Security personnel found that infections by a new ransomware have surged, spread mainly through advertising slots on pornographic websites

Time:2022-7-31

Magniber is a fileless ransomware that exploits Internet Explorer vulnerabilities. It has previously caused serious damage to many Korean users. If the relevant security teams cannot find and block the vulnerability at the initial stage, it is difficult to prevent further infection, and the fileless technique also makes it hard for security software to detect.

Magniber ransomware had been distributed using the CVE-2021-26411 vulnerability since March 15, 2021. Recently it was found to have switched to the CVE-2021-40444 vulnerability.

It is worth noting that this is the latest vulnerability, for which Microsoft pushed a security patch on September 14. At present, most users are still at risk of infection. (CVE-2021-40444 is used only in Windows 10/Windows 11 environments; CVE-2021-26411 is still being used in other environments.)

Security personnel have found that attacks by the Magniber ransomware have recently become frequent, and Internet users in many regions across the country have been affected.

360 security personnel revealed that the ransomware spreads using the CVE-2021-40444 vulnerability and also uses the PrintNightmare vulnerability to escalate privileges, making it more harmful than before. According to the analysis, the virus is mainly spread through the advertising slots of pornographic websites.

Since November 5, they have received a large number of requests for help from people infected with the Magniber ransomware, and have detected a significant increase in the volume of intercepted CVE-2021-40444 exploitation attempts. Analysis and tracking found that this is a drive-by download ("web trojan planting") attack group, and the technology and attack methods used show that it is a technically sophisticated hacker organization. At the same time, because the drive-by download sites mainly target China, the impact on ordinary Internet users is significant.

Security personnel said that the hacker gang mainly places advertisements carrying attack code in the advertising slots of pornographic websites (and a few other websites). When users visit the advertising page, they may be hit and infected with the ransomware.

It is reported that when the vulnerability is triggered, the ransomware creates a file named calc.inf at the path below. The Magniber ransomware is then loaded by control.exe, a normal Windows process.

2021/09/16:%SystemDrive%:\Users\%UserName%\AppData\Local\Temp\Low\calc.inf

2021/09/17:%SystemDrive%:\Users\%UserName%\AppData\Local\Temp\Low\winsta.inf

The following figure shows the iexplore.exe -> control.exe call chain and the execution of the calc.inf file.
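One way a defender could turn the chain described above into a detection rule over process-creation telemetry, as an added example that is not part of the original article or of any vendor's product: it flags control.exe launched by iexplore.exe with an .inf file under %LocalAppData%\Temp\Low on its command line (the calc.inf and winsta.inf names from the report are matched as instances of that general pattern). The event records below are constructed for illustration; the field layout, user names and paths are assumptions, not real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Each record is (parent_image, image, command_line). Two rows mirror the chain
# described in the article: iexplore.exe spawning control.exe to load an .inf
# file from %LocalAppData%\Temp\Low; the other rows are benign decoys.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     "iexplore.exe"),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Windows\System32\control.exe",
     r"control.exe C:\Users\alice\AppData\Local\Temp\Low\calc.inf"),
    # Normal Control Panel launch from the desktop shell: must not match.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\control.exe",
     "control.exe /name Microsoft.Display"),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Windows\System32\control.exe",
     r'control.exe "C:\Users\bob\AppData\Local\Temp\Low\winsta.inf"'),
]

# Any .inf file sitting directly under <profile>\AppData\Local\Temp\Low.
# The filename is captured so the alert can report it.
INF_IN_TEMP_LOW = re.compile(
    r'\\AppData\\Local\\Temp\\Low\\([^\\"\s]+\.inf)', re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(parent_image, image, command_line):
    """True when control.exe is started by iexplore.exe with a Temp\\Low .inf argument."""
    return (basename(parent_image) == "iexplore.exe"
            and basename(image) == "control.exe"
            and INF_IN_TEMP_LOW.search(command_line) is not None)


def find_hits(events):
    """Run the rule over a list of (parent, image, cmdline) records and return the alerts."""
    hits = []
    for parent, image, cmd in events:
        if is_suspicious(parent, image, cmd):
            match = INF_IN_TEMP_LOW.search(cmd)
            hits.append({"parent": parent, "image": image, "inf": match.group(1)})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT: %s -> %s loading %s" % (hit["parent"], hit["image"], hit["inf"]))
```

The rule keys on the parent-child relationship plus the unusual load location rather than on the file name alone, so a renamed .inf (as happened between September 16 and 17 in the report) still triggers, while an ordinary Control Panel launch from explorer.exe does not.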


The following figure shows that distribution of Magniber under the file name calc.inf began after 09:00 on September 16, 2021; there are about 300 cases in the V3 detection log.

Affected operating systems:

Windows 8.1, RT 8.1

Windows 10: 1607, 1809, 1909, 2004, 20H2, 21H1

Windows Server 2008 SP2, 2008 R2 SP1

Windows Server 2012, 2012 R2

Windows Server 2016, 2019, 2022

Windows Server, version 2004, 20H2
