Cybercriminals Mask Ransomware as Web Browser Updates to Attack Victims: How to Avoid Them

A cybersecurity firm has revealed that cybercriminals are targeting Microsoft users with the Magniber ransomware, disguised as an update for web browsers such as Microsoft Edge and Google Chrome.

The ransomware was first seen being distributed through vulnerabilities in Internet Explorer, Microsoft's older web browser, which the attackers exploited for years to deploy it on PCs in South Korea and steal the private information stored on them.

How Does This Work

According to NotebookCheck.net, the attackers disguised the Magniber ransomware as a legitimate application package file (.appx) for Microsoft Edge and Google Chrome, with a "valid" certificate included inside the package.

According to Malwarebytes, the .appx file can be picked up after a user visits an ad-heavy website and is served a malicious online ad.

The advertisement redirects the user to "Magnigate," which runs IP address and browser checks to determine whether the PC will be attacked.

If the PC fits the "criteria," Magnigate redirects it to an exploit kit landing page, which chooses an attack from its "collection" depending on the information the "gate" collected. In this case, the landing page delivers the disguised Magniber ransomware.

Once the malware appears in the browser as an update notification, Windows treats it as a legitimate, trusted application because of the included certificate, prompting the target PC to download it automatically in order to "update" the browser.

Once the .appx is installed, it creates two files in a nondescript path inside the WindowsApps folder under Program Files on the PC's local disk: wjoiyyxzllm.dll and wjoiyyxzllm.exe.

According to a post on ASEC's website, wjoiyyxzllm.exe loads wjoiyyxzllm.dll and executes a specific function, mbenooj. The DLL also downloads the ransomware's encoded payload, which it then decodes in the PC's memory.

The malware, running through wjoiyyxzllm.exe, then encrypts the files on the target PC and creates a ransom note demanding that the user pay to have them restored.
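As an added illustration of how a defender might hunt for the chain just described (example code written for this article, not anything published by Malwarebytes, ASEC or Microsoft): a process running out of the WindowsApps folder that loads a DLL of the same name from its own package directory, with a random-looking file name such as wjoiyyxzllm, is the pattern the article reports. The telemetry records below are constructed and modelled loosely on Sysmon-style ProcessCreate (ID 1) and ImageLoad (ID 7) events; the package directory names, PIDs and field layout are assumptions for the example.

```python
"""Hunt for a Magniber-style exe/dll pair inside a WindowsApps package.

Constructed example for this article. Event records imitate Sysmon-style
ProcessCreate (id 1) and ImageLoad (id 7) telemetry; field names, PIDs and
package directory names are assumptions, not values from the article.
"""
import re
from pathlib import PureWindowsPath

WINDOWSAPPS = PureWindowsPath(r"C:\Program Files\WindowsApps")
VOWELS = set("aeiou")

# Constructed telemetry: a Store app loading a system DLL, a benign app whose
# exe and dll share a name (common for .NET apps), and the chain from the article.
EVENTS = [
    {"id": 1, "pid": 4100, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\WindowsApps\Contoso.Calc_1.0.0.0_x64__abcdefghijklm\CalcApp.exe"},
    {"id": 7, "pid": 4100,
     "image": r"C:\Program Files\WindowsApps\Contoso.Calc_1.0.0.0_x64__abcdefghijklm\CalcApp.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 1, "pid": 4300, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\WindowsApps\Contoso.Notes_2.1.0.0_x64__abcdefghijklm\NotesApp.exe"},
    {"id": 7, "pid": 4300,
     "image": r"C:\Program Files\WindowsApps\Contoso.Notes_2.1.0.0_x64__abcdefghijklm\NotesApp.exe",
     "loaded": r"C:\Program Files\WindowsApps\Contoso.Notes_2.1.0.0_x64__abcdefghijklm\NotesApp.dll"},
    # The fake browser-update package; directory name is a placeholder.
    {"id": 1, "pid": 5216, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\WindowsApps\Fake.EdgeUpdate_1.0.0.0_x64__zzzzzzzzzzzzz\wjoiyyxzllm.exe"},
    {"id": 7, "pid": 5216,
     "image": r"C:\Program Files\WindowsApps\Fake.EdgeUpdate_1.0.0.0_x64__zzzzzzzzzzzzz\wjoiyyxzllm.exe",
     "loaded": r"C:\Program Files\WindowsApps\Fake.EdgeUpdate_1.0.0.0_x64__zzzzzzzzzzzzz\wjoiyyxzllm.dll"},
]


def under_windowsapps(path: str) -> bool:
    """True if the path lies below the WindowsApps package root (case-insensitive)."""
    try:
        PureWindowsPath(path).relative_to(WINDOWSAPPS)
        return True
    except ValueError:
        return False


def looks_machine_generated(stem: str) -> bool:
    """Cheap heuristic for names like 'wjoiyyxzllm': long, all lowercase
    letters, and vowel-poor. Real product names usually fail at least one."""
    if len(stem) < 8 or not re.fullmatch(r"[a-z]+", stem):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return vowel_ratio < 0.3


def find_same_stem_pairs(events):
    """Return one finding per ImageLoad where a process running from WindowsApps
    loads a DLL with the same base name from its own package directory."""
    procs = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] != 7:
            continue
        exe = PureWindowsPath(procs.get(e["pid"], e["image"]))
        dll = PureWindowsPath(e["loaded"])
        if not under_windowsapps(str(exe)):
            continue
        if dll.suffix.lower() != ".dll" or dll.parent != exe.parent:
            continue
        if dll.stem.lower() != exe.stem.lower():
            continue
        reasons = ["exe/dll pair with identical name inside a WindowsApps package"]
        if looks_machine_generated(exe.stem):
            reasons.append("random-looking file name")
        findings.append({"pid": e["pid"], "package_dir": exe.parent.name,
                         "file_stem": exe.stem, "reasons": reasons})
    return findings


def high_confidence(findings):
    """Keep only findings that also trip the random-name heuristic; the bare
    same-name pair is too common among legitimate .NET apps to alert on alone."""
    return [f for f in findings if len(f["reasons"]) > 1]


if __name__ == "__main__":
    for f in high_confidence(find_same_stem_pairs(EVENTS)):
        print(f"pid {f['pid']}: {f['file_stem']}.exe/.dll in {f['package_dir']} "
              f"-> {'; '.join(f['reasons'])}")
```

The same-name check by itself is a weak signal, since many legitimate packaged .NET applications ship an apphost exe beside a managed DLL of the same name; the random-name heuristic and, in a real deployment, the package publisher and signing chain are what turn the pair into something worth investigating.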

This is not the first time this malware has plagued the PCs of unsuspecting victims, especially in South Korea.

In March 2021, ASEC detected Magniber being distributed via the CVE-2021-26411 vulnerability in Internet Explorer; the attackers later switched to the CVE-2021-40444 vulnerability.

When the vulnerability is exploited, a calc.inf file is created in the victim's System Drivers folder. Once the files are on the system, the malware runs through a control.exe file.

How to Avoid Them

The best prevention PC users can practice against malware attacks, including Magniber, according to Digital Information World, is to not click the "Download" button when a suspicious update installation prompt appears in their web browser.

Also, according to Metacompliance, they need to install a firewall, which prevents such attacks by blocking unauthorized access to or from a private computer network, as well as anti-virus software to detect and clean these malware programs.

In addition to installing them, they also need to update the anti-virus software regularly to stop attackers from gaining access to their system through vulnerabilities in older, outdated software.

Finally, they must back up their files regularly so that, if a cyberattack happens, they can still retrieve all of their valuable data and files, mitigating the damage and avoiding being held hostage by a ransomware attack.

© 2024 Game & Guide All rights reserved. Do not reproduce without permission.