Magniber ransomware: exclusively for South Koreans | Malwarebytes Labs
By Malwarebytes Labs
Published: 2017-10-17 · Archived: 2026-04-05 20:01:38 UTC

The Magnitude exploit kit has been pretty consistent over the last few months, dropping the same payload, namely the Cerber ransomware, and targeting a few select countries in Asia. Strangely, Magnitude EK disappeared in late September, and for a while we wondered whether this was yet another casualty in the already deflated exploit kit scene. However, a few days ago Magnitude EK resurfaced, this time with a new payload. The delivered malware is also a ransomware, but of a family that was not known before. It has been named Magniber.

This Magniber ransomware is highly targeted, as it checks at several levels (external IP, the language installed, etc.) to ensure that the attacked system is only South Korean. Targeting a single country is unusual on its own, but performing multiple checks to be sure of the country and language of origin makes this a first for ransomware.

Analyzed samples

9bb96afdce48fcf9ba9d6dda2e23c936c661212e8a74114e7813082841667508 – dropped by Magnitude EK
8968c1b7a7aa95931fcd9b72cdde8416063da27565d5308c818fdaafddfa3b51 – unpacked payload

Older sample

ef70f414106ab23358c6734c434cb7dd – main sample (packed)
aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30 – unpacked payload

Distribution method

So far, we found this ransomware is dropped only by the Magnitude exploit kit. No other distribution method is known at the moment.

Behavioral analysis

If the malware is executed on non-Korean systems, the only thing we can see is the operation of deleting itself, delayed by running the ping command. It only starts its malicious operations on systems where the Korean language is detected. The executable is pretty noisy, because it implements various tasks just by command line.
Running it in the sandbox, we can see the following graph of calls. The malware copies itself into %TEMP% and deploys itself with the help of the task scheduler. In the same folder, we can also see the ransom note and yet another file. Its name is the same as the part of the domain that has been generated for the particular user, and its extension is the same as the extension of the encrypted files.

To each encrypted file an extension is added that is composed of lowercase Latin characters and is constant for the particular sample of Magniber. The same plaintext produces the same ciphertext, which means each and every file is encrypted using exactly the same key (and, as the code analysis later confirms, the same IV). Below, we demonstrate a visualization of the bytes of a sample BMP file before and after being encrypted by Magniber. As you can see, there are no visible patterns in the encrypted version; it suggests that some strong algorithm has been used, probably AES in CBC mode.

At the beginning of each encrypted file, we find a 16-character long identifier that is constant for the particular sample of Magniber. After the encryption of all the found files is done, the ransomware runs notepad, displaying the dropped ransom note. The ransom note is in TXT format and its structure is minimalistic. It gives four alternative addresses pointing to the page for the victim.

Page for the victims

The page for the victims is in English only.
Its template is very similar to the one used by the Cerber ransomware (this is the only similarity between those ransomware families; internally they are quite different).

Network communication

We found Magniber connecting to domains that are generated by the built-in algorithm. The same domains that are used as CnC are later used for the individual websites for the victim (only they are called with a different parameter). Examples of the called URLs:

http://xat91h3evntk5zb66dr.bankme.date/new1
http://xat91h3evntk5zb66dr.bankme.date/end1

Compare the URLs from the ransom note with the corresponding run:

http://xat91h3evntk5zb66dr.bankme.date/EP866p5M93wDS513
http://xat91h3evntk5zb66dr.jobsn

At the beginning of the execution, the ransomware sends a request to the URL ending with new1 (or new0). At the end of the execution, it requests end1 (or end0). The meaning of those URLs will be explained in detail in the next part of the article.

What's interesting is that the server gives a valid response if, and only if, the public IP of the victim is Korean. Otherwise, the response is empty. In the captured initial request and response (the request was made from a Korean IP), we get a 16-character long random string in the response: ce2KPIak3cl6JKm6. The new random URL can be requested only once. If we try to repeat the request, we get an empty response.

The other request (the ending one) also gives a 16-character long random string in response. But contrary to the first one, it responds on every request (with a different random string each time).

Inside the code

As always, to understand what is really going on here, we will have to take a deeper dive inside the code.
Magniber is delivered packed by various crypters, and the unpacking method will depend on the crypter's features. You can see the process of unpacking the current sample in the video below.

After defeating the first layer, we obtain the second PE file: the malicious core. The core does not contain any advanced obfuscation. The authors made the strings just slightly difficult to follow by loading them into memory character by character.

Execution flow

Looking inside the unpacked payload, we can clearly see why it doesn't run on most systems. At the beginning, there is a language check performed with a Windows API function. The only accepted UI language is Korean (code 1042). If any other language is detected, the sample just deletes itself and causes no harm. This language check has been added in the recent Magniber samples and was not found in the earlier versions, such as aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30.

After the check is passed, Magniber follows with typical ransomware functionality. Overview of the performed steps:

1. Creates a mutex
2. Checks in the temp folder whether the marker file has been dropped
3. Drops a copy of itself in %TEMP% and adds the scheduled task
4. Queries the generated subdomains to retrieve the AES key (if retrieving the key fails, loads the hardcoded one)
5. Enumerates and encrypts files with the selected extensions
6. Reports finishing the task to the CnC
7. Executes notepad, displaying the ransom note
8. Deletes itself

What is attacked?

The list of extensions attacked by Magniber is really long. It includes documents, source code files, and many others.
The complete list is below:

docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg onetoc2 snt docb docm dot

The list is loaded at the beginning of the file-encrypting function. As usual, some of the directories are exempted:

:\documents and settings\all users
:\documents and settings\default user
:\documents and settings\localse

How does the encryption work?

Magniber encrypts files with AES 128-bit in CBC mode. It is implemented with the help of the Windows Crypto API.

The DGA and the victim ID

In the usual scenario, the malware tries to retrieve the AES key from the CnC by querying pseudo-random subdomains. The pseudo-random part is used to uniquely identify the victim. It is generated by a simple algorithm: each character is derived from the tick count, converted to the given charset. The number 0 or 1 is appended to the URL depending on whether the sample is running in a controlled environment or not (detected using a time check).

Four domains are queried for the key. If any of them gives a 16-byte long response, that response is treated as the valid key: it is copied to the buffer and used further. Otherwise, it falls back to the hardcoded key.

The default AES key and IV

The interesting thing is that each sample comes with the AES key hardcoded. However, it is used only as a backup if downloading the key from the CnC was for some reason impossible (which also occurs if the public IP was not from Korea). The key is unique per sample. In the currently analyzed sample, it is S25943n9Gt099y4K.
Similarly, the initialization vector is always hardcoded in the sample (it is never downloaded). It is the same 16-character string that is written at the beginning of each encrypted file. In the currently analyzed sample it is EP866p5M93wDS513.

The algorithm

First, the crypto context is initialized. The malware imports the key and initialization vector with the help of the functions CryptImportKey and CryptSetKeyParam. When encrypting a file, the first write stores the 16-byte long string at the beginning of the file. Then, the file is read chunk by chunk and encrypted using the Windows Crypto API.

Conclusion

Magniber ransomware is being distributed instead of Cerber from the same exploit kit, approaching the same targets. However, internally it has nothing in common with Cerber and is much simpler. The only feature that makes it unique is being so picky about the targeted country. For the first time, we are seeing country checks being performed at various levels of execution. This ransomware family appeared recently and is probably still under active development. We will keep an eye on its evolution and keep you informed.

The users of Malwarebytes for Windows (with real-time, anti-ransomware technology deployed) are protected against Magniber.

Appendix

https://www.checkmal.com/page/resource/video/?detail=read&idx=676&p=1&pc=20
https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/
https://gist.github.com/evilsocket/b89df665e6d52446e3e353fc1cc44711 (magniber_decryptor.exe) – decryptor by @evilsocket (works only for the cases when the AES key is known – i.e.
the default one from the sample was used, or the random one can be extracted from the captured traffic)

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

Source: https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/
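To make the encrypted-file layout described under "The algorithm" concrete (the 16-byte IV string as a marker, followed by AES-128-CBC ciphertext under one key for every file), here is an added Go example that is neither the malware's code nor @evilsocket's decryptor: it checks a file for the marker and decrypts it with the key and IV quoted for the analyzed sample, which is exactly the "key is known" case the appendix mentions. PKCS#7 padding on the final block and the constructed sample input are assumptions of this example, not statements from the write-up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Key and IV quoted in the write-up for the analyzed sample.
const (
	SampleKey = "S25943n9Gt099y4K" // hardcoded fallback AES-128 key
	SampleIV  = "EP866p5M93wDS513" // hardcoded IV, also written as the file marker
)
// IsMagniberFile reports whether data starts with the 16-byte marker (the IV string).
func IsMagniberFile(data []byte, iv string) bool {
	return len(data) >= aes.BlockSize && string(data[:aes.BlockSize]) == iv
}

// Decrypt recovers a file laid out as marker || AES-128-CBC(body). PKCS#7 padding is an assumption.
func Decrypt(data []byte, key, iv string) ([]byte, error) {
	if !IsMagniberFile(data, iv) {
		return nil, errors.New("missing 16-byte marker")
	}
	body := data[aes.BlockSize:]
	if len(body) == 0 || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, []byte(iv)).CryptBlocks(out, body)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or IV")
	}
	return out[:len(out)-pad], nil
}

// EncryptLikeSample builds a constructed file with the same layout for offline testing (demo scaffolding, not the malware's routine).
func EncryptLikeSample(plain []byte, key, iv string) []byte {
	block, _ := aes.NewCipher([]byte(key))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, []byte(iv)).CryptBlocks(out, padded)
	return append([]byte(iv), out...)
}
```

Because the marker is constant per sample, the same 16-byte prefix check is also a cheap way to triage which files on a disk image were touched by that sample.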