Magniber Ransomware Switches To Javascript, Targeting Home Users With Fake Software Updates

0
Magniber Ransomware Switches To Javascript, Targeting Home Users With Fake Software Updates

Introduction

In recent years, “Big Game Hunting” ransomware attacks against enterprises have dominated media headlines because of their high-profile victims and substantial ransom demands. Yet single-client ransomware – a type of ransomware that infects individual computers, rather than fleets of devices – can still cause significant damage to individuals and organizations. In this article, we share our analysis of a ransomware campaign isolated by HP Wolf Security in September 2022 that targeted home users by masquerading as software updates. The campaign spread Magniber, a single-client ransomware family known to demand $2,500 from victims. Notably, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.

Campaign Overview

The infection chain starts with a web download from an attacker-controlled website. The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.

  • Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
  • Security.Database.Upgrade.Win10.0.jse
  • 29229c7696d2d84.jse
  • System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js

Figure 1 – Magniber ransomware isolated by HP Sure Click Enterprise

Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files.

The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system. The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files (Figure 2).

Magniber requires administrator privileges to disable the victim’s ability to recover their data, so the malware uses a User Account Control (UAC) bypass to runs commands without alerting the user. For this to work, however, the logged-in user must be part of the Administrators group. For the encryption task, the malware enumerates files and checks its file extension against a list. If the extension is in the list, the file is encrypted. Finally, the malware places a ransom note in each directory with an encrypted file and shows it to the victim by opening the note in a web browser.

 

Figure 2 – Magniber infection chain

Campaign Technical Analysis

The attackers behind the campaign used several interesting techniques to circumvent detection and prevention mechanisms, described in more detail below.

Phase 1: JavaScript Loader

As mentioned in the overview, the campaigns start with a JavaScript file compressed in a ZIP archive. We’ve seen both JS and JSE files used. JSE files are encoded JavaScript files. In both cases, the scripts are obfuscated (Figure 3).

Figure 3 – Obfuscated JavaScript

After decoding the script, we see it instantiates several MemoryStream type ActiveXObjects. Next, it decrypts an integer array and writes it into one of the MemoryStreams. Once this is done, the MemoryStream is deserialized, giving us an executable .NET file.

Figure 4 – Deobfuscated JavaScript

At this point we enter the second phase, the .NET phase.

Phase 2: .NET Binary

The .NET binary has a very simple structure since it only contains a few functions and an integer array, similar to the JavaScript file. When run, the code sets the memory protection of the array to “PAGE_EXECUTE_READWRITE” and decodes an array in a similar way to the encoded JavaScript in the previous phase. The decoded array is shellcode which is run using the “EnumUILanguages” function, which takes a pointer to a callback function as its first argument.

Figure 5 – Main function inside .NET binary

Phase 3: Stage 1 Shellcode

The first shellcode stage decrypts a second stage, injects it into another process and finally runs it. To evade detection, both shellcode stages use syscalls instead of calling standard libraries.

Figure 6 – Syscall wrapper inside shellcode

The shellcode contains its own wrapper functions that are responsible for making syscalls. To make a syscall, an identifier is written to the EAX register and then the syscall function corresponding to that identifier is executed. However, these identifiers can vary depending on the operating system version, so the malware must account for this to support multiple versions. Magniber queries the operating system version and, for certain syscalls, runs through a switch-case statement before executing it. One example where this happens is “NtCreateThreadEx”. This syscall is used to create a new thread, in this case in another process, where shellcode is injected.

Figure 7 – Syscall identifiers for NtCreateThreadEx

Figure 7 shows the NtCreateThreadEx identifiers for different version of Windows. The code must use the correct identifier based on the operating system version. Using the Switch-Case statements, it is possible to infer which operating systems the malware supports.

