Magniber Ransomware Gang Moved on to Internet Explorer Vulnerabilities from PrintNightmare

Description

FortiGuard Labs is aware of a report that the Magniber ransomware gang is now exploiting two Internet Explorer vulnerabilities, CVE-2021-40444 and CVE-2021-26411, in order to deliver its ransomware.


Why is this Significant?

This is significant because the Magniber gang has moved on from PrintNightmare, which it exploited previously, to a different set of vulnerabilities. Besides confirming another delivery method for Magniber, this may also indicate that the patches for CVE-2021-40444 and CVE-2021-26411 have not been applied as widely as the PrintNightmare patch has.


What are the New Vulnerabilities Exploited by Magniber Gang?

The Magniber gang now exploits CVE-2021-26411 and CVE-2021-40444.

  • CVE-2021-26411 is a memory corruption vulnerability in Internet Explorer and the EdgeHTML-based Microsoft Edge that was reportedly exploited as a zero-day by the Lazarus (aka ZINC) group.
  • CVE-2021-40444 is a remote code execution vulnerability in Microsoft MSHTML, the Internet Explorer rendering engine, that affects multiple Microsoft Windows platforms and was also exploited as a zero-day before a patch was available.


What is PrintNightmare?

PrintNightmare refers to CVE-2021-34527, which is a critical vulnerability in the Windows Print Spooler service. Successfully exploiting the vulnerability allows the attacker to execute arbitrary code with SYSTEM privileges.


FortiGuard Labs previously released a Threat Signal on PrintNightmare. See the Appendix for a link to "#PrintNightmare Zero Day Remote Code Execution Vulnerability".


Has the Vendor Released Patches for CVE-2021-26411 and CVE-2021-40444?

Yes. Microsoft released a patch for CVE-2021-26411 in March 2021 and a patch for CVE-2021-40444 in September 2021.
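As an added check that is not part of the original Threat Signal: the PowerShell below, run on a Windows host, flags a machine whose newest installed update predates the September 2021 Patch Tuesday. The function name and the 14 September 2021 date are assumptions, and the check is a heuristic rather than a KB lookup: Get-HotFix reports the host's servicing history, so a host whose newest update is older than that date cannot have received the cumulative update carrying the CVE-2021-40444 fix (the March 2021 fix for CVE-2021-26411 is older still, so the same date covers both), while a host with a newer entry should still be confirmed against Microsoft's KB list for its Windows build.

```powershell
# Added example, not from the FortiGuard advisory. Function name and the
# Patch Tuesday date are assumptions; substitute the KB release date for
# the host's Windows build if you track that directly.
function Test-MagniberPatchLevel {
    param(
        # The 14 Sept 2021 updates shipped the CVE-2021-40444 fix; the
        # CVE-2021-26411 fix (March 2021) is older, so this date covers both.
        [datetime]$RequiredDate = [datetime]'2021-09-14'
    )

    # Get-HotFix wraps Win32_QuickFixEngineering; keep entries that carry an
    # install date and look like a Windows update (Security Update / Update).
    $updates = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.Description -match 'Update' } |
        Sort-Object InstalledOn -Descending

    if (-not $updates) {
        return [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Status = 'Unknown'
            Detail = 'No update history reported by Get-HotFix; verify manually.'
        }
    }

    $latest = $updates[0]
    $status = if ($latest.InstalledOn -lt $RequiredDate) {
        'Likely unpatched'
    } else {
        'Probably current (confirm KB for this build)'
    }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Status      = $status
        LatestKB    = $latest.HotFixID
        InstalledOn = $latest.InstalledOn.ToString('yyyy-MM-dd')
        Detail      = "Newest update compared against $($RequiredDate.ToString('yyyy-MM-dd'))"
    }
}

# Local run; for a fleet, wrap it in Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Test-MagniberPatchLevel}.
Test-MagniberPatchLevel | Format-List
```

Treat "Likely unpatched" as a definite finding and "Probably current" as a lead to verify, since Get-HotFix does not list every servicing channel and a later non-cumulative update can postdate a missing LCU.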


What is Magniber?

Magniber is ransomware that encrypts files on the compromised system and demands that the victim pay a ransom in order to recover the encrypted files.


FortiGuard Labs previously posted a Threat Signal on Magniber ransomware. See the Appendix for a link to "Magniber Ransomware Delivered to South Korean Victims Through PrintNightmare Vulnerability".


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against recent variants of Magniber ransomware:

W64/Kryptik.FU!tr

W32/Injector.FU!tr


The following AV coverage is also available for known Magniber ransomware:

W32/Magniber.A!tr

W32/Filecoder_Magniber.A!tr

W32/Filecoder_Magniber.B!tr

W32/Filecoder.MAGNIBER!tr

W32/Filecoder_Magniber.E!tr

W32/Filecoder_Magniber.C!tr

W32/Magniber.E!tr.ransom

W32/Filecoder_Magniber.F!tr.ransom

W32/Magniber.DA5D!tr.ransom


The Internet Explorer vulnerabilities (CVE-2021-40444 and CVE-2021-26411) exploited by the Magniber gang are detected by the following IPS signatures:

MS.Office.MSHTML.Remote.Code.Execution

MS.IE.CVE-2021-26411.Memory.Corruption