Malwarebytes researchers have detected the Magniber ransomware displaying notable improvements as its attacks begin to expand within Asia after previously limiting its activity to South Korea.
The malware has been active since its inception in 2013 and has been distributed worldwide, but it eventually became a private operation that narrowed its focus to a select few Asian countries, according to a July 16 blog post.
In 2017, researchers spotted the Magnitude exploit kit used to deliver Cerber ransomware via a filtering gate known as Magnigate and later that year the exploit kit operator began to distribute its own breed of ransomware dubbed Magniber.
Since then, the malware's authors made significant changes to limit infections to South Korea: Magniber would only install if a specific country code was returned and would otherwise delete itself.
Earlier this year the exploit kit unexpectedly started pushing the ever-growing GandCrab ransomware, shortly after having adopted a fresh Flash zero-day (CVE-2018-4878) in what researchers believe may have been a brief test campaign before Magniber was launched again.
“In early July, we noted exploit attempts happening outside of the typical area we had become used to, for instance in Malaysia,” researchers said in the blog. “At about the same time, a tweet from MalwareHunterTeam mentioned infections in Taiwan and Hong Kong.”
The malware's code had been updated to whitelist more languages, expanding to other Asian languages such as Chinese (Macau, China, Singapore) and Malay (Malaysia, Brunei), researchers added.
The malware also only installs itself if a specific country code is returned and will otherwise delete itself.
Researchers said the changes suggest the authors are professionals despite some mistakes and noted that the exploit kit is one of the longest-serving browser exploitation toolkits among those still in use.
Notably, the malware authors put a lot of effort into obfuscation techniques and are constantly evolving their product.
Researchers also noted some of the more technical advancements of the malware on a functionality level.
“The early versions relied on the AES key downloaded from the CnC server (and in case it was not available, falling back to the hardcoded one, making decryption trivial in such case),” researchers said. “This time, Magniber comes with a public RSA key of the attackers that makes it fully independent from the Internet connection during the encryption process.”
Researchers went on to say that this key is used to protect the unique AES keys used to encrypt files.
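The following Go program is an added illustration of the design change the researchers describe; it is not code from Malwarebytes' analysis or from the malware. It contrasts the two key-management schemes from a recovery standpoint: in the early scheme, a fallback AES key embedded in the binary meant that anyone who extracted that key could decrypt every affected file, whereas in the new scheme each file gets its own random AES key that is wrapped with the attackers' RSA public key, so the extracted symmetric key no longer helps and only the RSA private key unwraps the file key. The article does not state which cipher modes were used; AES-GCM, RSA-OAEP, the 2048-bit key size, the fallback key bytes and the sample plaintext are all assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hardcodedFallbackKey stands in for the embedded fallback AES key of the
// early versions (constructed value, not the real one). An analyst who
// extracts it from a sample can decrypt everything sealed under it.
var hardcodedFallbackKey = []byte("constructed-32-byte-fallback-key") // 32 bytes -> AES-256

// aesGCMSeal encrypts plaintext with AES-GCM and prepends the random nonce.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails if the key or the data is wrong.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Early scheme, CnC unreachable: the hardcoded fallback key is used directly.
func encryptWithFallback(plaintext []byte) ([]byte, error) {
	return aesGCMSeal(hardcodedFallbackKey, plaintext)
}

// Recovery for the early scheme needs nothing but the key pulled from the binary.
func recoverWithExtractedKey(sealed []byte) ([]byte, error) {
	return aesGCMOpen(hardcodedFallbackKey, sealed)
}

// New scheme: a fresh per-file AES key, wrapped with the embedded RSA public
// key (RSA-OAEP assumed). No network contact is needed during encryption.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, sealed []byte, err error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, nil, err
	}
	sealed, err = aesGCMSeal(fileKey, plaintext)
	if err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	return wrappedKey, sealed, err
}

// Recovery for the new scheme is only possible with the RSA private key.
func recoverHybrid(priv *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(fileKey, sealed)
}

// Outcome records which ciphertexts a defender could recover and with what.
type Outcome struct {
	FallbackRecovered         bool // early scheme: the extracted hardcoded key suffices
	HybridRecoveredWithoutKey bool // new scheme: the extracted hardcoded key is useless
	HybridRecoveredWithKey    bool // new scheme: the RSA private key unwraps the file key
}

// Demo runs both schemes over a constructed sample and reports the recovery outcome.
func Demo() (Outcome, error) {
	var out Outcome
	sample := []byte("constructed sample file contents")

	sealed1, err := encryptWithFallback(sample)
	if err != nil {
		return out, err
	}
	if pt, err := recoverWithExtractedKey(sealed1); err == nil && bytes.Equal(pt, sample) {
		out.FallbackRecovered = true
	}

	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the attackers' key pair
	if err != nil {
		return out, err
	}
	wrapped, sealed2, err := encryptHybrid(&priv.PublicKey, sample)
	if err != nil {
		return out, err
	}
	if pt, err := aesGCMOpen(hardcodedFallbackKey, sealed2); err == nil && bytes.Equal(pt, sample) {
		out.HybridRecoveredWithoutKey = true
	}
	if pt, err := recoverHybrid(priv, wrapped, sealed2); err == nil && bytes.Equal(pt, sample) {
		out.HybridRecoveredWithKey = true
	}
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running the program prints `{FallbackRecovered:true HybridRecoveredWithoutKey:false HybridRecoveredWithKey:true}`: the GCM authentication check rejects the extracted fallback key against the hybrid ciphertext, which is exactly why a static key recovered by analysts stops being a decryption path once per-file keys are wrapped with a public key whose private half never leaves the attackers.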