{
	"id": "6267a906-a2d9-4e68-8cbf-9dc0d46d894e",
	"created_at": "2026-04-06T00:09:18.751459Z",
	"updated_at": "2026-04-10T13:12:27.215461Z",
	"deleted_at": null,
	"sha1_hash": "c443f6ca6a7f3844e512799b605146e2385fb112",
	"title": "Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -\u003e CVE-2020-0968) and Attempted to Bypass Behavior Detection - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1224995,
	"plain_text": "Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -\u003e CVE-2020-0968) and Attempted to Bypass Behavior Detection - ASEC\r\nBy ATCP\r\nPublished: 2020-12-16 · Archived: 2026-04-05 15:31:34 UTC\r\nAt the beginning of this year, the ASEC analysis team published a report on the change of the vulnerability that the developer of Magniber uses to distribute the ransomware.\r\nSince September 23, 2019, the CVE-2019-1367 exploit that the Magniber developer had been using for distribution has stopped working on systems with the emergency security patch (version 1903) applied. In response, the developer switched to the newer vulnerability CVE-2020-0968, widening the range of systems that can be infected. Moreover, the CVE-2020-0968 security patch (released on April 15, 2020) cannot be applied to Windows 7, which has been out of support since January 14, 2020. For a better understanding of the change, the figures below compare the code before the change (including the PoC) with the code after the change.\r\nhttps://asec.ahnlab.com/en/19273/\r\nPage 1 of 5\n\nFigure 1. PoC code of CVE-2019-1367\r\nFigure 2. Vulnerability code (CVE-2019-1367) used by Magniber (before the change)\r\nFigure 3. Part of the UAF code of the CVE-2020-0968 vulnerability\r\nFigure 4. Changed Magniber code (the orange box marks the PoC code from Figure 3)\r\nComparing the PoC code with the exploit script being distributed shows obfuscated variable names but no changes to the code itself. The two vulnerabilities are similar in that both exploit a use-after-free (UAF) in jscript.dll, but they differ in how the pointer to the regular expression object is leaked. The steps that follow once the pointer has been leaked are the same as for CVE-2019-1367. 
V3 detects both of these exploits of the vulnerable jscript.dll through behavior-based detection, and this detection feature has been distributed to all V3 users as of December 17, 2020.\r\nThe developer of Magniber is not only changing the vulnerability used in the distribution script but is also making various changes to bypass V3's behavior-based detection. The table below shows how the sequence of API calls the Magniber developer uses to inject the Magniber ransomware has changed over time.\r\nDate | API calls used for injection\r\nMarch 9th | OpenProcess -\u003e WriteProcessMemory -\u003e SetThreadContext -\u003e ResumeThread\r\nApril 10th | ZwCreateSection -\u003e ZwMapViewOfSection -\u003e RtlMoveMemory -\u003e ZwMapViewOfSection -\u003e ZwUnMapViewOfSection -\u003e ZwCreateThreadEx -\u003e GetThreadContext -\u003e SetThreadContext -\u003e ZwResumeThread\r\nApril 29th | ZwCreateSection -\u003e ZwMapViewOfSection -\u003e RtlMoveMemory -\u003e ZwMapViewOfSection -\u003e ZwCreateThreadEx\r\nMay 6th | NtCreateSection -\u003e NtMapViewOfSection -\u003e RtlMoveMemory -\u003e RtlCreateUserThread\r\nMay 7th | OpenProcess -\u003e VirtualAllocEx -\u003e WriteProcessMemory -\u003e NtCreateThreadEx -\u003e GetThreadContext -\u003e SetThreadContext -\u003e NtResumeThread\r\nMay 19th | NtCreateSection -\u003e NtMapViewOfSection -\u003e RtlMoveMemory -\u003e NtMapViewOfSection -\u003e NtCreateThreadEx -\u003e GetThreadContext -\u003e SetThreadContext -\u003e NtResumeThread\r\nJune 9th | OpenProcess -\u003e DuplicateHandle -\u003e VirtualAllocEx -\u003e WriteProcessMemory -\u003e RtlCreateUserThread\r\nJune 10th | Distribution ceased (until June 25th)\r\nJune 26th – present | NtCreateSection -\u003e NtMapViewOfSection -\u003e NtMapViewOfSection -\u003e NtCreateThreadEx -\u003e NtGetContextThread -\u003e NtSetContextThread -\u003e NtResumeThread\r\nThe developer 
has not changed the API call sequence since late June, but when calling the injection APIs they now apply a technique called ‘Heaven’s Gate.’ Heaven’s Gate is a method malware uses to bypass the user-mode API hooks placed by anti-malware software. For example, if the attacker sets the system call index and calls KiFastSystemCall directly, instead of going through the normal API call that the anti-malware software hooks, the hooked API is never executed; this kind of direct system call can be regarded as a Heaven’s Gate attack.\r\nMagniber is currently distributed via Internet Explorer, and most ordinary users run an x64 environment. The steps the Magniber shellcode takes to call the NtOpenProcess API via the Heaven’s Gate technique from the 32-bit Internet Explorer process, which runs under WOW64, are described below.\r\nInstead of calling the NtOpenProcess API normally, the Magniber shellcode loads the system call index (0x23) directly into EAX and calls the address stored at fs:[C0] (a TEB field reserved for WOW64). When a 32-bit process in a WOW64 environment calls through fs:[C0], X86SwitchTo64BitMode in wow64cpu.dll is invoked, which switches the thread into 64-bit mode. Because the Magniber shellcode uses the Heaven’s Gate technique to call the 64-bit API directly from the 32-bit process (Internet Explorer), the API call is difficult to detect with common hooking. Note that system call indexes are not stable across Windows builds, so the index 0x23 applies only to the Windows version the analysed sample targets.\r\nFigure 5. Heaven’s Gate operation flow\r\nFigure 6. NtOpenProcess SysCall index\r\nV3 uses TrueEyes, AhnLab’s in-house fileless detection module, to detect both the vulnerability and Heaven’s Gate. 
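The following is an added example (not AhnLab/V3 code and not Magniber's) showing one way a behavior engine can detect the injection sequences in the table above without depending on the exact API spelling or ordering the developer chose: it folds Zw* names and Win32 wrappers onto their native Nt* calls, flags any process whose trace shows a remote-write primitive followed by a remote-execution primitive, and then labels hits that exactly match a table entry. The log line format, process IDs, timestamps and the sample trace are constructed for the example.

```python
# Added example: behaviour-style detection of the injection sequences in
# the table. Not AhnLab/V3 code. Log format and sample trace are constructed.
from collections import defaultdict

# Win32 wrappers and non-standard spellings folded onto the native call
# they end up in; Zw* is folded onto Nt* in canonical() below.
_ALIASES = {
    'SetThreadContext': 'NtSetContextThread',
    'GetThreadContext': 'NtGetContextThread',
    'ResumeThread': 'NtResumeThread',
    'NtUnMapViewOfSection': 'NtUnmapViewOfSection',
}


def canonical(api):
    '''Normalise an API name: Zw* -> Nt*, wrappers -> native call.'''
    if api.startswith('Zw'):
        api = 'Nt' + api[2:]
    return _ALIASES.get(api, api)


# Primitive classes. Every sequence in the table is: get bytes into the
# target, then run them there. The prefix and the surrounding calls change,
# the pair does not.
SECTION_CREATE = 'NtCreateSection'
SECTION_MAP = 'NtMapViewOfSection'
WRITE_PRIMS = {'WriteProcessMemory'}
EXEC_PRIMS = {'NtCreateThreadEx', 'RtlCreateUserThread', 'NtSetContextThread'}

# A few exact sequences from the table, stored in canonical form so that a
# Zw-spelled trace still matches the Nt-spelled entry.
_TABLE = {
    '2020-03-09': 'OpenProcess WriteProcessMemory SetThreadContext ResumeThread',
    '2020-05-06': 'NtCreateSection NtMapViewOfSection RtlMoveMemory RtlCreateUserThread',
    '2020-06-09': 'OpenProcess DuplicateHandle VirtualAllocEx WriteProcessMemory RtlCreateUserThread',
    '2020-06-26': 'NtCreateSection NtMapViewOfSection NtMapViewOfSection NtCreateThreadEx '
                  'NtGetContextThread NtSetContextThread NtResumeThread',
}
KNOWN_VARIANTS = {d: tuple(canonical(a) for a in s.split()) for d, s in _TABLE.items()}


def parse_trace(lines):
    '''Yield (pid, canonical_api) from constructed lines of the form
    <time> pid=<n> <Api>(<args>); malformed lines are skipped.'''
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or not parts[1].startswith('pid='):
            continue
        yield int(parts[1][4:]), canonical(parts[2].split('(')[0])


def detect_injection(lines):
    '''Return {pid: [canonical api, ...]} for every process whose trace shows
    a remote write (WriteProcessMemory, or a view of a freshly created
    section) followed by a remote-execution primitive.'''
    per_pid = defaultdict(list)
    for pid, api in parse_trace(lines):
        per_pid[pid].append(api)
    hits = {}
    for pid, seq in per_pid.items():
        have_section = wrote = False
        for api in seq:
            if api == SECTION_CREATE:
                have_section = True
            elif api == SECTION_MAP and have_section:
                wrote = True  # heuristic: the view may be in the target process
            elif api in WRITE_PRIMS:
                wrote = True
            elif api in EXEC_PRIMS and wrote:
                hits[pid] = seq
                break
    return hits


def match_known(seq):
    '''Date of the table entry whose canonical sequence equals seq, else None.'''
    for date, variant in KNOWN_VARIANTS.items():
        if tuple(seq) == variant:
            return date
    return None


def analyse(lines):
    '''Map each flagged pid to the matching table date or to unknown variant.'''
    return {pid: match_known(seq) or 'unknown variant'
            for pid, seq in detect_injection(lines).items()}


# Constructed sample trace: pid 3120 replays the June 26th sequence, pid 4488
# is benign, pid 5012 uses a Zw-spelled sequence that is not in the table.
SAMPLE_TRACE = [
    '10:00:01 pid=3120 NtCreateSection(...)',
    '10:00:01 pid=3120 NtMapViewOfSection(...)',
    '10:00:01 pid=3120 NtMapViewOfSection(...)',
    '10:00:02 pid=3120 NtCreateThreadEx(...)',
    '10:00:02 pid=3120 NtGetContextThread(...)',
    '10:00:02 pid=3120 NtSetContextThread(...)',
    '10:00:02 pid=3120 NtResumeThread(...)',
    '10:00:03 pid=4488 OpenProcess(...)',
    '10:00:03 pid=4488 NtQueryInformationProcess(...)',
    '10:00:03 pid=4488 NtClose(...)',
    '10:00:04 pid=5012 ZwCreateSection(...)',
    '10:00:04 pid=5012 ZwMapViewOfSection(...)',
    '10:00:04 pid=5012 ZwMapViewOfSection(...)',
    '10:00:05 pid=5012 RtlCreateUserThread(...)',
]

if __name__ == '__main__':
    for pid, verdict in analyse(SAMPLE_TRACE).items():
        print('pid', pid, 'injection detected:', verdict)
```

The exact-match table only labels known variants; the write-then-execute rule is what catches the unlisted Zw-spelled sequence of pid 5012, which is the property a behavior engine needs when the developer rotates prefixes and call order.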
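As an added example (not Magniber's shellcode and not AhnLab code), the scanner below looks in raw 32-bit code bytes for the gate call the text describes: a system call index loaded into EAX (mov eax, imm32, encoded B8 imm32) followed within a few bytes by an indirect call or jump through fs:[0xC0] (call dword ptr fs:[0C0h] = 64 FF 15 C0 00 00 00; jmp dword ptr fs:[0C0h] = 64 FF 25 C0 00 00 00). The sample byte strings are constructed; the 0x23 index is the one the text gives for NtOpenProcess and is build-specific. One caveat a practitioner needs: the legitimate 32-bit ntdll stubs in a WOW64 process reach 64-bit mode through the same fs:[0xC0] pointer, so the pattern is meaningful only in bytes that do not belong to ntdll's mapped image, such as a shellcode buffer inside the Internet Explorer process.

```python
# Added example: byte-pattern scan for the WOW64 gate call (call/jmp through
# fs:[0xC0]) preceded by a system call index in EAX. Not Magniber's code and
# not AhnLab code; the sample stubs below are constructed.

# Instruction encodings; 0xC0 is the TEB offset named in the text.
GATE_CALL = bytes.fromhex('64 ff 15 c0 00 00 00')   # call dword ptr fs:[0C0h]
GATE_JMP = bytes.fromhex('64 ff 25 c0 00 00 00')    # jmp  dword ptr fs:[0C0h]
MOV_EAX = bytes.fromhex('b8')                       # mov eax, imm32 (B8 + 4 bytes)


def _last_mov_eax(code, lo, hi):
    '''Immediate of the last complete mov eax, imm32 inside code[lo:hi], or
    None. Heuristic: a stray B8 byte inside another instruction's operand
    would also match, so treat the value as a hint rather than a fact.'''
    if hi - 4 <= lo:
        return None
    p = code.rfind(MOV_EAX, lo, hi - 4)   # B8 must leave room for 4 imm bytes
    if p == -1:
        return None
    return int.from_bytes(code[p + 1:p + 5], 'little')


def find_gate_calls(code, window=24):
    '''Return [(offset, form, syscall_index), ...] for every call/jmp through
    fs:[0xC0] in code. syscall_index comes from the nearest preceding
    mov eax, imm32 within window bytes, or is None if the index is set
    somewhere else (for example passed in by the caller).'''
    hits = []
    for form, pattern in (('call', GATE_CALL), ('jmp', GATE_JMP)):
        start = 0
        while True:
            pos = code.find(pattern, start)
            if pos == -1:
                break
            hits.append((pos, form, _last_mov_eax(code, max(0, pos - window), pos)))
            start = pos + 1
    return sorted(hits)


def report(code, names=None):
    '''Human-readable line per hit, resolving the index through an optional
    {index: api name} table for the Windows build being analysed.'''
    names = names or {}
    lines = []
    for pos, form, idx in find_gate_calls(code):
        if idx is None:
            lines.append('offset %#x: %s fs:[0C0h], index not found nearby' % (pos, form))
        else:
            lines.append('offset %#x: %s fs:[0C0h] with eax=%#x (%s)'
                         % (pos, form, idx, names.get(idx, 'unknown')))
    return lines


# Constructed 32-bit stub modelling the gate call described in the text:
#   B8 23 00 00 00          mov  eax, 23h            ; NtOpenProcess index (build-specific)
#   8D 54 24 04             lea  edx, [esp+4]        ; pointer to the arguments
#   64 FF 15 C0 00 00 00    call dword ptr fs:[0C0h] ; X86SwitchTo64BitMode
#   C3                      ret
GATE_STUB = bytes.fromhex('b8 23 00 00 00 8d 54 24 04 64 ff 15 c0 00 00 00 c3')

# Constructed native 32-bit syscall stub for contrast: same index, but the
# call goes through the KiFastSystemCall pointer at 7FFE0300h (no gate).
#   B8 23 00 00 00          mov  eax, 23h
#   BA 00 03 FE 7F          mov  edx, 7FFE0300h
#   FF 12                   call dword ptr [edx]
#   C3                      ret
NORMAL_STUB = bytes.fromhex('b8 23 00 00 00 ba 00 03 fe 7f ff 12 c3')

# Index -> name table taken from the text (0x23 = NtOpenProcess on the build
# the sample targets); a real scan needs the table for the build in question.
SAMPLE_INDEX_NAMES = {0x23: 'NtOpenProcess'}

if __name__ == '__main__':
    for line in report(GATE_STUB, SAMPLE_INDEX_NAMES):
        print(line)
    print('normal stub hits:', find_gate_calls(NORMAL_STUB))
```

Because a raw byte scan cannot tell an instruction boundary from operand data, a production check would disassemble the buffer first; the scan is enough to show why a hook on ntdll's NtOpenProcess export sees nothing when the shellcode carries its own copy of the stub.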
The two detection features are distributed to all V3 users as of today (December 17, 2020), and both the vulnerability and the injection technique Magniber uses to bypass hooking can be detected and blocked by V3’s behavior engine before encryption takes place.\r\n[Behavior Detection]\r\n– Malware/MDP.Exploit.M3036\r\n– Malware/MDP.Exploit.M3417\r\n– Malware/MDP.Exploit.M3431\r\n[Video-1] Magniber infection in an environment without V3 installed\r\n[Video-2] Magniber blocked in an environment with V3 installed\r\nSource: https://asec.ahnlab.com/en/19273/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/19273/"
	],
	"report_names": [
		"19273"
	],
	"threat_actors": [],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c443f6ca6a7f3844e512799b605146e2385fb112.pdf",
		"text": "https://archive.orkl.eu/c443f6ca6a7f3844e512799b605146e2385fb112.txt",
		"img": "https://archive.orkl.eu/c443f6ca6a7f3844e512799b605146e2385fb112.jpg"
	}
}