Researchers identified a new ransomware family called Magniber that uniquely targets only users in South Korea and the Asia-Pacific regions. The ransomware is primarily being distributed by the Magnitude exploit kit, a primary distribution vehicle in the past for Cerber ransomware.
Because of Magniber’s close affiliation with both the Magnitude EK and Cerber, researchers are calling the new ransomware Magniber, a mashup of both names.
“Magnitude EK activity fell off the radar until Oct. 15, 2017, when it came back and began focusing solely on South Korea. Previously it had been distributing Cerber ransomware, but Cerber distribution has declined and now it is distributing ransomware known as Magniber,” wrote FireEye in a report released Thursday on the new ransomware strain.
Over the past few days other researchers have also spotted similar Magniber activity. Trend Micro noted that Magnitude EK activity had vanished briefly two weeks prior to the Oct. 15 Magniber attacks. Researchers there also said that while Cerber, SLocker and Locky ransomware had often been used in focused attacks, none of them had targeted a specific geographic region.
As for the malware’s payload, Magniber ransomware will not execute if the system language is not Korean, according to FireEye researchers Muhammad Umair, Zain Gardezi and Shahzad Ahmad who co-authored the report.
“The malware calls GetSystemDefaultUILanguage, and if the system language is not Korean, it exits,” FireEye said.
Magniber encrypts user data using AES128, researchers at FireEye said, noting its Magniber sample differed from that found by other researchers.
“The malware contains a binary payload in its resource section encrypted in reverse using RC4. It starts unpacking it from the end of the buffer to its start. Reverse RC4 decryption keys are 30 bytes long and also contain non-ASCII characters,” researchers said.
After unpacking in memory, the malware starts executing the contents of the payload. Part of that process includes using a 19-character pseudorandom string to construct four URLs for callbacks used to identify a virtual machine and avoid executing the ransomware on one.
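To illustrate the “reverse” RC4 unpacking FireEye describes, here is a small analyst helper (added example, not FireEye’s or the malware author’s code). It assumes “encrypted in reverse” means the RC4 keystream is consumed starting at the last byte of the resource buffer and walking back to the first; the 30-byte key and the payload bytes are constructed test data, and `looks_like_pe` is a hypothetical sanity check for confirming that a guessed key and orientation are right.

```python
"""Reverse-RC4 unpacker sketch for the packed resource Magniber-style samples carry.

Assumption: the keystream is applied from the END of the buffer to its start.
SAMPLE_KEY and SAMPLE_PAYLOAD are constructed, not taken from a real sample.
"""


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes (standard KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def reverse_rc4(buf: bytes, key: bytes) -> bytes:
    """XOR the RC4 keystream onto buf starting at its last byte.

    RC4 is symmetric, so the same call packs and unpacks under this scheme.
    The reported samples use 30-byte keys that include non-ASCII bytes; any
    key length is accepted here so an analyst can test other guesses.
    """
    out = bytearray(len(buf))
    ks = rc4_keystream(key)
    for pos in range(len(buf) - 1, -1, -1):   # walk end -> start
        out[pos] = buf[pos] ^ next(ks)
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Hypothetical sanity check: a correctly unpacked Windows binary starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed 30-byte key with non-ASCII bytes, mirroring the reported key shape.
SAMPLE_KEY = bytes(range(0x80, 0x80 + 30))
# Constructed stand-in for a packed PE payload (just a DOS-header prefix plus filler).
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed filler bytes " * 4


def demo() -> bytes:
    """Pack the constructed payload, then unpack it again; returns the recovered bytes."""
    packed = reverse_rc4(SAMPLE_PAYLOAD, SAMPLE_KEY)
    return reverse_rc4(packed, SAMPLE_KEY)
```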
If the Magniber ransomware is executed, the malware then starts to encrypt user files on the system, renaming them by adding a “.ihsdj” extension to the end. Once it’s accomplished this task, the malware then issues a command to delete itself.
According to Trend Micro, hackers are using the Magnitude EK in conjunction with malvertising campaigns and exploiting a memory corruption vulnerability (CVE-2016-0189) in Internet Explorer (9 through 11), patched last year.
“While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk – especially those running old software versions and not using ad blockers,” FireEye researchers noted.