After spending nine months targeting only South Korean users, the Magniber ransomware has expanded its targeting and is now also capable of infecting users whose PC language setting is Chinese (China, Macau, Singapore) or Malay (Malaysia, Brunei).
The change was first spotted on July 5 by independent security researcher MalwareHunter. Bleeping Computer and several other security researchers have been tracking the issue since.
After long time targeting only South Korea, Magniber ransomware is now a global threat.
In past days we have seen multiple victims from both Taiwan and Hong Kong, and a few from some other countries.
— MalwareHunterTeam (@malwrhunterteam) July 5, 2018
Historically, the Magniber ransomware encrypted files only on machines located in South Korea and configured with a Korean PC language setting. But South Korean users were often infected while traveling abroad, or while using proxies with a South Korean IP address.
Such sightings have produced false alarms in the past, when security researchers saw a few victims outside the country and concluded that Magniber had expanded beyond South Korea.
Expansion outside South Korea confirmed
But this time, it appears to be true. The research team from Malwarebytes has recently discovered important changes in the delivery and the binary of this ransomware.
The US-based antivirus maker says it confirmed changes in the Magniber code consistent with a new targeting system that goes after other users besides South Koreans.
Furthermore, the entire source code is now of a higher quality, two Malwarebytes researchers wrote today in a technical analysis.
“Its source code is now more refined, leveraging various obfuscation techniques and no longer dependent on a Command and Control server or hardcoded key for its encryption routine,” the two said.
Magnitude EK has also changed
The reasons for these changes are unknown, but they also affected the Magnitude exploit kit, which has been the only source of Magniber infections in the past nine months. The “magni” in Magniber comes from Magnitude due to their close connection.
Prior to Magniber, this same exploit kit has been infecting users with the Cerber ransomware, a strain that targeted users all over the world.
Magnitude delivering a new and improved Magniber version suggests that the ransomware is now at the same level of “quality” as the earlier Cerber versions, and we may slowly see it expand to more and more countries.
New Magniber campaign uses former IE zero-day
According to Malwarebytes, the recent Magnitude exploit kit campaigns seen deploying this new and improved Magniber version have utilized an Internet Explorer zero-day (CVE-2018-8174, in the VBScript engine) discovered in April, patched in May, and adopted by other exploit kits by June.
As we explained in a previous story, exploit kits are largely ineffective against modern browsers, so users running an up-to-date non-Microsoft browser should be safe from these attacks.
Users whose files were encrypted by this recent Magniber version can identify it by the “.dyaaghemy” extension appended to locked files. At the time of writing, there is no known method to recover files encrypted by Magniber.
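Two things a responder would want from this report in code form: which Windows UI language settings fall inside the expanded target list, and a quick way to triage a host for the “.dyaaghemy” extension. The script below is an added example, not Magniber's code and not part of the Malwarebytes analysis. The language IDs are the standard Windows LCIDs for the locales the article names; treating them as the malware's allowlist is an assumption drawn from that country list, and the exact set checked inside the binary is not on the page. The victim directory tree it scans is constructed in a temp folder so it runs offline.

```python
"""Triage helpers for the updated Magniber build described in the article.

Added example, not Magniber's code or Malwarebytes' analysis. Language IDs are
standard Windows LCIDs; mapping them to the malware's allowlist is an assumption
drawn from the article's country list.
"""
import os
import sys
import tempfile
from typing import Dict, List, Optional

MAGNIBER_EXT = ".dyaaghemy"   # extension the new build appends (from the article)

KOREAN_LCIDS = {0x0412}       # ko-KR: the only target of the earlier builds
NEW_TARGET_LCIDS = {          # locales the article says the updated build also accepts
    0x0804,  # zh-CN  Chinese (China)
    0x1404,  # zh-MO  Chinese (Macau)
    0x1004,  # zh-SG  Chinese (Singapore)
    0x043E,  # ms-MY  Malay (Malaysia)
    0x083E,  # ms-BN  Malay (Brunei)
}


def targeting_generation(lcid: int) -> str:
    """Which Magniber generation would treat this UI language ID as in scope."""
    if lcid in KOREAN_LCIDS:
        return "original and updated"
    if lcid in NEW_TARGET_LCIDS:
        return "updated only"
    return "not targeted"


def current_ui_lcid() -> Optional[int]:
    """Read the user UI language the way a locale-gated payload would (Windows only)."""
    if sys.platform != "win32":
        return None
    import ctypes
    return ctypes.windll.kernel32.GetUserDefaultUILanguage()


def original_name(encrypted_name: str) -> str:
    """Strip the Magniber extension to recover the pre-encryption file name."""
    if encrypted_name.lower().endswith(MAGNIBER_EXT):
        return encrypted_name[: -len(MAGNIBER_EXT)]
    return encrypted_name


def find_encrypted_files(root: str) -> Dict[str, List[str]]:
    """Map each directory under root (relative path) to the encrypted files in it."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        matched = sorted(f for f in files if f.lower().endswith(MAGNIBER_EXT))
        if matched:
            hits[os.path.relpath(dirpath, root)] = matched
    return hits


def summarize(hits: Dict[str, List[str]]) -> Dict[str, int]:
    """Counts a responder would put in the first incident note."""
    return {
        "directories_hit": len(hits),
        "files_encrypted": sum(len(v) for v in hits.values()),
    }


def run_demo() -> Dict[str, object]:
    """Build a constructed victim tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="magniber_demo_")
    layout = {  # constructed sample, not real victim data
        "Documents": ["report.docx.dyaaghemy", "budget.xlsx.dyaaghemy", "README.txt"],
        os.path.join("Pictures", "2018"): ["trip.jpg.dyaaghemy"],
        "Downloads": ["setup.exe"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\x00" * 16)
    hits = find_encrypted_files(root)
    return {
        "hits": hits,
        "summary": summarize(hits),
        "recovered_names": sorted(original_name(n) for v in hits.values() for n in v),
    }


if __name__ == "__main__":
    lcid = current_ui_lcid()
    if lcid is not None:
        print(f"UI language 0x{lcid:04X}: {targeting_generation(lcid)}")
    print(run_demo())
```

Point `find_encrypted_files` at a user profile or a mounted disk image to get a per-directory inventory; `original_name` only recovers file names, not contents, consistent with the article's note that there is no decryptor.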