{
	"id": "b270d0f1-88fd-4d76-a3df-7335b41b257c",
	"created_at": "2026-04-06T00:12:30.28839Z",
	"updated_at": "2026-04-10T13:11:47.955925Z",
	"deleted_at": null,
	"sha1_hash": "5a05d62b09062fa99fa6ee49d2c1e39cdeae9813",
	"title": "Magniber Ransomware Wants to Infect Only the Right People | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1342407,
	"plain_text": "Magniber Ransomware Wants to Infect Only the Right People |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2017-10-19 · Archived: 2026-04-05 14:01:02 UTC\r\nWritten by: Muhammad Umair\r\nExploit kit (EK) use has been on the decline since late 2016; however, certain activity remains consistent. The\r\nMagnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region.\r\nIn Figure 1, which is based on data gathered in March 2017, we can see the regions affected by Magnitude EK\r\nactivity during the last three months of 2016 and the first three months of 2017.\r\nFigure 1: Magnitude EK distribution as seen in March 2017\r\nThis trend continued until late September 2017, when we saw Magnitude EK focus primarily on the APAC region,\r\nwith a large chunk targeting South Korea. Magnitude EK activity then fell off the radar until Oct. 15, 2017, when\r\nit came back and began focusing solely on South Korea.Previously it had been distributing Cerber ransomware,\r\nbut Cerber distribution has declined (we have also seen a decline of Cerber being distributed via email) and now it\r\nis distributing ransomware known as Magniber.\r\nInfection\r\nhttps://www.mandiant.com/resources/blog/magniber-ransomware-infects-only-the-right-people\r\nPage 1 of 8\n\nThe first reappearance of Magnitude EK on Oct. 15 came as a malvertising redirection from the domain:\r\nfastprofit[.]loan. The infection chain is shown in Figure 2.\r\nFigure 2: Infection chain\r\nThe Magnitude EK landing page consisted of CVE-2016-0189, which was first reported as being used inNeutrino\r\nExploit Kitafter it was patched. 
Figure 3 shows the landing page and CVE usage.\r\nFigure 3: Magnitude EK landing page\r\nAs seen previously with Magnitude EK, the payload is downloaded as a plain EXE (see Figure 4) and domain\r\ninfrastructure is hosted on the following server:\r\n'Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6\"\r\nhttps://www.mandiant.com/resources/blog/magniber-ransomware-infects-only-the-right-people\r\nPage 2 of 8\n\nFigure 4: Magnitude payload header and plain MZ response\r\nPayload\r\nIn the initial reportpublished by our colleagues at Trend Micro, the ransomware being distributed is referred to as\r\nMagniber. These ransomware payloads only seem to target Korean systems, since they won't execute if the system\r\nlanguage is not Korean.\r\nMagniber encrypts user data using the AES128. The sample used (dc2a2b84da359881b9df1ec31d03c715) for this\r\nanalysis was pulled from our system when the campaign was active. Of note, this sample differs from the hash\r\nshared publically by Trend Micro, but the two exhibit the same behavior and share the infection vector, and both\r\nwere distributed around the same time.\r\nThe malware contains a binary payload in its resource section encrypted in reverse using RC4. It starts unpacking\r\nit from the end of the buffer to its start. Reverse RC4 decryption keys are 30 bytes long and also contain non-ASCII characters. They are as follows:\r\ndc2a2b84da359881b9df1ec31d03c715 RC4 key:\r\n{ 0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06, 0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc,\r\n0x05, 0xba, 0xd7, 0x83, 0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f }\r\nThe malware callsGetSystemDefaultUILanguage, and if the system language is not Korean, it exits (instructions\r\ncan be seen in Figure 5). 
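
Figure 9, the post's own unpacking script, is an image that does not survive in this text. The following is an added Python example, written for this page and not code from the original post, that reconstructs the described unpacking: RC4 with the 30-byte key above, applied to the resource buffer from its end back to its start. The direction of the reversal is this example's interpretation of the post's wording, the sample payload is constructed (a fake MZ/PE stub, not the real resource), and the PE-header check is added as a way to confirm that the decryption produced something sensible.

```python
import struct
import sys

# 30-byte RC4 key recovered from sample dc2a2b84da359881b9df1ec31d03c715 (from the post).
RC4_KEY = bytes([
    0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06, 0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc,
    0x05, 0xba, 0xd7, 0x83, 0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f,
])

PE_SIGNATURE = bytes([0x50, 0x45, 0x00, 0x00])  # the letters PE followed by two NUL bytes


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4: key scheduling (KSA), then the keystream (PRGA) XORed over the data.
    # Encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xff]
    return bytes(out)


def unpack_reverse_rc4(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    # Assumption (this example's reading of the post): the keystream is consumed while
    # walking the resource from its last byte to its first, so decrypting the reversed
    # buffer yields the embedded payload in normal byte order.
    return rc4(key, blob[::-1])


def pack_reverse_rc4(payload: bytes, key: bytes = RC4_KEY) -> bytes:
    # Exact inverse of unpack_reverse_rc4; used here only to build constructed test data.
    return rc4(key, payload)[::-1]


def looks_like_pe(data: bytes) -> bool:
    # Sanity check on the unpacked buffer: MZ stub plus a PE signature at e_lfanew.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def build_fake_pe(size: int = 512) -> bytes:
    # Constructed stand-in for an unpacked payload (not a real binary): MZ header,
    # e_lfanew pointing at a PE signature, and deterministic filler after it.
    buf = bytearray(size)
    buf[0:2] = b'MZ'
    struct.pack_into('<I', buf, 0x3c, 0x80)
    buf[0x80:0x84] = PE_SIGNATURE
    for i in range(0x84, size):
        buf[i] = (i * 7) & 0xff
    return bytes(buf)


# Constructed sample: a fake payload packed the way the post describes, so the
# unpacker can be exercised offline without the real resource.
CONSTRUCTED_PAYLOAD = build_fake_pe()
CONSTRUCTED_PACKED = pack_reverse_rc4(CONSTRUCTED_PAYLOAD)


if __name__ == '__main__':
    # Usage: python unpack.py <dumped-resource> [output]; with no arguments it runs the round trip.
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as fh:
            packed = fh.read()
    else:
        packed = CONSTRUCTED_PACKED
    payload = unpack_reverse_rc4(packed)
    print('unpacked %d bytes, PE header %s' % (len(payload), 'ok' if looks_like_pe(payload) else 'NOT found'))
    if len(sys.argv) > 2:
        with open(sys.argv[2], 'wb') as fh:
            fh.write(payload)
```

Run it with a resource blob dumped from the sample as the first argument. If looks_like_pe fails on a real dump, the other layout consistent with the post's wording (decrypt the buffer as-is, then reverse the output) is the next thing to try; RC4 being symmetric, both are one-line changes.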
After unpacking in memory, the malware starts executing the unpacked payload.\r\nFigure 5: Language check targeted at Korea\r\nA mutex named \"ihsdj\" is created to prevent multiple executions. The payload then generates a pseudorandom 19-character string seeded from the CPU clock via multiple GetTickCount calls. The string is used to name a file in the user's %TEMP% directory (e.g. \"xxxxxxxxxxxxxxxxxxx.ihsdj\") that stores the IV (Initialization Vector) for the AES128 encryption; a copy of the malware itself is also dropped there under the name \"ihsdj.exe\".\r\nNext, the malware constructs four callback URLs. It combines the 19-character pseudorandom string it generated with the following domains:\r\nbankme[.]date\r\njobsnot[.]services\r\ncarefit[.]agency\r\nhotdisk[.]world\r\nIn order to evade sandbox systems, the malware checks whether it is running inside a VM and appends the result to the callback URL. It does this by executing the CPUID instruction (shown in Figure 6) between two RDTSC reads: CPUID forces a VM exit under a hypervisor, so it takes measurably longer to complete inside a VM than on bare metal.\r\nFigure 6: CPUID instruction to detect VM presence\r\nThe VM check is repeated several times to obtain the average execution time of CPUID in timestamp-counter ticks; if the average is greater than 1000, the malware considers the system to be a VM. When the check concludes the system is a VM, a \"1\" is appended to the end of the URL (see Figure 7); otherwise a \"0\" is appended.
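
Putting these pieces together (the per-infection token, the four callback domains, the new/end phase and the VM flag), here is an added Python example, not code from the original post, that builds an infection's callback URLs and then matches candidate URLs from constructed proxy-log lines against that shape. The token character set ([0-9a-z]) and the log-line format are assumptions of this example; the domains and the 19-character tokens are the ones the post lists.

```python
import re

# Callback domains listed in the post.
CALLBACK_DOMAINS = ('bankme.date', 'jobsnot.services', 'carefit.agency', 'hotdisk.world')


def build_callback_urls(token, phase, in_vm):
    # One URL per domain: http://<token>.<domain>/<phase><vm-flag>
    # phase is new on the first run and end on a later run after encryption;
    # the flag is 1 when the CPUID timing check decided it is in a VM, else 0.
    if len(token) != 19 or phase not in ('new', 'end'):
        raise ValueError('token must be 19 characters and phase must be new or end')
    flag = '1' if in_vm else '0'
    return [f'http://{token}.{d}/{phase}{flag}' for d in CALLBACK_DOMAINS]


# Assumption: the token is lowercase alphanumeric (true of every sample URL in the post).
_DOMAIN_ALT = '|'.join(d.replace('.', '[.]') for d in CALLBACK_DOMAINS)
CALLBACK_RE = re.compile('^http://([0-9a-z]{19})[.](' + _DOMAIN_ALT + ')/(new|end)([01])$')


def parse_callback(url):
    # Decodes a Magniber-shaped callback URL into its fields, or returns None.
    m = CALLBACK_RE.match(url)
    if not m:
        return None
    token, domain, phase, flag = m.groups()
    return {'token': token, 'domain': domain, 'phase': phase, 'vm': flag == '1'}


def scan_proxy_log(lines):
    # Constructed log format (assumption): <timestamp> <client-ip> <method> <url> <status>
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        parsed = parse_callback(fields[3])
        if parsed:
            parsed['client'] = fields[1]
            parsed['time'] = fields[0]
            hits.append(parsed)
    return hits


def summarize_infections(hits):
    # Group callbacks by (client, token): one infection fans out to all four domains with
    # the same token, so a single client/token pair touching several domains is the signal.
    summary = {}
    for h in hits:
        entry = summary.setdefault((h['client'], h['token']),
                                   {'domains': set(), 'phases': set(), 'vm': h['vm']})
        entry['domains'].add(h['domain'])
        entry['phases'].add(h['phase'])
    return summary


# Constructed sample log lines (not from the post); the tokens reuse the ones the post shows.
SAMPLE_LOG = [
    '2017-10-15T08:12:01Z 10.0.0.23 GET http://7o12813k90oggw10277.bankme.date/new1 200',
    '2017-10-15T08:12:01Z 10.0.0.23 GET http://7o12813k90oggw10277.jobsnot.services/new1 200',
    '2017-10-15T08:13:44Z 10.0.0.40 GET http://www.example.com/index.html 200',
    '2017-10-15T09:01:10Z 10.0.0.23 GET http://7o12813k90oggw10277.carefit.agency/end1 200',
    '2017-10-15T09:05:00Z 10.0.0.77 GET http://short.bankme.date/new0 200',
    '2017-10-15T09:06:00Z 10.0.0.77 GET http://4bg8l9095z0287fm1j5.hotdisk.world/new0 200',
]


if __name__ == '__main__':
    for key, info in summarize_infections(scan_proxy_log(SAMPLE_LOG)).items():
        print(key, sorted(info['domains']), sorted(info['phases']),
              'vm' if info['vm'] else 'bare-metal')
```

The useful detection signal is not any single URL but the fan-out: the same client and the same 19-character token reaching several of the four domains within seconds, which is what summarize_infections surfaces. The phase field tells you whether you are looking at a first-run beacon or a post-encryption check-in, and the vm field tells you which answer the sandbox check gave on that host.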
The format of the URL is as follows:\r\nhttp://[19 character pseudorandom string].[callback domain]/new[0 or 1]\r\nExamples of this would be:\r\nhxxp://7o12813k90oggw10277.bankme[.]date/new1\r\nhxxp://4bg8l9095z0287fm1j5.bankme[.]date/new0\r\nFigure 7: Command and control communication\r\nIf the malware is executed a second time after encryption, the callback URL ends in \"end0\" or \"end1\" instead of \"new0\" or \"new1\". An example of this would be:\r\nhxxp://j2a3y50mi0a487230v1.bankme[.]date/end1\r\nThe malware then starts to encrypt user files on the system, renaming them by appending a \".ihsdj\" extension. The AES128 key and IV used by the sample analyzed (both 16 ASCII bytes) are:\r\nIV: EP866p5M93wDS513\r\nAES128 Key: S25943n9Gt099y4K\r\nA text file \"READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt\" is created in the user's %TEMP% directory and shown to the user. The ransom message is shown in Figure 8.\r\nFigure 8: Ransom message for the infected user\r\nThe malware also creates two scheduled tasks: one re-launches its copy from %TEMP% every 15 minutes through the Program Compatibility Assistant (pcalua.exe), and the other re-opens the ransom note on the same schedule:\r\nschtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR \"pcalua.exe -a %TEMP%\\ihsdj.exe\"\r\nschtasks /create /SC MINUTE /MO 15 /tn xxxxxxxxxxxxxxxxxxx /TR %TEMP%\\READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt\r\nThe malware then issues a command to delete itself after exiting, using a local ping to delay the deletion until its own process has terminated:\r\ncmd /c ping localhost -n 3 \u003e nul \u0026 del C:\\PATH\\MALWARE.EXE\r\nFigure 9 contains the Python code for unpacking the malware payload, which is encrypted using RC4 in reverse.\r\nFigure 9: Python script for unpacking malware payload\r\nConclusion\r\nRansomware is a significant threat to enterprises. While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk, especially those running old software versions and not using ad blockers. Enterprises need to make sure their network nodes are fully patched.\r\nIndicators of Compromise\r\nMalware Sample Hash\r\ndc2a2b84da359881b9df1ec31d03c715 (decryption key shared)\r\nMalvertiser Domains\r\nfastprofit[.]loan\r\nfastprofit[.]me\r\nEK Domain Examples\r\n3e37i982wb90j.fileice[.]services\r\na3co5a8iab2x24g90.helpraw[.]schule\r\n2i1f3aadm8k.putback[.]space\r\nCommand and Control Domains\r\n3ee9fuop6ta4d6d60bt.bankme[.]date\r\n3ee9fuop6ta4d6d60bt.jobsnot[.]services\r\n3ee9fuop6ta4d6d60bt.carefit[.]agency\r\n3ee9fuop6ta4d6d60bt.hotdisk[.]world\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/magniber-ransomware-infects-only-the-right-people",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/magniber-ransomware-infects-only-the-right-people"
	],
	"report_names": [
		"magniber-ransomware-infects-only-the-right-people"
	],
	"threat_actors": [],
	"ts_created_at": 1775434350,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a05d62b09062fa99fa6ee49d2c1e39cdeae9813.pdf",
		"text": "https://archive.orkl.eu/5a05d62b09062fa99fa6ee49d2c1e39cdeae9813.txt",
		"img": "https://archive.orkl.eu/5a05d62b09062fa99fa6ee49d2c1e39cdeae9813.jpg"
	}
}