{
	"id": "f50bf844-c03b-43b2-9733-9887eb6cebf7",
	"created_at": "2026-04-06T00:20:13.400631Z",
	"updated_at": "2026-04-10T03:24:39.71578Z",
	"deleted_at": null,
	"sha1_hash": "e8b0716c12b9c9826e0c495007121cfa4a0e20c9",
	"title": "Magniber ransomware improves, expands within Asia | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 750199,
	"plain_text": "Magniber ransomware improves, expands within Asia | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2018-07-15 · Archived: 2026-04-05 19:43:07 UTC\r\nThis blog post was authored by @hasherezade and Jérôme Segura.\r\nThe Magnitude exploit kit is one of the longest-serving browser exploitation toolkits among those still in use. After its inception in 2013, it enjoyed worldwide distribution with a liking for ransomware. Eventually, it became a private operation with a narrow geographic focus.\r\nDuring 2017, Magnitude delivered Cerber ransomware via a filtering gate known as Magnigate, only to a select few Asian countries. In October 2017, the exploit kit operator began to distribute its own breed of ransomware, Magniber. That change came with an interesting twist—the malware authors went to great lengths to limit infections to South Korea. In addition to traffic filtering via country-specific malvertising chains, Magniber would only install if a specific country code was returned; otherwise it would delete itself.\r\nIn April 2018, Magnitude unexpectedly started pushing the ever-growing GandCrab ransomware, shortly after having adopted a fresh Flash zero-day (CVE-2018-4878). What may have been a test campaign did not last long, and shortly after, Magniber was back again. In our recent captures of Magnitude, we now see the latest Internet Explorer exploit (CVE-2018-8174) being used primarily, which it integrated after a week-long traffic interruption.\r\nIn this post, we take a look at some notable changes with Magniber. Its source code is now more refined, leveraging various obfuscation techniques and no longer dependent on a Command and Control server or hardcoded key for its encryption routine. In addition, while Magniber previously only targeted South Korea, it has now expanded its reach to other Asia Pacific countries.\r\nExtracting the payload\r\n72fce87a976667a8c09ed844564adc75 – loader DLL\r\n19599cad1bbca18ac6473e64710443b7 – Magniber’s core DLL\r\nThere are several stages before the final payload is downloaded and executed. After Magnigate’s 302 redirection (Step 1), we see a Base64 obfuscated JavaScript (Step 2) used to launch Magnitude’s landing page, along with a Base64 encoded VBScript. (Both original versions of the scripts are available at the end of this post in the IOCs.) After CVE-2018-8174’s exploitation, the XOR-encrypted Magniber is retrieved.\r\nhttps://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia\r\nPage 1 of 15\r\nFigure 1. Traffic view of a Magniber infection, via Magnigate redirection and Magnitude EK\r\nFigure 2. Decoded JavaScript shows redirection to Magnitude’s landing page\r\nFigure 3. VBScript code snippet showing part of CVE-2018-8174\r\nOnce exploitation of the Use After Free vulnerability in Internet Explorer (CVE-2018-8174) is successful, the VBScript will execute the following shellcode:\r\nFigure 4. Byte array (shellcode)\r\nFunctionality-wise, this shellcode is a simple downloader. It downloads the obfuscated payload, decodes it by XOR with a key, and then deploys it:\r\nFigure 5. Downloading the final payload via the InternetOpenUrlW API\r\nThe downloaded payload (72fce87a976667a8c09ed844564adc75) is, however, still not the Magniber core, but a next-stage loader. This loader unpacks Magniber’s core DLL (19599cad1bbca18ac6473e64710443b7) and injects it into a process. Both elements, the loader and the Magniber core, are DLLs with a Reflective Loader stub that load themselves into the current process using the Reflective DLL injection technique.\r\nBehavioral analysis\r\nThe actions performed by Magniber haven’t changed much; it encrypts files and at the end drops a ransom note named README.txt.\r\nFigure 6. Ransom note left on the infected machine\r\nThe given links lead to an onion page that is unique per victim and similar to many other ransomware pages:\r\nFigure 7. Magniber’s payment page\r\nThe files encrypted by this version of Magniber can be identified by their extension: .dyaaghemy. While in the past each file was encrypted with the same AES key, this time each file is encrypted with a unique key—the same plaintext gives a different ciphertext. The encrypted content shows no visible patterns, which suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode). Below you can see a BMP file before and after being encrypted by Magniber:\r\nFigure 8. Visualizing a file before and after encryption\r\nCode changes\r\nMagniber is constantly evolving, with big portions of its code fully rewritten over time. Below you can see a code comparison between the current Magniber DLL and an earlier version (8a0244eedee8a26139bea287a7e419d9), created with the help of BinDiff:\r\nFigure 9. Comparing an older Magniber with the newer one\r\nObfuscation\r\nThe