The Magniber group of online extortionists has returned to Europe. Security researchers have detected a wave of attacks on Twitter.
Magniber uses a wide range of attack methods to achieve its goals, but its favorite tactic is malvertising. This time, the ransomware was detected on Twitter. So far, users in France, Italy, and Denmark have fallen victim to it. The ransom instructions direct users to find the READM.html file on their device, which describes how to unlock their files: by paying a ransom for the decryption key.
The malicious advertisement prompts the user to download a ZIP file with a fake Microsoft Software Installer (MSI) that masquerades as an important security update. This is very similar to the malvertising attack technique documented by the BlackBerry Research and Intelligence Team in a 2021 report.
The Magniber PrintNightmare infection process begins when a victim clicks on a malicious advertisement, which delivers the DLL loader to the target machine.
The loader decompresses itself and drops a malicious payload that injects itself into legitimate Windows processes, such as taskhost.exe (the host process for EXE and DLL files) and dwm.exe (the Desktop Window Manager, which renders visual effects on the desktop). In 2021, Magniber attacked South Korea and other countries in the Asia-Pacific region using Windows Print Spooler vulnerabilities.
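The chain above (a user-launched fake MSI whose child process injects into dwm.exe or taskhost.exe) is the kind of behaviour a detection engineer would correlate rather than waiting for the ransom note. The following is an added example, not code from the article or from BlackBerry; the telemetry records, process IDs and the "SecurityUpdate.msi" file name are constructed and only loosely mirror Sysmon event IDs 1 (process create) and 8 (CreateRemoteThread).

```python
# Toy correlation: flag CreateRemoteThread into dwm.exe/taskhost.exe when the
# source process descends from an msiexec.exe that a user launched from Explorer.
# All records below are constructed sample telemetry, not captured data.
EVENTS = [
    {"id": 1, "pid": 400, "image": "C:\\Windows\\explorer.exe", "ppid": 1},
    {"id": 1, "pid": 512, "image": "C:\\Windows\\System32\\msiexec.exe", "ppid": 400,
     "cmdline": 'msiexec /i "C:\\Users\\u\\Downloads\\SecurityUpdate.msi"'},  # constructed name
    {"id": 1, "pid": 640, "image": "C:\\Windows\\System32\\rundll32.exe", "ppid": 512},
    {"id": 8, "src_pid": 640, "target_image": "C:\\Windows\\System32\\dwm.exe"},
    # Benign noise: service-initiated MSI and an unrelated remote thread.
    {"id": 1, "pid": 700, "image": "C:\\Windows\\System32\\msiexec.exe", "ppid": 1},
    {"id": 8, "src_pid": 9, "target_image": "C:\\Windows\\System32\\svchost.exe"},
]

INJECTION_TARGETS = {"dwm.exe", "taskhost.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_injections(events):
    """Return (source_pid, target_image) pairs where a process descended from a
    user-launched msiexec.exe creates a remote thread in an injection target."""
    parent, image = {}, {}
    for e in events:
        if e["id"] == 1:
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = basename(e["image"])

    def descends_from_user_msi(pid):
        # Walk the ancestry; a loop guard protects against cyclic/partial data.
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            if image[pid] == "msiexec.exe" and image.get(parent[pid]) == "explorer.exe":
                return True
            pid = parent[pid]
        return False

    hits = []
    for e in events:
        if e["id"] != 8:
            continue
        target = basename(e["target_image"])
        if target in INJECTION_TARGETS and descends_from_user_msi(e["src_pid"]):
            hits.append((e["src_pid"], target))
    return hits


if __name__ == "__main__":
    print(find_suspicious_injections(EVENTS))
```

The service-launched msiexec.exe and the svchost.exe thread are deliberately left unflagged so the rule keys on the user-initiated installer chain rather than on msiexec.exe alone.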
After the threat was discovered, BlackBerry’s lead researcher Dmitry Bestuzhev tested the malware with Cylance’s AI-based security tools. According to him, the machine learning-based security tool effectively dealt with the threat.
“When working on a threat model and ransomware, never focus solely on the final payload. The idea is to detect attackers in their early stages, such as during initial access and network reconnaissance.”
BlackBerry customers can use CylancePROTECT, an AI-powered endpoint security product, as well as CylanceGUARD, a managed detection and response (MDR) platform that mitigates risks posed by attackers such as those behind Magniber ransomware. The company recommends adding contextual ad blockers as a simple method to help reduce the risk of malware infection.