpg 
aes raw cgm nef psd ai svg djvu sh class jar java rb asp php jsp brd sch dch 
dip vb vbs ps1 js asm pas cpp cs suo sln ldf mdf ibd myi myd frm odb dbf db 
mdb accdb sq sqlitedb sqlite3 asc lay6 lay mm sxm otg odg uop std sxd otp 
odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr 
crt key pfx der 1cd cd arw jpe eq adp odm dbc frx db2 dbs pds pdt dt cf cfu 
mx epf kdbx erf vrp grs geo st pff mft efd rib ma lwo lws m3d mb obj x3d c4d 
fbx dgn 4db 4d 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr 
cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx dd df1 dmo dnc 
dp1 dqy dsk dsn dta dtsx dx eco ecx emd fcd fic fid fi fm5 fo fp3 fp4 fp5 
fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt 
mrg mud mwb s3m ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 
p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq 
sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb 
zdc cdr cdr3 abw act aim ans apt ase aty awp awt aww bad bbs bdp bdr bean 
bna boc btd cnm crw cyi dca dgs diz dne docz dsv dvi dx eio eit emlx epp err 
etf etx euc faq fb2 fb fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt 
fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hz idx ii ipf jis joe jp1 jrtf
kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man 
map mbox me mel min mnt mwp nfo njx now nzb ocr odo of oft ort p7s pfs pjt prt 
psw pu pvj pvm pwi pwr qd rad rft ris rng rpt rst rt rtd rtx run rzk rzn saf 
sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa sty sub sxg tab 
tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof upd utf8 utxt vct vnt 
vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wp wps wpt wpw wri wsc wsd wsh wtx
xd xlf xps xwp xy3 xyp xyw ybk ym zabw zw abm afx agif agp aic albm apd apm 
apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 ca cals can cd5 cdc 
cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv dm3 
dmi vue dpx wire drz dt2 dtw dv ecw eip exr fa fax fpos fpx g3 gcdp gfb gfie 
ggr gih gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx 
itc2 iwi j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jw 
jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs my ncr nct 
nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cmx cnv csy 
cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf 
fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg
 gem glox hpg hpg hp idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx 
mmat mat ovp ovr pcs pfv plt vrm pobj psid rd scv sk1 sk2 ssk stn svf svgz 
tlc tne ufr vbr vec vm vsdm vstm stm vstx wpg vsm xar ya orf ota oti ozb 
ozj ozt pa pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 
pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg 
ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli
 rpf rri rs rsb rsr rw2 rw s2mv sci sep sfc sfw skm sld sob spa spe sph spj 
spp sr2 srw wallet jpeg jpg vmdk arc paq bz2 tbk bak tar tgz gz 7z rar zip 
backup iso vcd bmp png gif tif tiff m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov
avi asf mpeg vob mpg wmv fla swf wav mp3 

The list loads at the beginning of the file encrypting function:

As usual, some of the directories are exempted:

:\documents and settings\all users\ 
:\documents and settings\default user\ 
:\documents and settings\localservice\ 
:\documents and settings\networkservice\ 
\appdata\local\ 
\appdata\locallow\ 
\appdata\roaming\ 
\local settings\ 
\public\music\sample music\ 
\public\pictures\sample pictures\ 
\public\videos\sample videos\ 
\tor browser\ 
\$recycle.bin 
\$windows.~bt 
\$windows.~ws 
\boot 
\intel 
\msocache 
\perflogs 
\program files (x86) 
\program files 
\programdata 
\recovery 
\recycled 
\recycler 
\system volume information 
\windows.old 
\windows10upgrade 
\windows 
\winnt

How does the encryption work?

Magniber encrypts files with AES 128 bit in CBC mode. It is implemented with the help of Windows Crypto API.

 The DGA and the victim ID

In the usual scenario, the malware tries to retrieve the AES key from the CnC by querying pseudo-random subdomains:

The pseudo-random part is used to uniquely identify the victim. It is generated by the following simple algorithm:

Each character is based on the tick count, converted to the given charset:

The number 0 or 1 is appended to the URL depending if the sample is running in the controlled environment or not (detected using time check).

Four domains are being queried for the key:

If any of them give a 16-byte long response, that means the valid key is copied to the buffer and used further. Otherwise, it falls back to the hardcoded key.

The default AES key and IV

The interesting thing is that each sample comes with the AES key hardcoded. However, it is used only as a backup if downloading the key from the CnC was for some reason impossible (that occurs also in the case if the public IP was not from Korea). The key is unique per each sample. In the currently analyzed sample, it is S25943n9Gt099y4K:

If any of them gives 16  byte long response, that means the valid key, it is copied to the buffer and used further. Otherwise, it falls back to the hardcoded key.

 

Similarly, the initialization vector is always hardcoded in the sample (but not downloaded). The same 16-character long string was also saved at the file beginning. In the currently analyzed sample it is EP866p5M93wDS513:

The algorithm

First, the crypto context is initialized. The malware imports the key and initialization vector with the help of functions CryptImportKey, CryptSetKeyParam:

Encrypting the file:

The first write stores the 16-byte long string at the beginning of the file. Then, the file is read chunk by chunk and encrypted using Windows Crypto API.

Conclusion

Magniber ransomware is being distributed instead of Cerber from the same exploit kit, approaching the same targets. However, internally it has nothing in common with the Cerber and is much simpler. The only feature that makes it unique is being so picky about the targeted country. For the first time, we are seeing country checks being performed at various levels of execution.

This ransomware family appeared recently and probably is still under active development. We will keep an eye on its evolution and keep you informed.

The users of Malwarebytes for Windows (with real-time, anti-ransomware technology deployed) are protected against Magniber.

Appendix

https://www.checkmal.com/page/resource/video/?detail=read&idx=676&p=1&pc=20

https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/

https://gist.github.com/evilsocket/b89df665e6d52446e3e353fc1cc44711 (magniber_decryptor.exe) – decryptor by @evilsocket (works only for the cases when the AES key is known – i.e. the default one from the sample was used, or the random one can be extracted from the captured traffic)


This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

COMMENTS