The Magniber ransomware has been observed being distributed as malware disguised as Chrome and Edge browser updates, delivered as Windows application package (.APPX) files signed with valid certificates. This distribution technique departs from the threat actor's past tactics, which generally relied on Internet Explorer exploits.
According to a report by researchers at the Korean cybersecurity firm AhnLab, the infection starts with a visit to a website that drops the payload. How victims reach that website is not known; phishing emails, links shared through social-network instant messages, and other distribution channels could all be used to deliver the lure.
Two of the URLs observed serving the payload are “hxxp://b5305c364336bqd.bytesoh.cam” and “hxxp://hadhill.quest/376s53290a9n2j”, although they may not be the only ones. Visitors to these sites are told that their Edge or Chrome browser needs a manual update and are offered an APPX file to install it.
APPX is the Windows application package format, designed for easy distribution and installation, and it has been abused before by a variety of threat actors to deliver malware. Because the Magniber APPX is digitally signed with a valid certificate, Windows treats the package as trusted and installs it without the warning an unsigned package would trigger. A valid signature only proves that the package has not been modified since it was signed; it says nothing about whether the signer is the vendor the package pretends to come from. The threat actor's move to APPX files is most likely motivated by a desire to reach a larger audience now that Internet Explorer's market share is declining.
Installing the malicious APPX creates two files, “wjoiyyxzllm.exe” and “wjoiyyxzllm.dll”, in the “C:\Program Files\WindowsApps” directory. Together they download, decode, and execute the Magniber ransomware payload. There is currently no free decryptor for files encrypted by this malware.
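The two points above, that a valid signature does not vouch for who the signer is and that the package drops an executable with a random-looking name, can both be checked offline before a package is installed. An APPX is a ZIP archive whose AppxManifest.xml declares the package identity (Name, Publisher), the DisplayName shown to the user and the executable each Application entry launches, and whose AppxSignature.p7x holds the signature blob. The following Python is an added example written for this article, not code from AhnLab or from the reporting; the expected-publisher allow-list, the "Example Signer Ltd" identity, the sample manifest and the random-name heuristic are all constructed or assumed for illustration.

```python
"""Offline triage of an APPX/MSIX package (added example, not the article's code).

An APPX is a ZIP archive. AppxManifest.xml declares the package identity and
the executable(s) launched; AppxSignature.p7x carries the signature. This
script reads the manifest and flags packages whose display name claims to be
a browser update while the Publisher is not the expected vendor identity.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Assumed allow-list (illustrative, not verified by the article): the Publisher
# a package presenting itself as one of these browsers is expected to carry.
# The Microsoft string is the publisher used on Microsoft Store packages; the
# Google string is a placeholder for demonstration.
EXPECTED_PUBLISHERS = {
    "edge": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
    "chrome": "CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US",
}

VOWELS = set("aeiou")


def parse_manifest(appx_bytes: bytes) -> dict:
    """Extract identity, display name, launched executables and whether a
    signature blob is present. Presence of AppxSignature.p7x is NOT validity;
    verify the signature with signtool or Get-AuthenticodeSignature."""
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as zf:
        root = ET.fromstring(zf.read("AppxManifest.xml"))
        has_sig = "AppxSignature.p7x" in zf.namelist()
    identity = root.find(MANIFEST_NS + "Identity")
    display = root.findtext(f"{MANIFEST_NS}Properties/{MANIFEST_NS}DisplayName", default="")
    exes = [app.get("Executable", "") for app in root.iter(MANIFEST_NS + "Application")]
    return {
        "name": identity.get("Name"),
        "publisher": identity.get("Publisher"),
        "display_name": display,
        "executables": exes,
        "has_signature": has_sig,
    }


def looks_generated(exe_name: str) -> bool:
    """Heuristic (assumed, not from the article): a long all-letter stem with
    few vowels, such as 'wjoiyyxzllm.exe', reads like a generated file name."""
    stem = exe_name.rsplit(".", 1)[0].lower()
    if len(stem) < 10 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return vowel_ratio < 0.3


def triage(appx_bytes: bytes) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    info = parse_manifest(appx_bytes)
    findings = []
    claimed = [b for b in EXPECTED_PUBLISHERS if b in info["display_name"].lower()]
    for browser in claimed:
        if info["publisher"] != EXPECTED_PUBLISHERS[browser]:
            findings.append(
                f"display name claims {browser} but Publisher is {info['publisher']!r}"
            )
    for exe in info["executables"]:
        if looks_generated(exe):
            findings.append(f"launched executable has a random-looking name: {exe}")
    if not info["has_signature"]:
        findings.append("no AppxSignature.p7x: unsigned package")
    return findings


# Constructed sample manifest mimicking the lure described in the article:
# presents as an Edge update, launches a random-looking executable, and is
# published under a hypothetical identity that is not Microsoft's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="MicrosoftEdgeUpdate"
            Publisher="CN=Example Signer Ltd, O=Example Signer Ltd, C=GB"
            Version="1.0.0.0"/>
  <Properties>
    <DisplayName>Microsoft Edge Update</DisplayName>
    <PublisherDisplayName>Example Signer Ltd</PublisherDisplayName>
  </Properties>
  <Applications>
    <Application Id="App" Executable="wjoiyyxzllm.exe"
                 EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>
"""


def build_sample_appx(manifest_xml: str, signed: bool = False) -> bytes:
    """Assemble a minimal APPX (a ZIP) in memory for testing. The optional
    signature entry is a dummy placeholder so the presence check can be
    exercised; it is not a real PKCS#7 signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", manifest_xml)
        zf.writestr("wjoiyyxzllm.exe", b"MZ")  # constructed stand-in, not malware
        if signed:
            zf.writestr("AppxSignature.p7x", b"PKCX")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage(build_sample_appx(SAMPLE_MANIFEST, signed=True)):
        print("FLAG:", finding)
```

Run against a real package by passing the bytes of the .appx file to `triage()`. The script deliberately stops at "is the Publisher who the display name implies" and "does the launched binary look generated"; whether the signature itself chains to a trusted root is a job for the platform (`signtool verify /pa` or `Get-AuthenticodeSignature`), and a package that passes that check can still fail this one, which is exactly the gap the Magniber lure exploits.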
Unlike many other ransomware families, Magniber does not use double extortion: it does not exfiltrate files before encrypting systems. Regular backups, kept where the ransomware cannot reach them, therefore remain an effective way to recover from an attack by a comparatively low-tier ransomware such as Magniber.