authors put a lot of effort into improving obfuscation. The first version we described was not obfuscated at all. The current version, in contrast, is obfuscated using a few different techniques. First of all, API functions are now dynamically retrieved by their checksums. For example:\r\nFigure 10. Calling API functions via checksum\r\nComparing the new and old versions, we can see some overlapping fragments of code:\r\nFigure 11. Old version with normal import calls vs. new version with dynamically retrieved functions\r\nThe function pointer is retrieved by searching through the export tables of the DLLs that are currently loaded. This technique requires that the DLL from which the function is to be retrieved already be loaded. This function-retrieval algorithm was added to Magniber a few months ago, for example in the sample 60af42293d2dbd0cc8bf1a008e06f394.\r\nIn addition, some of the parameters for the calls are dynamically calculated, and junk code is added in between the operations. A string that is supposed to be loaded is scattered through several variables.\r\nFigure 12. Adding junk code to make analysis more tricky\r\nFile encryption\r\nWe can also observe some changes at the functionality level. The early versions relied on an AES key downloaded from the CnC server (falling back to a hardcoded key if the server was not available, which made decryption trivial in that case). This time, Magniber comes with the attackers’ public RSA key, which makes it fully independent of an Internet connection during the encryption process. This key is used to protect the unique AES keys used to encrypt files.\r\nThe attackers’ RSA key is hardcoded in the sample in obfuscated form. This is how it looks after deobfuscation:\r\nFigure 13. Deobfuscated RSA key\r\nEach time a new file is going to be encrypted, two 16-byte long strings are generated. One will be used as the AES key, and the other as the initialization vector (IV). Below you can see the fragment of code responsible for generating those pseudo-random strings.\r\nFigure 14. Generating pseudo-random strings\r\nThe interesting fact is what they use as a random generator—a weak source of randomness may create a vulnerability. We can see that under the hood GetTickCount is called:\r\nFigure 15. Random generator using GetTickCount\r\nThe full reconstruction of the code generating the key and IV is available in the following snippet:\r\nhttps://gist.github.com/hasherezade/7fb69fbd045315b42d7f962a83fdc300\r\nBefore the ransomware proceeds to encrypt the file, the RSA key is imported and used to encrypt the generated data (key+IV):\r\nFigure 16. RSA key import right before file encryption begins\r\nIt produces an encrypted block of 256 bytes that is passed to the encrypting function and later appended at the end of the encrypted file. Apart from those changes, files are encrypted similarly to before, with the help of the Windows Crypto API.\r\nFigure 16. Setting the AES key and initialization vector\r\nFigure 17. Encrypting and writing to a file\r\nGeographic expansion\r\nIn early July, we noted exploit attempts happening outside of the typical area we had become used to, for instance in Malaysia. At about the same time, a tweet from MalwareHunterTeam mentioned infections in Taiwan and Hong Kong.\r\nFollowing the changes in the distribution scope, the code of Magniber was updated to whitelist more languages. The list has now expanded to other Asian languages, such as Chinese (Macau, China, Singapore) and Malay (Malaysia, Brunei).\r\nFigure 17. Expanded language checks\r\nContinuing evolution\r\nWhile Magniber was not impressive at first, having simple code and no obfuscation, it is actively developed and its quality continuously improves. Its authors appear professional, even though they commit some mistakes.\r\nThis ransomware operation is carried out with surgical precision, from careful distribution to a matching whitelist of languages. The criminals know exactly which countries they want to target, and they make an effort to minimize noise and reduce collateral damage.\r\nMalwarebytes users are protected against this threat thanks to our anti-exploit module, which blocks Magnitude EK’s attempt to exploit CVE-2018-8174 (VBScript engine vulnerability).\r\nThanks to David Ledbetter for his help with deobfuscating the VBScript.\r\nIndicators of compromise (IOCs)\r\n178.32.62[.]130, bluehuge[.]expert, Magnigate (Step 1); 94.23.165[.]192, 69a5010hbjdd722q.feedrun[.]onlin\r\nCode snippets\r\nJavaScript\r\nVBScript\r\nMagniber (original)\r\n6e57159209611f2531104449f4bb86a7621fb9fbc2e90add2ecdfbe293aa9dfc\r\nMagniber (core DLL)\r\nfb6c80ae783c1881487f2376f5cace7532c5eadfc170b39e06e17492652581c2\r\nSource: https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia"
	],
	"report_names": [
		"magniber-ransomware-improves-expands-within-asia"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8b0716c12b9c9826e0c495007121cfa4a0e20c9.pdf",
		"text": "https://archive.orkl.eu/e8b0716c12b9c9826e0c495007121cfa4a0e20c9.txt",
		"img": "https://archive.orkl.eu/e8b0716c12b9c9826e0c495007121cfa4a0e20c9.jpg"
	}
}