Magniber Ransomware Improves, Expands Within Asia
(Jul 16, 2018)
The threat actors behind the “Magnitude” Exploit Kit (EK) have made changes to the EK’s custom ransomware, “Magniber,” according to Malwarebytes Labs researchers. Magniber was first observed being distributed in the wild by Magnitude in October 2017. Researchers found that the actors incorporated an Adobe Flash vulnerability, registered as “CVE-2018-4878,” in April 2018 and most recently incorporated an Internet Explorer (IE) vulnerability, registered as “CVE-2018-8174.” In addition to the IE exploit, the Magniber ransomware has new obfuscation techniques and no longer requires a Command and Control server or a hardcoded encryption key. Furthermore, Magniber used to primarily target users in South Korea, but it has now been observed targeting other, unnamed, Asia Pacific countries.
Recommendation: Always keep your browser and operating system up to date, including any browser add-ons you may need (Flash, Java). Employ network-based as well as host-based detection and prevention systems where possible. In the case of CrypMIC infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.