Home / Industry

Beware That Software Update, It Could Be Magniber in Disguise

Did you know that a Magniber ransomware infection can cost you a ransom of as much as US$2,500? The operators’ favored method of delivery? Fake Windows 10 updates, putting 80% of all Windows operating system (OS) users worldwide at risk. The campaign, believed to have begun in April this year, remains a threat. Are Windows 10 users the only ones at risk, though?

We used WHOIS, IP, and DNS intelligence to uncover additional web properties potentially related to the ongoing Magniber ransomware campaign and found:

  • 82 domains containing the Windows-specific strings “windows + update,” “windows + patch,” and “windows + security,” two of which have been dubbed “malicious” by various malware engines
  • 102 domains containing the generic software strings “software + update,” “software + patch,” and “software + security,” one of which has been confirmed as a malware host
  • 48 subdomains containing the Windows-specific strings “windows + update,” “windows + patch,” and “windows + security,” two of which have been tagged “malicious” by various malware engines
  • 215 subdomains containing the generic software strings “software + update,” “software + patch,” and “software + security,” 11 of which were confirmed malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Web Properties Should Windows Users Be Wary Of?

The HP report referenced earlier warned Windows users to steer clear of these eight domains identified as indicators of compromise (IoCs) for the ongoing massive Magniber ransomware campaign:

  • totwo[.]pw
  • ittakes[.]fun
  • catat[.]site
  • tinpick[.]online
  • pirlay[.]fun
  • buyaims[.]online
  • orhung[.]space
  • actsred[.]site

Historical WHOIS searches for these domain names showed they were all newly created, as evidenced by their creation dates.

  • Totwo[.]pw, ittakes[.]fun, catat[.]site, and tinpick[.]online were created on 7 September 2022.
  • Pirlay[.]fun, buyaims[.]online, orhung[.]space, and actsred[.]site, meanwhile, were created a few days after, on 12 September 2022.

Our closer look also showed significant similarities among their name server and registrar details, namely:

  • Each domain had two name servers each following the pattern “NS1[.]DOMAIN NAME[.]TLD EXTENSION.” The table below provides more details.

    Domains Identified as IoCsName Servers
    totwo[.]pwNS1[.]TOTWO[.]PW
    NS2[.]TOTWO[.]PW
    ittakes[.]funNS1[.]ITTAKES[.]FUN
    NS2[.]ITTAKES[.]FUN
    catat[.]siteNS1[.]CATAT[.]SITE
    NS2[.]CATAT[.]SITE
    tinpick[.]onlineNS1[.]TINPICK[.]ONLINE
    NS2[.]TINPICK[.]ONLINE
    pirlay[.]funNS1[.]PIRLAY[.]FUN
    NS2[.]PIRLAY[.]FUN
    buyaims[.]onlineNS1[.]BUYAIMS[.]ONLINE
    NS2[.]BUYAIMS[.]ONLINE
    orhung[.]spaceNS1[.]ORHUNG[.]SPACE
    NS2[.]ORHUNG[.]SPACE
    actsred[.]siteNS1[.]ACTSRED[.]SITE
    NS2[.]ACTSRED[.]SITE
  • All of the domains indicated “PDR Ltd. d/b/a PublicDomainRegistry.com” as their registrar and had redacted WHOIS records.

We then sought to find additional artifacts using the Windows-specific strings “windows + update,” “windows + patch,” and “windows + security” for Domains & Subdomains Discovery searches and uncovered 82 domains and 213 subdomains. Bulk malware checks for these showed that two domains—windows-11-update[.]com and windowsupdates-microsoft[.]org—were malicious. In addition, two subdomains—windowsecuritywarm[.]xyz and windows-security-scan[.]com—were confirmed malware hosts.

Bulk screenshot lookups, meanwhile, showed that four of these—windowspatch[.]info, windowsupdates[.]cn, windowsupdated[.]ml, and windows-update[.]win—currently host live content. Windows-update[.]win was particularly interesting since it sported the Microsoft logo despite not being owned by the company.

Six subdomains—a-patch-for-windows-live-messenger-8-5[.]programmesetjeux[.]com, canon-drivers-update-utility-for-windows1[.]software[.]informer[.]com, security-update-for-windows-internet-exp53[.]software[.]informer[.]com, security-update-for-windows-xp-kb2079403[.]software[.]informer[.]com, security-update-for-windows-xp-kb923980[.]software[.]informer[.]com, and shutdownwindowssecuritythreat[.]blogspot[.]com—are currently live. None of them looked particularly sinister, though.

Are Windows Users the Only Ones at Risk?

To further expand the publicized list of IoCs, we sought to determine if users of other software were also at risk. We also deemed it worthwhile to identify the potential software targets.

Domains & Subdomains Discovery revealed 102 domains and 215 subdomains containing the generic strings “software + update,” “software + patch,” and “software + security,” indicating risks for users of other programs. Take a look at the word cloud below showing how many times related terms, including company names, appeared in the domains and subdomains.

One of the domains (i.e., bverestsystemsoftwareupdateb[.]xyz) and 10 of the subdomains (i.e., including updatesoftware[.]coolmethod2theupdate[.]life, softwareupdate[.]findmethod4upgrading[.]info)—containing the generic strings were confirmed malware hosts.


IoC expansion aided by WHOIS and DNS intelligence yet again led to the discovery of tons more artifacts that could have ties to an ongoing malware campaign or threat actors relying on similar techniques. The results of our in-depth analysis also revealed that Magniber ransomware attacks and similar threats could also put users of other software and hardware at great risk.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC