Magniber ransomware being spread in the guise of a legit Microsoft Edge and Google Chrome update

Analysts have discovered that the attackers behind the Magniber ransomware, who until now relied on Internet Explorer vulnerabilities, are targeting PCs through modern browsers such as Edge and Chrome. Magniber is disguised as a legitimate update package for Edge or Chrome and is delivered as a signed .appx file. Installing this “update” encrypts all user data and demands payment for decryption.

Magniber is a ransomware family that has been distributed via known Internet Explorer vulnerabilities for some time. Analysts at the South Korea-based AhnLab Security Emergency Response Center (ASEC) have now found that Magniber is also being distributed as a fake update package for Microsoft Edge and Google Chrome.

Magniber reaches PCs running Edge and Chrome in the form of a browser update package. The malware is distributed as an .appx package signed with a valid certificate, so Windows treats it as a legitimate app and proceeds with the installation. Once installed, the malicious .appx package creates two files – wjoiyyxzllm.dll and wjoiyyxzllm.exe – in a nondescript path within C:\Program Files\WindowsApps. As most users will know, this is a protected folder meant to contain only properly signed Microsoft Store apps.

wjoiyyxzllm.exe loads wjoiyyxzllm.dll and calls an oddly named function, “mbenooj”. The DLL downloads and decodes the ransomware payload, after which Magniber is executed from the memory of wjoiyyxzllm.exe and encrypts the user’s files. A ransom note is then displayed demanding a money transfer to decrypt the data.

Although Magniber is not known to steal any files, there is currently no way to decrypt the data and restore the system without paying the ransom (and it is only assumed that the decryption key is actually provided after payment).

Hence, it goes without saying that users should be careful when downloading files from various sources. A valid signature is not a guarantee of safety: signed .appx files obtained from unverified sources can still be dangerous. Make sure your important data is always backed up and that your security software definitions are up to date.

You can also use Windows Defender’s Controlled Folder Access function to prevent unauthorized access to important files. For more information, check out our tutorial on how to enable Controlled Folder Access in Windows 10.
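As an added example that is not part of the original article, the following PowerShell (run from an elevated prompt) lists installed packages that were not signed through the Microsoft Store, along with the signers of the binaries inside them, and then turns on Controlled Folder Access in audit mode; the lookback window and the extra protected folder are assumed values.

```powershell
# Added example, not from the article or from ASEC. Defender-side check for
# sideloaded .appx packages of the kind described above, plus Controlled
# Folder Access in audit mode. $LookbackDays and $ExtraFolder are assumed.
#Requires -RunAsAdministrator
$LookbackDays = 7
$ExtraFolder  = 'D:\Backups'   # placeholder for a folder not protected by default

# 1. Packages not signed by the Microsoft Store. Store apps report
#    SignatureKind 'Store' (inbox components 'System'); a package signed
#    with some other valid certificate shows up as 'Developer' or
#    'Enterprise', which is how a fake browser "update" dropped into
#    C:\Program Files\WindowsApps would appear.
$suspect = Get-AppxPackage -AllUsers |
    Where-Object { $_.SignatureKind -notin @('Store', 'System') -and -not $_.IsFramework } |
    Where-Object { $_.InstallLocation -like '*\WindowsApps\*' }

foreach ($pkg in $suspect) {
    # Recently created PE files inside the package, with their signers, so an
    # analyst can see who signed the binaries (a valid package signature
    # says nothing about the publisher's intent).
    $binaries = Get-ChildItem -Path $pkg.InstallLocation -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$LookbackDays) }
    foreach ($bin in $binaries) {
        $sig = Get-AuthenticodeSignature -FilePath $bin.FullName
        [pscustomobject]@{
            Package       = $pkg.Name
            Publisher     = $pkg.Publisher
            SignatureKind = $pkg.SignatureKind
            File          = $bin.FullName
            Created       = $bin.CreationTime
            FileSigner    = $sig.SignerCertificate.Subject
            SigStatus     = $sig.Status
        }
    }
}

# 2. Controlled Folder Access in audit mode first: Defender records which
#    processes would have been blocked from writing to protected folders
#    (Microsoft-Windows-Windows Defender/Operational, event 1124), so
#    legitimate software can be allow-listed before enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
# Switch to enforcement once the audit log is clean:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Any row in the output whose publisher or file signer does not match a vendor you deliberately sideloaded deserves a closer look before the package is allowed to stay.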