Security researchers are reporting a new malicious campaign against Windows devices: the ransomware known as “Magniber” is being spread as fake security updates delivered as JavaScript files.

The attackers spread the malware through rogue websites that present it as a legitimate antivirus update or a critical operating system patch. Visitors were prompted to download a ZIP archive which, once extracted, contained a JavaScript file posing as an important Windows or antivirus software update.

Threat actors previously used MSI and EXE files to spread Magniber ransomware, but appear to have switched to JavaScript files since September 2022.

“The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk,” says HP’s Threat Research team. “This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system.”

Once launched, the script injects malicious code into another process and uses it as a host to run further commands, such as deleting Volume Shadow Copies, disabling Windows’ backup and recovery features, and ultimately encrypting the victim’s files.
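As an added example (not code from the original post or from HP’s report), the following PowerShell flags process command lines that match the backup-tampering behaviour described above. The page does not list the exact commands Magniber runs; the patterns are an assumption covering the Windows utilities commonly abused to delete shadow copies and disable recovery, and the event records are constructed samples in the shape of Security event 4688 / Sysmon event 1 fields.

```powershell
# Added example: detect shadow-copy deletion and recovery tampering in process
# command lines. Patterns are generic ransomware tells, not Magniber-specific
# indicators from the page; tune them for your estate.

$TamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',        # delete Volume Shadow Copies
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',  # shrink storage so copies are purged
    'wmic(\.exe)?\s+shadowcopy\s+delete',         # same via WMI command line
    'Win32_ShadowCopy',                           # WMI class used from scripts
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no',   # disable Windows Recovery Environment
    'bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)'  # delete Windows Backup catalog
)

function Test-BackupTamperingCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # -match is case-insensitive by default, which is what we want for "No"/"no".
    foreach ($pattern in $TamperPatterns) {
        if ($CommandLine -match $pattern) { return $true }
    }
    return $false
}

# Constructed sample records (not real telemetry) with the fields we care about.
$SampleEvents = @(
    [pscustomobject]@{ Time='2022-10-03 09:12:01'; Parent='wscript.exe';  CommandLine='cmd.exe /c vssadmin.exe delete shadows /all /quiet' },
    [pscustomobject]@{ Time='2022-10-03 09:12:02'; Parent='cmd.exe';      CommandLine='bcdedit.exe /set {default} recoveryenabled No' },
    [pscustomobject]@{ Time='2022-10-03 09:12:03'; Parent='cmd.exe';      CommandLine='wbadmin.exe delete catalog -quiet' },
    [pscustomobject]@{ Time='2022-10-03 09:15:44'; Parent='explorer.exe'; CommandLine='notepad.exe C:\Users\user\notes.txt' }
)

# Only the first three sample lines are reported; the notepad line is benign.
$SampleEvents |
    Where-Object { Test-BackupTamperingCommand -CommandLine $_.CommandLine } |
    Format-Table Time, Parent, CommandLine -AutoSize
```

To run this over live data, feed the CommandLine field of Sysmon event 1 (`Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}`) or of Security event 4688 with command-line auditing enabled into `Test-BackupTamperingCommand`. On a workstation, `vssadmin`, `bcdedit` or `wbadmin` with these arguments is rarely legitimate, and a script-host parent such as `wscript.exe` in the chain is the context that matches this campaign’s delivery.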

Magniber bypasses User Account Control (UAC) to gain elevated privileges and run these commands without showing the victim a prompt. The bypass only works if the logged-in user has an Administrator account or is a member of the Administrators group; on a standard user account this step fails.

Once the malware has admin privileges, it enumerates the files on the compromised device, compares their extensions against a built-in list, and encrypts the files that match. When encryption is finished, Magniber drops a ransom note in every directory that holds an encrypted file and opens it for the victim in a web browser.

To mitigate Magniber attacks, users should not download software updates from unknown sources (Windows and antivirus updates arrive through the product’s own update mechanism, never as a ZIP archive from a website), keep regular backups (offline or cold backups are better still, because the malware deletes shadow copies and disables the built-in recovery features), and do day-to-day work from a standard user account rather than an administrator account, since the UAC bypass depends on administrator group membership.
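As an added example (not code from the original post or from HP’s report), the following PowerShell reports the conditions that make a workstation exposed to the delivery chain described above: whether the interactive user is a local administrator, whether UAC is set to “Always notify” (the level at which auto-elevation bypasses stop working), whether Windows Script Host will run a double-clicked .js file at all, and which program is registered to open .js files. The registry paths are standard Windows locations; the `ExposedToThisChain` verdict combines them and is this example’s own assumption, not a check from the page.

```powershell
# Added example: summarise exposure to a JavaScript-delivered ransomware lure.
# Run in a normal, non-elevated PowerShell session as the user who browses the web.

function Get-MagniberExposure {
    # 1. Is the interactive user a local administrator? `whoami /groups` still lists
    #    S-1-5-32-544 (BUILTIN\Administrators) in a UAC-filtered token, which is
    #    exactly the token a UAC bypass turns into full admin rights.
    $isLocalAdmin = [bool]((whoami /groups) -match 'S-1-5-32-544')

    # 2. UAC prompt level. Bypasses that abuse auto-elevating binaries only work
    #    below "Always notify" (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1);
    #    the Windows default is 5/1.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacEnabled   = $uac.EnableLUA -eq 1
    $alwaysNotify = ($uac.ConsentPromptBehaviorAdmin -eq 2) -and ($uac.PromptOnSecureDesktop -eq 1)

    # 3. Can a double-clicked .js file run at all? Windows Script Host is enabled
    #    unless the "Enabled" value is set to 0 (machine-wide or per user).
    $wshMachine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
    $wshUser    = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
    $wshEnabled = -not (($wshMachine.Enabled -eq 0) -or ($wshUser.Enabled -eq 0))

    # 4. What opens .js files? The default handler is WScript.exe; pointing it at
    #    notepad.exe neutralises the lure without disabling WSH for other scripts.
    $jsHandler    = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command' -ErrorAction SilentlyContinue).'(default)'
    $jsRunsViaWsh = [bool]($jsHandler -match 'wscript|cscript')

    [pscustomobject]@{
        User                = "$env:USERDOMAIN\$env:USERNAME"
        IsLocalAdmin        = $isLocalAdmin
        UacEnabled          = $uacEnabled
        UacAlwaysNotify     = $alwaysNotify
        WshEnabled          = $wshEnabled
        JsFileHandler       = $jsHandler
        JsRunsViaScriptHost = $jsRunsViaWsh
        # Assumed verdict: the script would execute, and a bypass could hand it admin rights.
        ExposedToThisChain  = $wshEnabled -and $jsRunsViaWsh -and $isLocalAdmin -and (-not $alwaysNotify)
    }
}

Get-MagniberExposure | Format-List
```

The `IsLocalAdmin` check is the one most worth acting on: moving daily use to a standard account removes the path to elevation entirely, whereas raising UAC to “Always notify” only blocks the auto-elevation family of bypasses. The WSH and handler checks cover the delivery step; a .js lure that opens in Notepad does nothing.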

___

If this information is helpful to you, read our blog for more useful content, tips, and guidelines on similar topics. Contact the COMPUTER 2000 Bulgaria team if you have a specific question; our specialists will assist you with your query.

Content curated by the team of COMPUTER 2000 on the basis of marketing materials provided by our partners/vendors.
