Did you know that a Magniber ransomware infection can cost you a ransom of as much as US$2,500? The operators’ favored method of delivery? Fake Windows 10 updates, putting 80% of all Windows operating system (OS) users worldwide at risk. The campaign, believed to have begun in April this year, remains a threat. Are Windows 10 users the only ones at risk, though?

We used WHOIS, IP, and DNS intelligence to uncover additional web properties potentially related to the ongoing Magniber ransomware campaign and found:

• 82 domains containing the Windows-specific strings “windows + update,” “windows + patch,” and “windows + security,” two of which have been dubbed “malicious” by various malware engines
• 102 domains containing the generic software strings “software + update,” “software + patch,” and “software + security,” one of which has been confirmed as a malware host
• 48 subdomains containing the Windows-specific strings “windows + update,” “windows + patch,” and “windows + security,” two of which have been tagged “malicious” by various malware engines
• 215 subdomains containing the generic software strings “software + update,” “software + patch,” and “software + security,” 11 of which were confirmed malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Web Properties Should Windows Users Be Wary Of?

The HP report referenced earlier warned Windows users to steer clear of these eight domains identified as indicators of compromise (IoCs) for the ongoing massive Magniber ransomware campaign:

• totwo[.]pw
• ittakes[.]fun
• catat[.]site
• tinpick[.]online
• pirlay[.]fun
• buyaims[.]online
• orhung[.]space
• actsred[.]site

Historical WHOIS searches for these domain names showed they were all newly created, as evidenced by their creation dates.

• Totwo[.]pw, ittakes[.]fun, catat[.]site, and tinpick[.]online were created on 7 September 2022.
• Pirlay[.]fun, buyaims[.]online, orhung[.]space, and actsred[.]site, meanwhile, were created a few days after, on 12 September 2022.

Our closer look also showed significant similarities among their name server and registrar details, namely:

• Each domain had two name servers each following the pattern “NS1[.]DOMAIN NAME[.]TLD EXTENSION.” The table below provides more details.
  
  

  Domains Identified as IoCs	Name Servers
  totwo[.]pw	NS1[.]TOTWO[.]PW NS2[.]TOTWO[.]PW
  ittakes[.]fun	NS1[.]ITTAKES[.]FUN NS2[.]ITTAKES[.]FUN
  catat[.]site	NS1[.]CATAT[.]SITE NS2[.]CATAT[.]SITE
  tinpick[.]online	NS1[.]TINPICK[.]ONLINE NS2[.]TINPICK[.]ONLINE
  pirlay[.]fun	NS1[.]PIRLAY[.]FUN NS2[.]PIRLAY[.]FUN
  buyaims[.]online	NS1[.]BUYAIMS[.]ONLINE NS2[.]BUYAIMS[.]ONLINE
  orhung[.]space	NS1[.]ORHUNG[.]SPACE NS2[.]ORHUNG[.]SPACE
  actsred[.]site	NS1[.]ACTSRED[.]SITE NS2[.]ACTSRED[.]SITE

• All of the domains indicated “PDR Ltd. d/b/a PublicDomainRegistry.com” as their registrar and had redacted WHOIS records.

We then sought to find additional artifacts using the Windows-specific strings “windows + update,” “windows + patch,” and “windows + security” for Domains & Subdomains Discovery searches and uncovered 82 domains and 213 subdomains. Bulk malware checks for these showed that two domains—windows-11-update[.]com and windowsupdates-microsoft[.]org—were malicious. In addition, two subdomains—windowsecuritywarm[.]xyz and windows-security-scan[.]com—were confirmed malware hosts.

Bulk screenshot lookups, meanwhile, showed that four of these—windowspatch[.]info, windowsupdates[.]cn, windowsupdated[.]ml, and windows-update[.]win—currently host live content. Windows-update[.]win was particularly interesting since it sported the Microsoft logo despite not being owned by the company.

Six subdomains—a-patch-for-windows-live-messenger-8-5[.]programmesetjeux[.]com, canon-drivers-update-utility-for-windows1[.]software[.]informer[.]com, security-update-for-windows-internet-exp53[.]software[.]informer[.]com, security-update-for-windows-xp-kb2079403[.]software[.]informer[.]com, security-update-for-windows-xp-kb923980[.]software[.]informer[.]com, and shutdownwindowssecuritythreat[.]blogspot[.]com—are currently live. None of them looked particularly sinister, though.

Are Windows Users the Only Ones at Risk?

To further expand the publicized list of IoCs, we sought to determine if users of other software were also at risk. We also deemed it worthwhile to identify the potential software targets.

Domains & Subdomains Discovery revealed 102 domains and 215 subdomains containing the generic strings “software + update,” “software + patch,” and “software + security,” indicating risks for users of other programs. Take a look at the word cloud below showing how many times related terms, including company names, appeared in the domains and subdomains.

One of the domains (i.e., bverestsystemsoftwareupdateb[.]xyz) and 10 of the subdomains (i.e., including updatesoftware[.]coolmethod2theupdate[.]life, softwareupdate[.]findmethod4upgrading[.]info)—containing the generic strings were confirmed malware hosts.

IoC expansion aided by WHOIS and DNS intelligence yet again led to the discovery of tons more artifacts that could have ties to an ongoing malware campaign or threat actors relying on similar techniques. The results of our in-depth analysis also revealed that Magniber ransomware attacks and similar threats could also put users of other software and hardware at great risk.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.