Magniber ransomware being spread in the guise of a legit Microsoft Edge and Google Chrome update

Magniber ransomware pretends to be a legit Edge or Chrome update package. (Image Source: Unsplash)
Analysts have now discovered that the attackers behind the Magniber ransomware, who until now have relied on Internet Explorer vulnerabilities, are targeting PCs through modern browsers such as Edge and Chrome. The Magniber ransomware is disguised as a legitimate update package for Edge or Chrome and arrives as a signed .appx file. Installing this "update" encrypts all of the user's data and demands payment for decryption.

Magniber is ransomware that has, for quite some time, been distributed by exploiting known Internet Explorer vulnerabilities. However, analysts at the South Korea-based AhnLab Security Emergency Response Center (ASEC) have now discovered that Magniber is also being distributed via Microsoft Edge and Google Chrome, disguised as a legitimate update package.

The Magniber ransomware infects PCs running Edge and Chrome in the form of a browser update package. The malware is distributed as a signed .appx update package carrying a valid certificate, so Windows treats it as a legitimate app and proceeds with installation. Once installed, the malicious .appx package creates two files, wjoiyyxzllm.dll and wjoiyyxzllm.exe, in a nondescript path within C:\Program Files\WindowsApps. As most users will know, this is a protected folder meant to contain only properly signed Microsoft Store apps.

wjoiyyxzllm.exe loads wjoiyyxzllm.dll and calls an oddly named function, "mbenooj". The DLL downloads the ransomware payload and decodes it. The Magniber ransomware is then executed in the memory of the wjoiyyxzllm.exe process and encrypts the user's files. Finally, a ransom note is displayed demanding a money transfer in exchange for decrypting the data.

Though Magniber is not known to steal any files, it is currently not possible to decrypt and restore the data without paying the ransom (and that assumes the decryption key is actually provided upon payment in the first place).

Therefore, it goes without saying that users should be careful when downloading files from various sources. Even signed .appx files can be dangerous when obtained from unverified sources. Ensure that your critical data is always backed up and that your security software's definitions are up to date.

You can also use Windows Defender's Controlled Folder Access function to prevent unauthorized access to critical files. For more information, check out our tutorial on how to enable Controlled Folder Access in Windows 10.
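As an added, defender-side illustration (not code from the article or from ASEC), the PowerShell audit below lists AppX packages that were not installed from the Microsoft Store, flags any whose install folder holds an .exe and .dll sharing one basename (the wjoiyyxzllm.exe/wjoiyyxzllm.dll layout described above), shows who signed each executable, and reports whether Controlled Folder Access is enabled. It assumes the reviewer runs it as Administrator and treats "not from the Store" as the review criterion, which is an assumption rather than a rule the article states.

```powershell
# Added defender-side audit; not from the article or ASEC. Run as Administrator.
# SignatureKind values: Store, System, Developer, Enterprise, None. The article's
# package is signed but not Store-distributed, so non-Store packages are reviewed.
$trustedKinds = @('Store', 'System')

Get-AppxPackage -AllUsers |
    Where-Object { $_.SignatureKind -notin $trustedKinds } |
    ForEach-Object {
        $pkg = $_
        if (-not $pkg.InstallLocation) { return }   # some packages carry no folder

        $exes = Get-ChildItem -Path $pkg.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue
        $dllNames = Get-ChildItem -Path $pkg.InstallLocation -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.BaseName }

        foreach ($exe in $exes) {
            # An .exe with a same-named .dll beside it mirrors the loader/payload
            # pair the article describes; it is a review hint, not proof of malware.
            $signer = (Get-AuthenticodeSignature -FilePath $exe.FullName).SignerCertificate
            [PSCustomObject]@{
                Package       = $pkg.Name
                Publisher     = $pkg.Publisher
                SignatureKind = $pkg.SignatureKind
                Executable    = $exe.FullName
                PairedDll     = ($dllNames -contains $exe.BaseName)
                Signer        = if ($signer) { $signer.Subject } else { '<unsigned>' }
            }
        }
    } |
    Sort-Object PairedDll -Descending |
    Format-Table -AutoSize

# Controlled Folder Access state: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
# Enabling it: Set-MpPreference -EnableControlledFolderAccess Enabled
"Controlled Folder Access: $((Get-MpPreference).EnableControlledFolderAccess)"
```

Entries with PairedDll set to True and a non-Microsoft signer deserve a closer look; a valid signature alone, as the article notes, is not a guarantee of legitimacy.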

Magniber ransomware is disguised as a legit .appx update package for Edge and Chrome. (Image Source: ASEC)
Magniber ransomware showing encryption message. (Image Source: ASEC)

Vaidyanathan Subramaniam - Managing Editor - 1595 articles published on Notebookcheck since 2012
Vaidyanathan Subramaniam, 2022-01-16 (Update: 2022-01-16)