Recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.
A ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims.
Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.
"Some malware families, such as Vjw0rm and GootLoader, rely exclusively on JavaScript, but have done so for some time," Patrick Schläpfer, malware analyst at HP Wolf Security, told Infosecurity. "Currently, we are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction"
Notably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.
With the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.
Describing the ransomware campaign, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.
The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.
For Magniber to access and block files, it needs to be executed on a Windows account with administrator privileges – a level of access which is much more commonplace in personal systems.
“Consumers can protect themselves by following ‘least-privilege’ principles – only logging on with their administrator account when strictly needed, and creating another account for everyday use,” explained Schläpfer. “Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach.”
The company noted that this ransomware does not fall into the category of Big Game Hunting but can still cause significant damage.
"This is not a shift away from big game hunting, but rather demonstrates that not only enterprises are the focus of ransomware groups, but home users as well," Schläpfer said.