Version Code Name Release Date
17134 Windows 10, Version 1803 April 30, 2018
17763 Windows 10, Version 1809 November 13, 2018
18362 Windows 10, Version 1903 May 21, 2019
18363 Windows 10, Version 1909 November 12, 2019
19041 Windows 10, Version 2004 May 27, 2020
19042 Windows 10, Version 20H2 October 20, 2020
19043 Windows 10, Version 21H1 May 18, 2021
19044 Windows 10, Version 21H2 November 16, 2021
20348 Windows Server 2022, Version 21H2 August 18, 2021
22000 Windows 11, Version 21H2 October 4, 2021
22610 Windows 11 Insider Preview April 29, 2022
22621 Windows 11, Version 22H2 September 20, 2022
25115 Windows 11 Insider Preview May 11, 2022
25145 Windows 11 Insider Preview June 22, 2022
25163 Windows 11 Insider Preview July 20, 2022

 

Interestingly, the Magniber sample we analyzed in September support different versions of Windows 11, including pre-release versions. This suggests that end users rather than enterprises were the intended targets of the campaign, since enterprises tend to use older operating systems.

With the help of syscalls, the shellcode injects decrypted shellcode into a new process and executes it, then terminates its own process.

Phase 4: Stage 2 Shellcode

This shellcode now runs in the context of another process, which is why the process chain is interrupted. The purpose of this code can be divided into two parts. The first part deletes shadow copy files and disables backup and recovery features. The second part recursively enumerates all the files on the filesystem and encrypts them based on their file extension. This part of the shellcode also works purely with syscalls and does not use standard libraries.

Phase 4.1:  Delete Shadow Copy Files and Disable Backup and Recovery

To delete the shadow copy files and disable Windows recovery features, Magniber requires administrator privileges, e.g. the user must be in the Administrators group. Most employees in enterprise environments don’t need such privileges, so this is another indication that the attackers behind the campaign intended to target individuals rather than enterprises. However, even if the user is in the Administrators group, the malware must first bypass User Account Control, which allows a process to run with elevated privileges. Magniber uses a UAC bypass that is triggered with the following steps:

  1. The malware creates the registry key:
    1. HKCU\SOFTWARE\Classes\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\Shell\open\command

In our case, this key is linked from the “ms-settings” key and allows the attacker to specify a shell command.

  1. As a value, the malware sets:
    1. “wscript.exe /B / E:VBScript.Encode ../../Users/Public/hnzpfrdt.tex”

 

  1. The malware writes an encoded VBScript into this directory containing commands that delete shadow copy files and disable backup and recovery features in Windows.

 

  1. The malware starts “fodhelper.exe”, a utility for managing optional features in Windows, which then triggers the UAC bypass. This process accesses the newly created registry key and runs the command stored in it, causing the VBScript to execute with elevated privileges and without user confirmation.

 

If you look at the UAC bypass process tree, it looks like this:

Figure 8 – Process tree executing fodhelper.exe

 

One way to prevent the “fodhelper.exe” UAC bypass is to increase the UAC security level to “Always notify”, which stops it from working on Windows 10.

Read Also:  Eco-Tech Growth Across Africa Relies On Good Governance & Sound Policy

The VBScript deletes shadow copy files using Windows Management Instrumentation (WMI), deactivates the Windows recovery feature using the “bcdedit” command, then deletes the system backup using “wbadmin”. This makes it impossible for the user to restore the encrypted files using Windows system tools.

Figure 9 – VBScript that deletes shadow copy files and disables backup and recovery features

Phase 4.2:  Encrypt Files

To decide which files to encrypt, Magniber keeps a list of pseudohashes that each correspond to a different file extension. After enumerating a file, the ransomware generates a pseudohash of the file extension. If the pseudohash is in the list, the file is encrypted. The encrypted file is then renamed with another file extension that is unique to each Magniber sample. The ransomware file extension is identical to the URL path in the ransom note.

Magniber’s file extension hashes are best described as pseudohashes because no standard hash algorithm is used and the calculation causes hash collisions – meaning some files that aren’t in the attacker’s list of file extensions are also encrypted. An implementation of the hashing function in Python looks like this:

def pseudohash(file_ending):
hash = 0
counter = 0
for character in file_ending:
hash += ( ord(b) – 0x60 ) * ( 3 ** ( ( len(file_ending) – counter ) * 3 ) )
counter += 1
return hash

Finally, the ransomware tells the victim about what happened and how they can decrypt their data by dropping an HTML ransom note in every directory that contains an encrypted file. To make sure the user sees the demand, Magniber also opens the note in a web browser.

