{
	"id": "e1f3eb53-6a36-4777-9616-54a03db71c1f",
	"created_at": "2026-04-06T00:19:03.026274Z",
	"updated_at": "2026-04-10T13:11:32.242491Z",
	"deleted_at": null,
	"sha1_hash": "fc22cc1f8ad5986e7b70a53d651a90f842cf7aad",
	"title": "Magniber ransomware: exclusively for South Koreans | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 452297,
	"plain_text": "Magniber ransomware: exclusively for South Koreans |\r\nMalwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-10-17 · Archived: 2026-04-05 20:01:38 UTC\r\nThe Magnitude exploit kit has been pretty consistent over the last few months, dropping the same payload—\r\nnamely, the Cerber ransomware—and targeting a few select countries in Asia. Strangely, Magnitude\r\nEK disappeared in late September, and for a while we wondered whether this was yet another casualty in the\r\nalready deflated exploit kit scene.\r\nHowever, a few days ago Magnitude EK resurfaced, this time with a new payload. The delivered malware is also a\r\nransomware, but of a family that was not known before. It has been named Magniber.\r\nThis Magniber ransomware is highly targeted, as it checks at several levels (external IP, the language installed,\r\netc.) to ensure that the attacked system is only South Korean. Targeting a single country is unusual on its own, but\r\nperforming multiple checks to be sure of the country and language of origin makes this a first for ransomware.\r\nAnalyzed samples\r\n9bb96afdce48fcf9ba9d6dda2e23c936c661212e8a74114e7813082841667508 – dropped by Magnitude EK\r\n8968c1b7a7aa95931fcd9b72cdde8416063da27565d5308c818fdaafddfa3b51 – unpacked payload\r\nOlder sample\r\nef70f414106ab23358c6734c434cb7dd – main sample (packed)\r\naa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30 – unpacked payload\r\nDistribution method\r\nSo far, we found this ransomware is dropped only by the Magnitude exploit kit:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/\r\nPage 1 of 12\n\nNo other distribution method is known at the moment.\r\nBehavioral analysis\r\nIf the malware is executed on non-Korean systems, the only thing we can see is the operation of deleting itself,\r\ndelayed by running the ping command:\r\nIt only starts its malicious operations on systems with Korean language detected. 
The executable is pretty noisy,\r\nbecause it implements various tasks just by command line. Running it on the sandbox, we can see the following\r\ngraph of calls:\r\nThe malware copies itself in %TEMP% and deploys itself with the help of task scheduler:\r\nIn the same folder, we can also see the ransom note and yet another file. Its name is the same as the part of the\r\ndomain that has been generated for the particular user, and its extension is the same as the extension of the\r\nencrypted files:\r\nEach encrypted file gets an extension composed of lowercase Latin characters that is constant for the\r\nparticular sample of Magniber.\r\nThe same plaintext produces the same ciphertext. This means each and every file is encrypted using exactly the\r\nsame key.\r\nBelow, we demonstrate a visualization of bytes of a sample BMP file before and after being encrypted by\r\nMagniber:\r\nAs you can see, there are no visible patterns in the encrypted version; it suggests that some strong algorithm has\r\nbeen used, probably AES in CBC mode.\r\nAt the beginning of each encrypted file, we find a 16-character long identifier that is constant for the particular\r\nsample of Magniber:\r\nAfter the encryption of all the found files is done, the ransomware runs notepad, displaying the dropped ransom\r\nnote:\r\nThe ransom note is in the TXT format and its structure is minimalistic. It gives four alternative addresses pointing\r\nto the page for the victim.\r\nPage for the victims\r\nThe page for the victims is in English only. 
Its template is very similar to the one used by the Cerber ransomware\r\n(this is the only similarity between those ransomware families—internally they are quite different):\r\nNetwork communication\r\nWe found Magniber connecting to domains that are generated by the built-in algorithm. The same\r\ndomains that are used as CnC are later used for individual websites for the victim (only they are\r\ncalled with a different parameter). Examples of the called URLs:\r\nhttp://xat91h3evntk5zb66dr.bankme.date/new1 http://xat91h3evntk5zb66dr.bankme.date/end1\r\nCompare the URLs from the ransom note with the corresponding run:\r\nhttp://xat91h3evntk5zb66dr.bankme.date/EP866p5M93wDS513 http://xat91h3evntk5zb66dr.jobsn\r\nAt the beginning of the execution, the ransomware sends a request to the URL ending\r\nwith new1 (or new0). At the end of the execution, it requests end1 (or end0). The meaning of those\r\nURLs will be explained in detail in the next part of the article.\r\nWhat’s interesting is that the server gives a valid response if, and only if, the public IP of the victim was Korean.\r\nOtherwise, the response is empty. Example of the captured initial request and response (the request was made\r\nfrom the Korean IP):\r\nIn the response, we get a 16-character long, random string: ce2KPIak3cl6JKm6. The new random URL can be\r\nrequested only once. If we try to repeat the request, we will get an empty response.\r\nThe other request (the ending one) also gives a 16-character long, random string in response. But contrary to the\r\nfirst one, it responds on every request (a different random string each time). 
