Magnitude EK Targets South Korea with Language-Specific Ransomware

Residents of the Asia-Pacific region, and in particular South Korea, are in the crosshairs of a resurgence in the Magnitude Exploit Kit, which is being used to distribute the Magniber ransomware.

According to FireEye, the Magnitude EK has been quiet since last September, when it was seen mostly targeting victims in Taiwan. However, it roared back into action last week, now focusing solely on South Korea. It also switched up its payloads—previously it had been distributing Cerber ransomware.

The first reappearance of the EK in this latest campaign came as a malvertising redirection. Trend Micro, in a separate analysis, found that these malvertisements filter victims using the geolocation of the client IP address and system language. It’s a staple technique used by EKs and other cyber-criminal campaigns to evade detection and hide their activities from security researchers.

However, the analysis shows that the Magniber ransomware payload only seems to target Korean systems, since it won’t execute if the system language is not Korean; this makes Magniber one of the few country- or language-specific ransomware families out there.

“While many ransomware families like Cerber, SLocker and Locky are increasingly pinpointing their targets, they’re still distributed globally,” Trend Micro researchers said in a blog. “They typically integrate multi-language checklists and functionalities in their codes, such as when serving ransom notes and redirecting victims to their payment pages. Some borrow a publicly available source code and just customize it depending on their target. Last year, for instance, we saw KaoTear, a Korean language-specific ransomware based on Hidden Tear.”

Magniber is still in the experimental stages—perhaps under the auspices of Magnitude’s developers.

“Indeed, we’re bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned,” the researchers noted.

For now, Magnitude only exploits one vulnerability to retrieve and execute the payload: CVE-2016-0189 (patched in May 2016), a memory corruption vulnerability in Internet Explorer. It’s a flaw also used by other exploit kits like Disdain, Sundown-Pirate, Sundown and Bizarro Sundown, as well as by other threat actors.

As always, patching these older vulnerabilities is a first line of defense.

“Ransomware is a significant threat to enterprises,” said FireEye researchers in their analysis. “While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk—especially those running old software versions and not using ad blockers. Enterprises need to make sure their network nodes are fully patched.”