Figure 10 – Magniber ransom note

How to Protect Yourself

Home users can protect themselves from ransomware campaigns like this one by following this simple advice:

  • Follow the principle of least privilege by only using administrator accounts if you really need to. Many home users have administrator privileges but rarely need them.
  • Download software updates from trusted sources. The campaign depends on tricking people into opening fake software updates. Only download updates from trustworthy sources such as Windows Update and official software vendor websites.
  • Back up your data regularly. Backing up your data will give you peace of mind should the worst happen.

Conclusion

Even though Magniber does not fall into the category of Big Game Hunting, it can still cause significant damage. Home users were the likely target of this malware based on the supported operating system versions and UAC bypass. The attackers used clever techniques to evade protection and detection mechanisms. Most of the infection chain is “fileless”, meaning the malware only resides in memory, reducing the chances of it being detected. Magniber also bypasses detection techniques that rely on user-mode hooks because it uses syscalls instead of standard Windows API libraries. With the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.

Indicators of Compromise (IOCs)

Reference Magniber JavaScript sample used for our analysis:

934cfeb5ee3d2ba49831d76dffb1a2658326e1cd90b50779d6670eb2fbdc7ed1

Magniber JavaScript files:

6155453a58b0ba360fd18a32d838c4452fec374c364824b50447500c8fd12e80

5b2a5ac50977f41ac27590395bb89c1afd553e58f2979b680d545bff1530a17b

79590d91e9131918df458221e8fcb9c5e33d0200f05f9704dcf88167a5515b3f

7064eab88837bc68b8c5076300170cd73dbea046c9594b588779082396dbfe4c

a292ff42e0e1b58b13c867d2c94da2a5d34caa2e9c30b63610f7e12be5e7d3d9

dfa32d8ed7c429b020c0581148a55bc752c35834d7a2b1bae886f2b436285c94

c1d1402226179c66570d66290dff2238b6a9f918c81267a61d58f4807f0d911c

56fb0d5e2e216f2b4d9846517d9ed23b69fba4f19f2bad71cdce47d9081642eb

92ec900b0aa0f8a335cf63d4f313729da2831ffc7d15985adf2d98f2c85c3783

c7729a7817a3d63f71d6c9066bd87192d07992ae57fc3d3e6d0e67c5ab9fb213

9d665f87440c22e3ae209308e3712a83a67932643be019e18b1ae00dc4ab8cbd

b12461bdd88bb2a7f56d11324272ae2a766d560371b2725be6f9d3175fb32f8c

abeec5267f6eb9fc9f01f4688a53e83c87898845767b8cd8599c75dbce1766a8

aeee31c3649724686cb9ad17fe1ee2b70b1ad1b6cd77cb8b1997aa6e75d49cc5

1eba630a870ce1aa840219d77e280cfd05d3d5e5cdea6f382c1c2b8b14ddf04d

54a5b06060639a483a8f6c80c8f095fb41e3eb5e7c02c3ad4ba29ee3a9ed7aab

76c012f134e81138fb37ac3638488f309662efcc9bb4011ff8e54869f26bb119

56d301fe7a6b1a9e21898162b0dada9ff12878c539591052919fabcc36d28541

4936cf896d0e76d6336d07cc14fbe8a99fbe10ad3e682dbc12fdfe7070fd1b24

6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c

05cf26eaea577417804075a2458ac63f58a56b7612653d3a4c2ce8fa752bd418

266f930572d3006c36ba7e97b4ffed107827decd7738a58c218e1ae5450fbe95