Example of the ending request and\r\nresponse:\r\nInside the code\r\nAs always, to understand what is really going on here, we will have to take a deeper dive inside the\r\ncode.\r\nMagniber is delivered packed by various crypters, and the unpacking method will depend on the crypter’s\r\nfeatures. You can see the process of unpacking the current sample in the video below.\r\nAfter defeating the first layer, we obtain the second PE file: the malicious core. The core does not contain any\r\nadvanced obfuscation. The authors made the strings just slightly difficult to follow by loading them into memory\r\ncharacter by character:\r\nExecution flow\r\nLooking inside the unpacked payload, we can clearly see why it doesn’t run on most systems. At the\r\nbeginning, there is a language check (using the API function \r\nThe only accepted UI language is Korean (code 1042). In case any other language is detected, the sample just deletes itself\r\nand causes no harm. This language check has been added in the recent Magniber samples and was not found in the\r\nearlier versions, such as aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30.\r\nAfter the check is passed, Magniber follows with typical ransomware functionality. Overview of the performed\r\nsteps:\r\n1. Creates mutex\r\n2. Checks in the temp folder if the marker file has been dropped\r\n3. Drops the copy of itself in %TEMP% and adds the scheduled task\r\n4. Queries the generated subdomains to retrieve the AES key (if retrieving the key failed, loads the hardcoded\r\none)\r\n5. Enumerates and encrypts files with the selected extensions\r\n6. Reports finishing the task to the CnC\r\n7. Executes the notepad displaying the ransom note\r\n8. 
Deletes itself\r\nWhat is attacked?\r\nThe list of extensions attacked by Magniber is really long. It includes documents, source code files, and many\r\nothers. The complete list is below:\r\ndocx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg onetoc2 snt docb docm dot\r\nThe list loads at the beginning of the file encrypting function:\r\nAs usual, some of the directories are exempted:\r\n:documents and settingsall users :documents and settingsdefault user :documents and settingslocalse\r\nHow does the encryption work?\r\nMagniber encrypts files with AES 128 bit in CBC mode. It is implemented with the help of Windows Crypto API.\r\nThe DGA and the victim ID\r\nIn the usual scenario, the malware tries to retrieve the AES key from the CnC by querying pseudo-random\r\nsubdomains:\r\nThe pseudo-random part is used to uniquely identify the victim. It is generated by the following simple algorithm:\r\nEach character is based on the tick count, converted to the given charset:\r\nThe number 0 or 1 is appended to the URL depending on whether the sample is running in a controlled environment\r\n(detected using a time check).\r\nFour domains are being queried for the key:\r\nIf any of them returns a 16-byte long response, it is treated as the valid key: it is copied to the buffer and used further.\r\nOtherwise, it falls back to the hardcoded key.\r\nThe default AES key and IV\r\nThe interesting thing is that each sample comes with the AES key hardcoded. However, it is used only as a backup\r\nif downloading the key from the CnC was for some reason impossible (that occurs also in the case if the public IP\r\nwas not from Korea). The key is unique to each sample. 
In the currently analyzed sample, it\r\nis S25943n9Gt099y4K:\r\nSimilarly, the initialization vector is always hardcoded in the sample (but not downloaded). The same 16-character\r\nlong string was also saved at the file beginning. In the currently analyzed sample it is EP866p5M93wDS513:\r\nThe algorithm\r\nFirst, the crypto context is initialized. The malware imports the key and initialization vector with the help of\r\nfunctions CryptImportKey, CryptSetKeyParam:\r\nEncrypting the file:\r\nThe first write stores the 16-byte long string at the beginning of the file. Then, the file is read chunk by chunk and\r\nencrypted using Windows Crypto API.\r\nConclusion\r\nMagniber ransomware is being distributed instead of Cerber from the same exploit kit, approaching the same\r\ntargets. However, internally it has nothing in common with Cerber and is much simpler. The only feature that\r\nmakes it unique is being so picky about the targeted country. For the first time, we are seeing country checks being\r\nperformed at various levels of execution.\r\nThis ransomware family appeared recently and probably is still under active development. 
We will keep an eye on\r\nits evolution and keep you informed.\r\nThe users of Malwarebytes for Windows (with real-time, anti-ransomware technology deployed) are protected\r\nagainst Magniber.\r\nAppendix\r\nhttps://www.checkmal.com/page/resource/video/?detail=read\u0026idx=676\u0026p=1\u0026pc=20\r\nhttps://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/\r\nhttps://gist.github.com/evilsocket/b89df665e6d52446e3e353fc1cc44711 (magniber_decryptor.exe) – decryptor by\r\n@evilsocket (works only for the cases when the AES key is known – i.e. the default one from the sample was\r\nused, or the random one can be extracted from the captured traffic)\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest\r\nin InfoSec. She loves going into details about malware and sharing threat information with the community. Check\r\nher out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/"
	],
	"report_names": [
		"magniber-ransomware-exclusively-for-south-koreans"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc22cc1f8ad5986e7b70a53d651a90f842cf7aad.pdf",
		"text": "https://archive.orkl.eu/fc22cc1f8ad5986e7b70a53d651a90f842cf7aad.txt",
		"img": "https://archive.orkl.eu/fc22cc1f8ad5986e7b70a53d651a90f842cf7aad.jpg"
	}
}