Magniber ransomware using signed APPX files to infect systems


Magniber ransomware has been spotted using Windows application package files (.APPX) signed with valid certificates to drop malware posing as updates for the Chrome and Edge web browsers.

This distribution method marks a departure from the approaches previously seen with this threat actor, which typically relies on exploiting vulnerabilities in Internet Explorer.

Browser update notification

The infection begins with a visit to a website that drops the payload, note researchers at Korean cybersecurity company AhnLab in a report released today.

How victims reach the website remains unclear. The lure could be delivered via phishing emails, links sent in social media instant messages, or other distribution methods.

Two of the URLs distributing the payload are “hxxp://b5305c364336bqd.bytesoh.cam” and “hxxp://hadhill.quest/376s53290a9n2j”, but they may not be the only ones.

Visitors to these sites see an alert telling them to update their Edge or Chrome browser manually and are offered an APPX file to complete the action.

Alert to download the fake Edge update APPX file
Source: ASEC

APPX files are Windows application package files created for easy distribution and installation, and they have been abused in various malware distribution campaigns in the past.

In the case of Magniber ransomware, the disguised APPX file is digitally signed with a valid certificate, so Windows treats it as a trusted file and does not raise a warning.

The threat actor’s choice to use APPX files is most likely driven by the need to reach a wider audience, as Internet Explorer’s market share is shrinking.
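Because the Magniber packages carry a valid signature, a signature check alone passes them, so a defender triaging a suspicious .appx has to look at what the package declares about itself. The helper below is an added example (not code from the ASEC report or from the article): an .appx is a ZIP archive whose AppxManifest.xml states the package identity, publisher and the executables it launches, and the helper flags a package that presents itself as an Edge or Chrome update while naming a publisher other than the browser vendor, or that declares an executable with a random-looking name such as the wjoiyyxzllm.exe mentioned in the report. The sample package it builds, the package name, the publisher string and the TRUSTED_PUBLISHER_MARKERS allowlist are constructed assumptions for the demo.

```python
"""Triage helper for an APPX package that claims to be a browser update.

Added example; not code from the ASEC report or from the article. The sample
package built at the bottom, its publisher string and the allowlist below are
constructed assumptions for the demo.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by the Windows 10 APPX manifest schema.
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# Assumption: organisation names that may legitimately publish Edge/Chrome
# packages. Anything else claiming to be a browser update is flagged.
TRUSTED_PUBLISHER_MARKERS = ("O=Microsoft Corporation", "O=Google LLC")

# Display names that present the package as an Edge or Chrome update.
BROWSER_UPDATE = re.compile(
    r"\b(edge|chrome)\b.*\bupdate\b|\bupdate\b.*\b(edge|chrome)\b", re.IGNORECASE
)


def parse_manifest(appx_bytes: bytes) -> dict:
    """Read identity, publisher, display name and executables from the manifest."""
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as z:
        root = ET.fromstring(z.read("AppxManifest.xml"))
    identity = root.find("m:Identity", NS)
    display = root.findtext("m:Properties/m:DisplayName", default="", namespaces=NS)
    exes = [a.get("Executable", "") for a in root.findall("m:Applications/m:Application", NS)]
    return {
        "name": identity.get("Name", "") if identity is not None else "",
        "publisher": identity.get("Publisher", "") if identity is not None else "",
        "display_name": display,
        "executables": exes,
    }


def looks_random(stem: str) -> bool:
    """Crude heuristic: long all-letter names with very few vowels (like
    wjoiyyxzllm) are unlike the executable names vendors normally ship."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in s)
    return vowels / len(s) <= 0.25


def assess(info: dict) -> list:
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    claims_update = bool(BROWSER_UPDATE.search(info["display_name"]))
    trusted = any(m in info["publisher"] for m in TRUSTED_PUBLISHER_MARKERS)
    if claims_update and not trusted:
        findings.append(
            f"presents as a browser update but publisher is '{info['publisher']}'"
        )
    for exe in info["executables"]:
        stem = exe.rsplit(".", 1)[0]
        if looks_random(stem):
            findings.append(f"declared executable '{exe}' has a random-looking name")
    return findings


def build_sample_appx(name: str, publisher: str, display: str, exe: str) -> bytes:
    """Construct a minimal unsigned .appx in memory for the demo (manifest only,
    no real package content)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<Package xmlns="{NS["m"]}">\n'
        f'  <Identity Name="{name}" Publisher="{publisher}" Version="1.0.0.0" />\n'
        f'  <Properties><DisplayName>{display}</DisplayName></Properties>\n'
        f'  <Applications><Application Id="App" Executable="{exe}" /></Applications>\n'
        '</Package>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: claims to be an Edge update, signed by someone else,
    # and launches an executable with a random-looking name.
    fake = build_sample_appx(
        "EdgeUpdate", "CN=Example Software Ltd, O=Example Software Ltd, C=US",
        "Microsoft Edge Update", "wjoiyyxzllm.exe",
    )
    for finding in assess(parse_manifest(fake)):
        print("FINDING:", finding)
```

Run it against a real package with `parse_manifest(open("update.appx", "rb").read())`; on a real sample, compare the manifest publisher with the certificate subject reported by Windows as well, since the deployment engine requires the two to match and a mismatch is itself worth noting.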

Dropping the payload

Accepting the malicious APPX file results in the creation of two files in the “C:\Program Files\WindowsApps” directory, namely “wjoiyyxzllm.exe” and “wjoiyyxzllm.dll”.

Part of the DLL code responsible for downloading and decoding the payload
Source: ASEC

Together, these files retrieve the Magniber ransomware payload, decode it, and then execute it.
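The exe/dll pair dropped into WindowsApps is something host telemetry can pick up. The script below is an added example (not from the ASEC report or the article) of a hunting query run over file-creation events: it reports an .exe and a .dll sharing a base name, created in the same folder under the WindowsApps directory within a few minutes of each other, which is the pattern described for wjoiyyxzllm.exe and wjoiyyxzllm.dll. The log lines are constructed in a simplified Sysmon Event ID 11 (FileCreate) style; the field layout, package folder names and the five-minute window are assumptions, not real telemetry.

```python
"""Hunt for an executable and DLL dropped together under WindowsApps.

Added example, not code from the ASEC report or the article. The events below
are constructed in a simplified Sysmon Event ID 11 (FileCreate) style; the
field layout and folder names are assumptions.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOWSAPPS = r"C:\Program Files\WindowsApps"

# Constructed sample events: a benign packaged app, the suspicious pair from the
# article, and an unrelated exe/dll pair outside WindowsApps.
EVENTS = r"""
2021-10-21 09:58:10 EventID=11 TargetFilename=C:\Program Files\WindowsApps\Contoso.Notes_1.0.0.0_x64__constructed\notes.exe
2021-10-21 09:58:11 EventID=11 TargetFilename=C:\Program Files\WindowsApps\Contoso.Notes_1.0.0.0_x64__constructed\resources.pri
2021-10-21 10:00:01 EventID=11 TargetFilename=C:\Program Files\WindowsApps\EdgeUpdate_1.0.0.0_x64__constructed\wjoiyyxzllm.exe
2021-10-21 10:00:02 EventID=11 TargetFilename=C:\Program Files\WindowsApps\EdgeUpdate_1.0.0.0_x64__constructed\wjoiyyxzllm.dll
2021-10-21 10:05:00 EventID=11 TargetFilename=C:\Users\alice\Downloads\helper.exe
2021-10-21 10:05:01 EventID=11 TargetFilename=C:\Users\alice\Downloads\helper.dll
""".strip()

LINE = re.compile(r"^(\S+ \S+) EventID=(\d+) TargetFilename=(.+)$")


def parse_events(text: str) -> list:
    """Return (timestamp, path) tuples for FileCreate (ID 11) events only."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(2) == "11":
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)))
    return out


def find_exe_dll_pairs(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Group creations by (folder, base name) under WindowsApps and report the
    names for which both an .exe and a .dll appeared within `window`."""
    seen = defaultdict(dict)  # (folder, stem) -> {extension: first timestamp}
    for ts, path in events:
        folder, filename = ntpath.split(path)
        if not folder.lower().startswith(WINDOWSAPPS.lower()):
            continue
        stem, ext = ntpath.splitext(filename)
        seen[(folder, stem.lower())].setdefault(ext.lower(), ts)
    hits = []
    for (folder, stem), exts in seen.items():
        if ".exe" in exts and ".dll" in exts and abs(exts[".exe"] - exts[".dll"]) <= window:
            hits.append((folder, stem))
    return hits


if __name__ == "__main__":
    for folder, stem in find_exe_dll_pairs(parse_events(EVENTS)):
        print(f"suspicious exe/dll pair: {stem}.exe + {stem}.dll in {folder}")
```

Legitimate packaged apps also install executables and DLLs, so treat a hit as a lead to be checked against the package's publisher and install source rather than as a verdict; pairing this with the manifest publisher check keeps the false-positive rate workable.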

After encrypting the data on the system, the threat creates the following ransom note:

Magniber ransom note dropped on encrypted systems
Source: ASEC

Although the note is in English, it is worth noting that Magniber ransomware exclusively targets users in Asia these days.

At the moment, there is no way to decrypt files locked by this malware for free.

Unlike most ransomware operations, Magniber has not adopted the double extortion tactic, so it does not steal files before encrypting systems.

Backing up data regularly is a good way to recover from attacks by less sophisticated ransomware like Magniber.