9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6

98d96f56deaec6f0324126fcdd79fd8854d52ac2996d223d0cb0ab4cff13ff7c

0c5956b7f252408db7e7b0195bb5419ad3b8daa45ec1944c44e3ec1cca51920f

c4f9dbff435d873b4e8ecbab8c1b7d2dbdb969ac75af4b1d325e06eb4e51b3ad

5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34

d0375fc9cbb564fb18e0afea926c7faf50464b9afb329913dd5486c7cbb36e2e

ad89fb8819f98e38cddf6135004e1d93e8c8e4cba681ba16d408c4d69317eb47

99f0e7f06831c6283f5f4dc261a7bcbe4109b4a6717b534c816ca65cd2f05dc4

b81f76bd5c6e66b9b3a4f2828e58d557091475bed656c9a8d13c8c0e4b7f3936

c6f1da2490fe78b1f281a98c32d6fa88d675598e658d4e660274047e36f1b189

dd30688a0e5ac08fc547f44b60f13ef664654c9a8977f7a5f8f619b08c09620b

c0bf9153ce1641791b357fdb5c2c596fbbf15991a86f510cc444bdb477574d44

bf50794c33eebc9dc2ce3902fe29f683a37da50de3654a2775baa74d0bbd1188

b8e76ad7c7857d9985b15dcd064664d198db7201cb9eb6a0e53d81b6002f7d29

cc1ce8c687450b082dd19a6c5d868f5798e52422172f91ee4b70cb5ffd9f6fcd

a587172f1bbe665cdfc0cbcec54e72d8b9048c77f344ba5076a17fbf620597de

c4560eee4b02dc0ef087e48848cc83b270068d167f613f04d43a64025e72c09f

82fcea3c48509a1724c0a6ded9e3d3cab775a86588119c35b79355105bd828c4

e993e4ddd05007e62e6e2d00e70927933446ff4bcae2b559bb6be3bc5e4ad2d8

5b513dfd8f94f9b6e962eb691caa56d52ab4453369108ae3b572e2ee7f9b555d

d2d3fbfa73dfeb73a6f5c59fefab8dd99dcff58cefeb0d3b3b1c1a8854178933

d80d90ef631bb60b773bf1211f3c53c1cac043674c85eb65dbc457656ba5d4cc

757cd5b65155cd115b71021685fcc52a42ee80aca247ea68f41aa0d82dc20fc0

bba85d79db69db1b638e24e0a426ccccdc5c95875b8c3a26aa959cce3f6c8575

beb5e1c5ba835f29e272b2942b27b63f6f15647f3da51754fcf53c277e0eccf7

f41ec94f9d0c7480df2196b3fc5493599d50de222d2c903b173db3e7caff8747

397aa7bcc4a574dc30f0a491e03be15da55fa898624c7b15d0197e72802d048d

6b18a287aa2c170605409a4675fd600d0597623d174445aaea5a2279bee0c145

46d8d6230083254fa324299fc609125ee404e4bbdd3936ddc0235ae21479b655

e8663c5c28d8591f06eb7995e0f22b7ae7909f9431786f8557f2c081e0e79fad

d3f626d3e533f3b4aa0599c231210d53f709c46f0cfc3d28f0303df544a39b1b

814061567356daf6306eb673cfb97cab264c798320bf1b432d396b66393adf83

2c93879d024238d23270fab734a5ba530bfba2d35b44d265c8be3c93ff8cf463

3055baf30466f1c0f4cd5b78d05fe32ef7fd406dead3ecfcbdef464fdee551b8

568e1e3d55a6146f0f899159c3a5183362b8b13304109b49f7394a9fe8c69ea7

932d2330dc3c1366a8e956183858246c4052027cae1590d2211186be648fdcf4

dfabd6462ab2ecb9fb0cea7caa257841a751c1e91118168ef5a082cf8a25210f

fbd69303e6255aae830daba957c8ef62eb6d23340274eb8058826a08e82773db

123d7744a407af376b4ee4402ff8bee588b40540bcfba22fb64768d1de8c1861

 

Magniber encrypts files with these extensions:

{

“1”: [“c”, “h”, “j”, “p”, “x”],

 

“2”: [“ai”, “ca”, “cd”, “cf”, “cs”, “ct”, “db”, “dd”, “dt”, “dv”, “dx”, “em”, “ep”, “eq”, “fa”, “fb”, “fi”, “fo”, “gv”, “hp”, “hs”, “hz”, “ib”, “ii”, “js”, “jw”, “ma”, “mb”, “me”, “mm”, “mx”, “my”, “of”, “pa”, “pm”, “pu”, “px”, “qd”, “rb”, “rd”, “rs”, “rt”, “rw”, “sh”, “sq”, “st”, “te”, “tm”, “vb”, “vm”, “vw”, “wn”, “wp”, “xd”, “ya”, “ym”, “zw”],

 

