INSECURE SECURITY UPDATE: Launching Counter Attacks with Cyber Awareness Campaigns - Magniber Ransomware's New Delivery Technique
The continuous pursuit of improvement and innovation across every aspect of human life can be seen even in threat actors, who keep searching for newer ways to distribute their craft. Magniber ransomware is one of the malware families that has been seen evolving every now and then. It was first seen in 2017, when it used the Magnitude Exploit Kit as its delivery platform, a platform often used by other ransomware families such as Cerber, Locky and CryptoWall [1]. Fast forward to this year, 2022: Magniber ransomware has been seen lurking around again, but this time it chose a different entrance.
Nowadays, cyber security professionals are raising security awareness, campaigning and urging people to regularly update their software so that they can lower the risk of being exposed and attacked through known vulnerabilities in outdated systems. Now here comes a Windows update that should be good in all aspects; however, unbeknownst to most, a malicious actor crafted a fake Windows Update and bundled it with Magniber ransomware. Although this is not the first time a fake application has been used to deliver malicious content, it is the first time a ransomware has chosen MSI as its gate for attack.
This research focuses on the new attack vector used by Magniber ransomware, unveiling how malware actors were able to use MSI as a package for Magniber by leveraging an MSI feature coupled with a malicious component. It will also showcase a tool known as Orca, a Microsoft database table editor that can be used to understand how Magniber was executed without being noticed. Furthermore, the research will explore how MSI can be used in other ways as a distribution technique. Finally, since Magniber pioneered a new distribution technique for ransomware, this research will also explore and monitor whether other ransomware families follow in its steps. As the approaches for finding new ways to attack and enter an environment evolve, updating our current cyber awareness campaigns to secure and strengthen our gates is one way to counter this attack.
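The abstract describes Orca as a database table editor used to see how the package executed Magniber. An MSI is a relational database, so the same inspection can be scripted for triage. The following PowerShell is an added example, not the authors' tool or code from the talk: it opens a package read-only through the Windows Installer COM automation interface and lists the CustomAction, Binary and InstallExecuteSequence tables, which are the standard tables where a package declares code it will run and when. The abstract does not state which MSI feature Magniber used, so treating these tables as the place to look is an assumption of this example; the sample path is a placeholder, and the script requires a Windows host with Windows Installer.

```powershell
# Added triage example (not from the authors): dump the MSI tables an analyst
# would otherwise open in Orca to find where a package runs embedded code.
# Assumes a Windows host; $Path is a placeholder you replace with the sample.
function Get-MsiTableRows {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Query
    )
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Late-bound COM calls: WindowsInstaller.Installer exposes no type library,
    # so methods are invoked through InvokeMember. 0 = open read-only.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    try {
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($Query))
    } catch {
        # Many legitimate packages have no CustomAction table at all; report none.
        return @()
    }
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $rows = @()
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $count = $rec.GetType().InvokeMember('FieldCount', 'GetProperty', $null, $rec, $null)
        $fields = @(for ($i = 1; $i -le $count; $i++) {
            $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($i))
        })
        $rows += ,$fields
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    return $rows
}

# Decode the CustomAction Type column (documented bit layout): bits 0-2 give
# the basic type, bits 4-5 say where the code comes from.
function Describe-CustomActionType {
    param([int] $Type)
    $base = switch ($Type -band 0x07) {
        1 { 'DLL' } 2 { 'EXE' } 3 { 'text/property' } 5 { 'JScript' } 6 { 'VBScript' } 7 { 'nested install' }
        default { "unknown($($Type -band 0x07))" }
    }
    $source = switch ($Type -band 0x30) {
        0x00 { 'embedded in Binary table' } 0x10 { 'file installed by package' }
        0x20 { 'directory path' } 0x30 { 'property value' }
    }
    return "$base, $source"
}

$sample = 'C:\samples\suspect.msi'   # placeholder: replace with the file under analysis

# When each custom action is scheduled to run during installation.
$sequence = @{}
foreach ($row in Get-MsiTableRows -Path $sample -Query 'SELECT `Action`, `Sequence` FROM `InstallExecuteSequence`') {
    $sequence[$row[0]] = $row[1]
}

Write-Output "== CustomAction =="
foreach ($row in Get-MsiTableRows -Path $sample -Query 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`') {
    $when = if ($sequence.ContainsKey($row[0])) { "sequence $($sequence[$row[0]])" } else { 'not scheduled' }
    Write-Output ("{0}: type {1} ({2}); source={3}; target={4}; {5}" -f
        $row[0], $row[1], (Describe-CustomActionType ([int]$row[1])), $row[2], $row[3], $when)
}

# Binary table: payloads (DLLs, EXEs, scripts) stored inside the package itself.
Write-Output "== Binary =="
foreach ($row in Get-MsiTableRows -Path $sample -Query 'SELECT `Name` FROM `Binary`') {
    Write-Output $row[0]
}
```

A custom action whose code is "embedded in Binary table" and is scheduled early in InstallExecuteSequence runs from inside the package before any files are laid down, which is why the Binary table entries deserve extraction and scanning on their own. A package that reports no CustomAction rows still needs its file and registry tables reviewed, but it cannot launch code through this mechanism.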
John Karlo De Mesa Agon
Karlo has been in the Threat Analysis and Reverse Engineering area of information security for almost 8 years. His experience in creating proactive detections through correlation of file metadata was critical in identifying malware and even prevented an outbreak of ransomware. Coupling these technical skills with a fun and outgoing character, he not only works well with the team but also guides them in working out solutions as a seasoned virus analyst. He enjoys watching movies and anime with his wife and has recently been blessed to become the father of a healthy baby boy.
Lovely Jovellee Lyn Bruiz Antonio
With more than 9 years in the information security industry, Lovely's experience includes research, analysis and creating detection and remediation signatures for malicious software. She is also well-versed in website analysis for false-positive checking and blocking. Lovely has been part of malware research projects and has been fortunate to have presented at a previous AVAR conference. She recently got married to another virus researcher and is looking forward to building a family of her own.