Magniber ransomware targets Windows users via fake security updates

Share post:

Magniber ransomware is targeting Windows home users via fake security updates promoted on malicious websites. The security update contains a malicious file that contains JavaScript, which can trigger a complicated infection with the file-encrypting malware.

Researchers found that ransomware operators in January used Chrome and Edge browser updates to push malicious Windows application package files (.APPX).

According to HP’s Threat Intelligence team, the ransomware strain focuses explicitly on Windows 10 and 11 builds. Researchers also stated that the ransomware operators charge up to $2,500 to release decryptors to home user.

On its infection chain, the ransomware switched from the use of MSI and EXE files to JavaScript files. These files are obfuscated and use a variation of the “DotNetToJScript” technique to execute a .NET file in the system memory. Doing this reduces the risk of detection by antivirus products.

The attackers use the .NET file to decrypt shellcode, which uses its own wrapper to make stealthy syscalls, and inject it into a new process before terminating its own.

To increase the chances of getting paid after the shellcode deletes shadow copy files via WMI and disables backup and recovery features through “bcdedit” and “wbadmin.”

Home users can protect themselves by making regular backups of their files and keeping an offline storage device.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs


Related articles

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways