Malwarebytes researchers have detected the Magniber ransomware displaying notable improvements as its attacks begin to expand within Asia, after it had previously limited its activity to South Korea. The Magniber ransomware has so far expanded to China, Taiwan, Hong Kong, Macau, Singapore, Brunei, and Malaysia, and is now also targeting systems with Malay language settings.
The Magnitude exploit kit is one of the longest-serving browser exploitation toolkits among those still in use. After its inception in 2013, it enjoyed worldwide distribution with a preference for delivering ransomware. Eventually, it became a private operation with a narrow geographic focus.
During 2017, Magnitude delivered Cerber ransomware via a filtering gate known as Magnigate, only to a select few Asian countries. In October 2017, the exploit kit operator began to distribute its own breed of ransomware, Magniber. That change came with an interesting twist—the malware authors went to great lengths to limit infections to South Korea. In addition to traffic filtering via country-specific malvertising chains, Magniber would only install if a specific country code was returned, otherwise, it would delete itself.
In April 2018, the exploit kit unexpectedly started pushing the ever-growing GandCrab ransomware, shortly after having adopted a fresh Flash zero-day (CVE-2018-4878), in what researchers believe may have been a brief test campaign before Magniber was launched again. In recent captures of Magnitude, the latest Internet Explorer exploit (CVE-2018-8174) is seen being used primarily; the kit integrated it after a week-long traffic interruption.
“In early July, we noted exploit attempts happening outside of the typical area we had become used to, for instance in Malaysia,” researchers said in the blog. “At about the same time, a tweet from MalwareHunterTeam mentioned infections in Taiwan and Hong Kong.”
The ransomware carries out its operation with surgical precision, researchers said. “Criminals know exactly which countries they want to target, and they put their efforts to minimize noise and reduce collateral damage,” wrote researchers at Malwarebytes, adding that its source code is now more refined.