|
Did you know that a Magniber ransomware infection can cost you a ransom of as much as US$2,500? The operators’ favored method of delivery? Fake Windows 10 updates, putting 80% of all Windows operating system (OS) users worldwide at risk. The campaign, believed to have begun in April this year, remains a threat. Are Windows 10 users the only ones at risk, though?
We used WHOIS, IP, and DNS intelligence to uncover additional web properties potentially related to the ongoing Magniber ransomware campaign and found:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
The HP report referenced earlier warned Windows users to steer clear of these eight domains identified as indicators of compromise (IoCs) for the ongoing massive Magniber ransomware campaign:
Historical WHOIS searches for these domain names showed they were all newly created, as evidenced by their creation dates.
Our closer look also showed significant similarities among their name server and registrar details, namely:
Domains Identified as IoCs | Name Servers |
---|---|
totwo[.]pw | NS1[.]TOTWO[.]PW NS2[.]TOTWO[.]PW |
ittakes[.]fun | NS1[.]ITTAKES[.]FUN NS2[.]ITTAKES[.]FUN |
catat[.]site | NS1[.]CATAT[.]SITE NS2[.]CATAT[.]SITE |
tinpick[.]online | NS1[.]TINPICK[.]ONLINE NS2[.]TINPICK[.]ONLINE |
pirlay[.]fun | NS1[.]PIRLAY[.]FUN NS2[.]PIRLAY[.]FUN |
buyaims[.]online | NS1[.]BUYAIMS[.]ONLINE NS2[.]BUYAIMS[.]ONLINE |
orhung[.]space | NS1[.]ORHUNG[.]SPACE NS2[.]ORHUNG[.]SPACE |
actsred[.]site | NS1[.]ACTSRED[.]SITE NS2[.]ACTSRED[.]SITE |
We then sought to find additional artifacts using the Windows-specific strings “windows + update,” “windows + patch,” and “windows + security” for Domains & Subdomains Discovery searches and uncovered 82 domains and 213 subdomains. Bulk malware checks for these showed that two domains—windows-11-update[.]com and windowsupdates-microsoft[.]org—were malicious. In addition, two subdomains—windowsecuritywarm[.]xyz and windows-security-scan[.]com—were confirmed malware hosts.
Bulk screenshot lookups, meanwhile, showed that four of these—windowspatch[.]info, windowsupdates[.]cn, windowsupdated[.]ml, and windows-update[.]win—currently host live content. Windows-update[.]win was particularly interesting since it sported the Microsoft logo despite not being owned by the company.
Six subdomains—a-patch-for-windows-live-messenger-8-5[.]programmesetjeux[.]com, canon-drivers-update-utility-for-windows1[.]software[.]informer[.]com, security-update-for-windows-internet-exp53[.]software[.]informer[.]com, security-update-for-windows-xp-kb2079403[.]software[.]informer[.]com, security-update-for-windows-xp-kb923980[.]software[.]informer[.]com, and shutdownwindowssecuritythreat[.]blogspot[.]com—are currently live. None of them looked particularly sinister, though.
To further expand the publicized list of IoCs, we sought to determine if users of other software were also at risk. We also deemed it worthwhile to identify the potential software targets.
Domains & Subdomains Discovery revealed 102 domains and 215 subdomains containing the generic strings “software + update,” “software + patch,” and “software + security,” indicating risks for users of other programs. Take a look at the word cloud below showing how many times related terms, including company names, appeared in the domains and subdomains.
One of the domains (i.e., bverestsystemsoftwareupdateb[.]xyz) and 10 of the subdomains (i.e., including updatesoftware[.]coolmethod2theupdate[.]life, softwareupdate[.]findmethod4upgrading[.]info)—containing the generic strings were confirmed malware hosts.
IoC expansion aided by WHOIS and DNS intelligence yet again led to the discovery of tons more artifacts that could have ties to an ongoing malware campaign or threat actors relying on similar techniques. The results of our in-depth analysis also revealed that Magniber ransomware attacks and similar threats could also put users of other software and hardware at great risk.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byCSC