(Image by Pete Linforth/Pixabay)

One of the longest-running exploits called Magnitude has been upgraded to target more countries in the Asia-Pacific, according to the blog post of Malwarebytes. Magniber, the breed of the exploit kit, initially spread panic in South Korea in 2017 and was, for a time, a private operation limiting itself in only a few countries.

A recent discovery by the researchers of Malwarebytes shows that the ransomware how evolved and the malware code now includes Chinese ((China, Macau, and Singapore) and Malay (Brunei and Malaysia).

Magniber first made an appearance in October 2017 when it was distributed by an exploit kit operator through a filtering gate (Magnigate) to a few Asian countries. Interestingly, the malware authors specifically targeted South Korea with malvertising chains.

“Magniber would only install if a specific country code was returned, otherwise it would delete itself,” the researchers wrote on their blog post.

Magnitude tested briefly the “ever-growing” GandCrab ransomware in April 2019 when it “adopted a fresh Flash zero-day (CVE-2018-4878).” Then they brought back a recharged Magniber using the latest Internet Explorer exploit (CVE-2018-8174).

Payloads in batches

The researchers explained that the payloads are downloaded and executed in batches.

“After Magnigate’s 302 redirection, we see a Base64 obfuscated JavaScript used to launch Magnitude’s landing page, along with a Base64 encoded VBScript. (Both original versions of the scripts are available at the end of this post in the IOCs.) After CVE-2018-8174’s exploitation, the XOR-encrypted Magniber is retrieved,” the Malwarebytes researchers wrote.

They also noted that Magniber’s actions are predictable in that “it encrypts files and at the end drops a ransom note named README.txt.” However, in terms of source code, it is now “more refined” compared to the first time “leveraging various obfuscation techniques and no longer dependent on a Command and Control server or hardcoded key for its encryption routine.”

The researchers were able to determine Magniber through the file extension .dyaaghemy. They noticed that at the latest version, each file uses a unique key compared to the previous one that is encrypted with the same AES key while the encrypted content does not show any patterns.

“That suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode). Below you can see a BMP file before and after being encrypted by Magniber,” the researchers wrote.

It’s now complicated

The authors of the malware made it a lot more complicated or in Malwarebytes’ words “improved obfuscation” compared to the first one. They made it a little harder to determine this time using “a few different techniques” where the “API functions are now dynamically retrieved by their checksums.”

The researchers called the authors “professionals” as the versions of malware evolves into a better version of its previous self.

“This ransomware operation is carried with surgical precision, from a careful distribution to a matching whitelist of languages,” the researchers wrote. “Criminals know exactly which countries they want to target, and they put their efforts to minimize noise and reduce collateral damage.”