Malwarebytes has taken a look at the Magnitude Exploit Kit (EK) and identified new tricks. Magnitude is one of the most adaptable EK in the market. It spreads through infected sites often taking advantage of malvertising. It also filters its traffic to keep focus on its target audience. Proofpoint calls the filter or gate, Magnigate as highlighted in an article by its researchers earlier this year.
The primary payload for Magnitude is the Cerber ransomware. The details uncovered by Malwarebytes researchers could herald the start of a new infection campaign.
Big is beautiful
The Malwarebytes blog by Jérôme Segura, a security researcher at Malwarebytes, details what was found. Part of this latest evolution of Magnitude has occurred in the Magnigate code. It appears that Magnigate is testing a new attack using a number of different components. Segura identifies them as:
- A redirect loop inside the gate. – Segura claims that this does not happen every time suggesting that it is either a new development or a feature under test.
- Using Microsoft IIS rather than Apache for the server infrastructure. – It could be that this is just the test server for distributing this attack.
- Using an IP address located in South Korea (126.96.36.199). – This address puts the attack in the port city of Busan.
Segura looked at what this new Loop 0 was doing. It appears to be a pre-step test carrying out a number of fingerprinting tests on the remote device. It is looking for the IP address and video driver. This fingerprinting technique is used by a number of security companies. If the connection comes from a honeypot or virtual machine, these tests help to expose that.
Changing the file size to defeat security scanners
July saw other changes in the way Magnitude operated.
- Payload now launched from the Desktop rather than the %temp% folder.
- A new script to call the payload. It has shifted to a new rundll32.rxr command line rather than using regsvr32.exe.
- The new script pads data to the Cerber payload taking it from 345kb to as much as 95MB. Segura claims that this move is designed to stop security scanners inspecting the file. He says that most security scanners have hard limits of between 30MB – 50MB encoded into them. Files larger than the limit are not scanned.
- Once downloaded the Cerber ransomware infects the machine in seconds and displays the ransom note
What does this mean?
Malware writers work hard to keep changing up their attacks. If they get predictable they get stopped and that means no pay day. While Magnitude EK focused on Asia and in particular South Korea and Taiwan last year, that does not mean it won’t target other countries. It is relatively simple to change the parameters to focus a new set of attacks.
Of more concern are the changes to the way Magnitude now works. The change to where the payload is launched from and the new script can be dismissed as a normal evolution. The more worrying change is the use of file size padding. If this is indeed getting past many security scanner as Segura suggests this is a big problem. Once one malware finds a successful attack vector other will copy it.