#Magniber #ransomware actors used a variant of #Microsoft #SmartScreen #bypass
Financially motivated threat actors used an unpatched security bypass to deliver ransomware without any security warnings
Proof of Concept: #Malware Delivery via #appx/#msix packages.
In our test case we needed administrative permissions to install the package with putty.exe as our test payload.
We did test it first with a #Wannacry #Ransomware binary, but Windows Defender caught the payload and that didn't look so nice on a screenshot 😅
Our .appx demo package is based on an in-the-wild sample of #Magniber #Ransomware that was signed with a stolen signature (Jan 2022). With this change in Windows 11 it is now possible to install unsigned appx packages (given required perms).
https://twitter.com/f0wlsec/status/1481338661824307204
Detection opportunities:
- Execution out of C:\Program Files\WindowsApps\
- Looking for the special OID documented by Microsoft here: https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
We are going to publish our #Yara rules for this tomorrow, stay tuned.
#malware #appx #wannacry #ransomware #Magniber #yara
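The two detection opportunities above can be checked mechanically. The following Python is an added example written for this page, not code from the original posts or from the SIFalcon repository: it opens an .appx/.msix package (a zip archive), reads its AppxManifest.xml and tests whether the Identity's Publisher carries the unsigned-package OID from the Microsoft page linked above, and separately scans process-creation log lines for images launched from C:\Program Files\WindowsApps\. The OID constant is taken from that Microsoft documentation and should be confirmed against it; the sample package, manifest and log lines are constructed for the demo.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OID that Microsoft's unsigned-package documentation (linked above) requires in the
# Publisher field of an unsigned package's identity. Verify against that page.
UNSIGNED_PACKAGE_OID = "2.25.311729368913984317654407730594956997722"

# Default namespace used by Windows 10/11 package manifests.
MANIFEST_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Detection opportunity 1: execution out of the WindowsApps directory.
WINDOWSAPPS_RE = re.compile(r"^c:\\program files\\windowsapps\\", re.IGNORECASE)


def manifest_publisher(manifest_xml: bytes) -> str:
    """Return the Publisher attribute of the manifest's Identity element."""
    root = ET.fromstring(manifest_xml)
    identity = root.find(f"{MANIFEST_NS}Identity")
    if identity is None:
        raise ValueError("manifest has no Identity element")
    return identity.get("Publisher", "")


def is_unsigned_package_manifest(manifest_xml: bytes) -> bool:
    """Detection opportunity 2: the special OID marking an unsigned package."""
    publisher = manifest_publisher(manifest_xml).replace(" ", "")
    return f"OID.{UNSIGNED_PACKAGE_OID}=1" in publisher


def package_has_unsigned_marker(package_bytes: bytes) -> bool:
    """Open an .appx/.msix (zip) in memory and inspect its AppxManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        with pkg.open("AppxManifest.xml") as manifest:
            return is_unsigned_package_manifest(manifest.read())


def windowsapps_executions(log_lines):
    """Return image paths from 'Image: <path>' log fields that live under WindowsApps."""
    hits = []
    for line in log_lines:
        match = re.search(r"Image:\s*(.+?)(?:\s{2,}|$)", line)
        if match and WINDOWSAPPS_RE.match(match.group(1)):
            hits.append(match.group(1))
    return hits


def build_sample_package(publisher: str) -> bytes:
    """Constructed sample package: a zip holding only a minimal AppxManifest.xml."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">\n'
        f'  <Identity Name="Constructed.Sample" Version="1.0.0.0" Publisher="{publisher}" '
        'ProcessorArchitecture="x64"/>\n'
        "</Package>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()


# Constructed process-creation log lines (Sysmon-like "Image:" fields), not real telemetry.
SAMPLE_LOG = [
    "ProcessCreate  Image: C:\\Windows\\System32\\notepad.exe  CommandLine: notepad.exe",
    "ProcessCreate  Image: C:\\Program Files\\WindowsApps\\Constructed.Sample_1.0.0.0_x64__abc123\\putty.exe  CommandLine: putty.exe",
]

if __name__ == "__main__":
    unsigned = build_sample_package(
        f"CN=Constructed Sample, OID.{UNSIGNED_PACKAGE_OID}=1"
    )
    signed_style = build_sample_package("CN=Constructed Sample")
    print("unsigned marker present:", package_has_unsigned_marker(unsigned))
    print("unsigned marker present:", package_has_unsigned_marker(signed_style))
    print("WindowsApps executions:", windowsapps_executions(SAMPLE_LOG))
```

Both checks are cheap enough to run over every package seen on an endpoint or every process-creation event; note that legitimate Store apps also run out of WindowsApps, so the path check is a triage signal to be combined with the OID check or with the package's publisher, not a verdict on its own.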
Picking up where we left off yesterday: We created two #Yara rules for the #Magniber #Ransomware delivery method. You can find them in our GitHub Repository and on @abuse_ch Yaraify ⬇️ Have a nice weekend and happy hunting 🔍
https://github.com/SIFalcon/Detection/tree/main/Yara/Malware
https://yaraify.abuse.ch/yarahub/rule/RANSOM_Magniber_ISO_Jan23/
https://yaraify.abuse.ch/yarahub/rule/RANSOM_Magniber_LNK_Jan23/
#Magniber #Ransomware is continuing to spread fake Windows Update installers (.msi), but since yesterday the threat actors are also distributing .iso archives instead of .zip files. You can find our brief analysis of the msi and the lnk file below ⬇️
AvastThreatLabs first reported on the .zip file distribution yesterday: https://twitter.com/AvastThreatLabs/status/1613248553626787842
IoC:
- 5G offer.lnk: 5ab873527a526cd4ea2bead2b302b38a
- 5G-Installer: 126f77e151529eeb3b2f42c49691e9c0
- Binary.UpdateBinary: 10ccc8f56a2894d18d71f9f32a923aa7
- iso: fedb6673626b89a9ee414a5eb642a9d9
We uploaded the samples mentioned above to @abuse_ch Malware Bazaar, have fun :)
"Microsoft patches Windows zero-day used to drop ransomware"
#SmartScreen #0day #vulnerability #CVE-2022-44698
#exploit #Magniber #ransomware #malware
Something interesting with #Magniber ransomware delivery.
Seeing the previous #MagnitudeEK URI pattern again (sub domains).
#Malvertising #Magniber #Ransomware
halldie[.]fit
perwish[.]email
209.94.59[.]32
Dangerous security updates (#Sicherheitsupdates): a supposed security update for Windows 10 contains the #Magniber ransomware, which is smuggled into users' systems through the installation.
The ransomware encrypts the user data & demands a ransom. More info:
#PrintNightmare: insecure printing persists, despite #Microsoft's recent patches!
#securite #ransomware #Magniber #patchtuesday #miseajour #PoC