{
	"id": "c14a9277-d2de-40f5-9099-5c84d406a2f2",
	"created_at": "2026-04-06T00:09:53.285582Z",
	"updated_at": "2026-04-10T03:20:45.901406Z",
	"deleted_at": null,
	"sha1_hash": "aa209de7be1948a6209aee88adec13aa55c75df9",
	"title": "Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1276344,
	"plain_text": "Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)\r\nBy ATCP\r\nPublished: 2022-11-06 · Archived: 2026-04-05 20:45:53 UTC\r\nThe ASEC analysis team published a post on October 25th describing the changes made to the Magniber ransomware. Magniber, which is still being actively distributed, has undergone many changes to evade detection by anti-malware software. Of these changes, this post covers the script format distributed from September 8th to September 29th, 2022, which bypassed Mark of the Web (MOTW), a Windows feature that records the origin of downloaded files.\r\nDate | Extension | Execution process | Encryption process | Recovery environment deactivation process | Recovery environment deactivation (UAC bypass)\r\n2022-05-07 | msi | msiexec.exe | msiexec.exe | regsvr32.exe | Modifies the registry value that fodhelper.exe reads when it runs (HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command)\r\n2022-06-14 | msi | msiexec.exe | Running process | regsvr32.exe | Modifies the registry value that fodhelper.exe reads when it runs (HKCU:\\Software\\Classes\\(custom progID)\\shell\\open\\command)\r\n2022-07-20 | cpl | rundll32.exe | rundll32.exe | X | X\r\n2022-08-08 | cpl | rundll32.exe | Running process | wscript.exe | Modifies the registry value that fodhelper.exe reads when it runs (HKCU:\\Software\\Classes\\(custom progID)\\shell\\open\\command)\r\n2022-09-08 | jse | wscript.exe | Running process | wscript.exe | Modifies the registry value that fodhelper.exe reads when it runs (HKCU:\\Software\\Classes\\(custom progID)\\shell\\open\\command)\r\n2022-09-16 | js | wscript.exe | Running process | wscript.exe | Modifies the registry value that fodhelper.exe reads when it runs (HKCU:\\Software\\Classes\\(custom progID)\\shell\\open\\command)\r\n2022-09-28 | wsf | wscript.exe | Running process | wscript.exe | Modifies the registry value that fodhelper.exe reads when it runs (HKCU:\\Software\\Classes\\(custom progID)\\shell\\open\\command)\r\n2022-09-30 | msi | msiexec.exe | Running process | wscript.exe | Modifies the registry value that fodhelper.exe reads when it runs (HKCU:\\Software\\Classes\\(custom progID)\\shell\\open\\command)\r\nTable 1. Major characteristics of Magniber ransomware by date (https://asec.ahnlab.com/en/40422/). “Running process” means the encryption routine is injected into an already running process rather than executed from a fixed binary; X means the step is absent in that version.\r\nTable 1 summarizes the ASEC blog post covering the evolution of the Magniber ransomware. Among these changes, the threat operator used script files as the distribution format from September 8th to September 29th, 2022. Magniber was downloaded through typosquatting, which exploits typos made by users when entering domain names (see Figure 1).\r\nA downloaded file is identified as coming from an external source by the Windows Mark of the Web (MOTW) feature.[2] MOTW relies on NTFS alternate data streams: when a browser saves a file, it writes a Zone.Identifier stream holding the URL security zone of the source (ZoneId=3 for the Internet zone) and, on recent Windows versions, the referrer and download URLs.[3] The stream is addressed as “File Name:Zone.Identifier:$DATA” and can be viewed with Notepad or with PowerShell (Get-Content -Stream Zone.Identifier). When a file carrying this mark is executed, Windows displays a security warning, and Office blocks macros in marked documents by default.\r\nTo get past this MOTW execution warning, Magniber appended a digital signature to the end of the script between September 8th and September 29th, 2022. Normally, signing a script once it is finalized[4] lets Windows verify that the script has not been modified and identifies its author; Windows Script Host stores such a signature as a comment block (“// SIG // Begin signature block” ... “// SIG // End signature block”) at the end of a .js or .jse file and as a <signature> element in a .wsf file.
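The MOTW artifact and the signature-block pattern described above, as an added example that is not part of the ASEC post: a small Python triage helper that parses the text of a Zone.Identifier stream, maps the ZoneId to its security zone, and flags Internet-zone .js/.jse/.wsf files that end in a Windows Script Host signature block. The stream contents and the script body are constructed samples, the triage labels (no-motw, motw-trusted, motw-internet, motw-internet-signed) are this example's own naming, and the signature markers (the // SIG // comment block for .js/.jse and the <signature> element for .wsf) are the formats WSH uses for signed scripts.

```python
# Added example (not code from the ASEC post): triage of downloaded WSH scripts
# by Mark of the Web zone plus presence of a trailing signature block.
# Sample data below is constructed; the triage labels are this example's own.
from dataclasses import dataclass
from typing import Optional

# Windows URL security zone IDs as written to the Zone.Identifier stream.
ZONE_NAMES = {0: 'Local machine', 1: 'Local intranet', 2: 'Trusted sites',
              3: 'Internet', 4: 'Restricted sites'}

# How Windows Script Host stores an Authenticode signature inside a script:
# a trailing comment block for .js/.jse, a <signature> element for .wsf.
SIG_MARKERS = ('// SIG // Begin signature block', '<signature>')
SCRIPT_EXTENSIONS = ('js', 'jse', 'wsf')


@dataclass
class ZoneInfo:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f'Unknown ({self.zone_id})')

    @property
    def is_internet(self) -> bool:
        # Zone 3 (Internet) and 4 (Restricted) are the zones that trigger the MOTW prompt.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[ZoneInfo]:
    '''Parse the INI-style text of a <file>:Zone.Identifier:$DATA stream.
    Returns None when there is no [ZoneTransfer] section with a numeric ZoneId.'''
    section = None
    values = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'zonetransfer' and '=' in line:
            key, _, val = line.partition('=')
            values[key.strip().lower()] = val.strip()
    if not values.get('zoneid', '').isdigit():
        return None
    return ZoneInfo(int(values['zoneid']), values.get('referrerurl'), values.get('hosturl'))


def has_trailing_signature_block(script_text: str, tail_chars: int = 4096) -> bool:
    '''True if a WSH signature marker appears in the tail of the script.'''
    tail = script_text[-tail_chars:]
    return any(marker in tail for marker in SIG_MARKERS)


def triage(filename: str, zone_stream: Optional[str], script_text: str) -> str:
    '''Label one downloaded file for a first-pass hunting queue:
    no-motw, motw-trusted, motw-internet or motw-internet-signed.'''
    info = parse_zone_identifier(zone_stream) if zone_stream is not None else None
    if info is None:
        return 'no-motw'
    if not info.is_internet:
        return 'motw-trusted'
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext in SCRIPT_EXTENSIONS and has_trailing_signature_block(script_text):
        # Internet-zone script that ends in a signature block: the pattern the post describes.
        return 'motw-internet-signed'
    return 'motw-internet'


def read_zone_stream(path: str) -> Optional[str]:
    '''Read the Zone.Identifier stream of a file on NTFS; None if the file carries none.'''
    try:
        with open(path + ':Zone.Identifier', encoding='utf-8', errors='replace') as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample stream, in the format a browser writes for an Internet download.
SAMPLE_ZONE_STREAM = '''[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/
HostUrl=https://example.invalid/download.js
'''

# Constructed placeholder script body ending in a WSH signature block
# (the Magniber samples themselves are not reproduced here).
SAMPLE_SIGNED_JS = '''var sh = new ActiveXObject('WScript.Shell');
// SIG // Begin signature block
// SIG // (placeholder base64 lines)
// SIG // End signature block
'''

if __name__ == '__main__':
    samples = [('download.js', SAMPLE_ZONE_STREAM, SAMPLE_SIGNED_JS),
               ('download.js', SAMPLE_ZONE_STREAM, 'var x = 1;'),
               ('local.js', None, SAMPLE_SIGNED_JS)]
    for name, stream, body in samples:
        print(name, triage(name, stream, body))
```

On an NTFS volume the stream can be read by opening path + ':Zone.Identifier' as read_zone_stream does; on other file systems the open fails and the file is treated as unmarked. The combination flagged here is a hunting heuristic, not proof of malice: a legitimately signed script downloaded from the Internet produces the same label, so hits still need the signer and the script body reviewed.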
\r\nAccording to a post on Bleeping Computer,[1] the digital signature at the end of the Magniber script is what lets it bypass MOTW: the signature block is malformed, and a flaw in how Windows handled such a signature (a zero-day at the time) caused the MOTW security warning to be skipped instead of shown. The practical check for defenders is therefore not whether the signature validates but whether an Internet-zone script carries a signature block at all.\r\nMagniber is currently being distributed as an MSI file instead of a script. User vigilance is still required, as its detection-evasion techniques change frequently, and users should be careful when executing files downloaded from untrusted websites.\r\nAhnLab responds to Magniber not only with file detection but with several other detection methods; users are advised to enable the Process Memory Scan and Malicious Script Detection (AMSI) options under [V3 Preferences] – [PC Scan Settings].\r\nScript File Detection\r\nRansomware/JS.Magniber (2022.09.08.02)\r\nRansomware/WSF.Magniber (2022.09.28.02)\r\nProcess Memory Detection\r\nRansomware/Win.Magniber.XM153 (2022.09.15.03)\r\nAMSI Detection (.NET DLL)\r\nRansomware/Win.Magniber.R519329 (2022.09.15.02)\r\nReference\r\n[1] Bleeping Computer, “Exploited Windows zero-day lets JavaScript files bypass security warnings”\r\n[2] “Macros from the internet will be blocked by default in Office”\r\n[3] “5.1 NTFS Streams”\r\n[4] “Digitally Signing Scripts”\r\nMD5\r\n2da51943a0ea7699b01436eaa01f7a59\r\nb8e94ffbfc560d56e28c10073b911d50\r\nba7a32f15227c5d30b648ba407e73c80\r\nAdditional IOCs and detailed analysis are available to AhnLab TIP subscribers.\r\nSource: https://asec.ahnlab.com/en/41889/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/41889/"
	],
	"report_names": [
		"41889"
	],
	"threat_actors": [],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa209de7be1948a6209aee88adec13aa55c75df9.pdf",
		"text": "https://archive.orkl.eu/aa209de7be1948a6209aee88adec13aa55c75df9.txt",
		"img": "https://archive.orkl.eu/aa209de7be1948a6209aee88adec13aa55c75df9.jpg"
	}
}