Magniber Ransomware Spreads Through JavaScript Fake Security Updates

Security researchers noticed a recent malicious campaign using fake security updates to deploy Magniber ransomware on Windows devices.

The perpetrators used rogue websites to spread the malware by disguising them as legitimate updates for antivirus software or critical operating system patches. Website visitors were prompted to download a ZIP file that, upon extraction, revealed a JavaScript document posing as an important Windows or antivirus software update.

Threat actors previously used MSI and EXE files to spread Magnibear ransomware but appear to have switched to JavaScript files since September.

“The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk,” says HP’s Threat Research team. “This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system.”

After launch, the script injects malicious code into another process and uses it as a host to run further commands, such as deleting shadow copy files, disabling Windows’ backup and recovery features, and ultimately encrypting victims’ files.

Magniber cunningly bypasses User Account Control (UAC) to gain elevated privileges and run commands without alerting the victim. For this to work, the user must have an Administrator account or be a part of the Administrators group.

Once the malware gains admin privileges, it enumerates files on the compromised device, uses a list to cross-check their extensions, and encrypts matching documents. Once the encryption is finished, Magniber plants a ransom note in each directory that holds an encrypted file and displays it for the victim in a web browser.

To mitigate Magniber attacks, users should refrain from downloading software updates from unknown sources, perform regular data backups (offline or cold backups are even better), and avoid using administrator accounts if they’re not needed.

Specialized software solutions like Bitdefender Ultimate Security, with its extensive range of features, can protect you against ransomware and other types of cybernetic threats:

• All-around 24/7 data protection against worms, viruses, Trojans, ransomware, spyware, rootkits, zero-day exploits and other types of e-threats
• Multi-layer ransomware protection that keeps your documents safe against all kinds of ransomware attacks
• Advanced Threat Defense module that closely monitors active apps and takes instant action upon detecting suspicious activity