“3”: [“hpi”, “icn”, “idc”, “idx”, “igt”, “igx”, “ihx”, “iiq”, “ocr”, “abm”, “abs”, “abw”, “act”, “adn”, “adp”, “aes”, “aft”, “afx”, “agp”, “ahd”, “aic”, “aim”, “alf”, “ans”, “apd”, “apm”, “aps”, “apt”, “apx”, “art”, “arw”, “asc”, “ase”, “ask”, “asm”, “asp”, “asw”, “asy”, “aty”, “awp”, “awt”, “aww”, “azz”, “bad”, “bay”, “bbs”, “bdb”, “bdp”, “bdr”, “bib”, “bmx”, “bna”, “bnd”, “boc”, “bok”, “brd”, “brk”, “brn”, “brt”, “bss”, “btd”, “bti”, “btr”, “can”, “cdb”, “cdc”, “cdg”, “cdr”, “cdt”, “cfu”, “cgm”, “cin”, “cit”, “ckp”, “cma”, “cmx”, “cnm”, “cnv”, “cpc”, “cpd”, “cpg”, “cpp”, “cps”, “cpx”, “crd”, “crt”, “crw”, “csr”, “csv”, “csy”, “cvg”, “cvi”, “cvs”, “cvx”, “cwt”, “cxf”, “cyi”, “dad”, “daf”, “dbc”, “dbf”, “dbk”, “dbs”, “dbt”, “dbv”, “dbx”, “dca”, “dcb”, “dch”, “dcr”, “dcs”, “dct”, “dcx”, “dds”, “ded”, “der”, “dgn”, “dgs”, “dgt”, “dhs”, “dib”, “dif”, “dip”, “diz”, “djv”, “dmi”, “dmo”, “dnc”, “dne”, “doc”, “dot”, “dpp”, “dpx”, “dqy”, “drw”, “drz”, “dsk”, “dsn”, “dsv”, “dta”, “dtw”, “dvi”, “dwg”, “dxb”, “dxf”, “eco”, “ecw”, “ecx”, “edb”, “efd”, “egc”, “eio”, “eip”, “eit”, “emd”, “emf”, “epf”, “epp”, “eps”, “erf”, “err”, “etf”, “etx”, “euc”, “exr”, “faq”, “fax”, “fbx”, “fcd”, “fcf”, “fdf”, “fdr”, “fds”, “fdt”, “fdx”, “fes”, “fft”, “fic”, “fid”, “fif”, “fig”, “flr”, “fmv”, “fpt”, “fpx”, “frm”, “frt”, “frx”, “ftn”, “fxc”, “fxg”, “fzb”, “fzv”, “gdb”, “gem”, “geo”, “gfb”, “ggr”, “gih”, “gim”, “gio”, “gpd”, “gpg”, “gpn”, “gro”, “grs”, “gsd”, “gtp”, “gwi”, “hbk”, “hdb”, “hdp”, “hdr”, “hht”, “his”, “hpg”, “htc”, “hwp”, “ibd”, “imd”, “ink”, “ipf”, “ipx”, “itw”, “iwi”, “jar”, “jas”, “jbr”, “jia”, “jis”, “jng”, “joe”, “jpe”, “jps”, “jpx”, “jsp”, “jtf”, “jtx”, “jxr”, “kdb”, “kdc”, “kdi”, “kdk”, “kes”, “key”, “kic”, “klg”, “knt”, “kon”, “kpg”, “kwd”, “lay”, “lbm”, “lbt”, “ldf”, “lgc”, “lis”, “lit”, “ljp”, “lmk”, “lnt”, “lrc”, “lst”, “ltr”, “ltx”, “lue”, “luf”, “lwo”, “lwp”, “lws”, “lyt”, “lyx”, “lzf”, “mac”, “man”, “map”, “maq”, “mat”, “max”, “mbm”, “mdb”, “mdf”, “mdn”, “mdt”, “mef”, “mel”, “mft”, “min”, “mnr”, “mnt”, “mos”, “mpf”, “mpo”, “mrg”, “msg”, “mud”, “mwb”, “mwp”, “myd”, “myi”, “ncr”, “nct”, “ndf”, “nef”, “nfo”, “njx”, “nlm”, “now”, “nrw”, “nsf”, “nyf”, “nzb”, “obj”, “oce”, “oci”, “odb”, “odg”, “odm”, “odo”, “odp”, “ods”, “odt”, “oft”, “omf”, “oqy”, “ora”, “orf”, “ort”, “orx”, “ost”, “ota”, “otg”, “oti”, “otp”, “ots”, “ott”, “ovp”, “ovr”, “owc”, “owg”, “oyx”, “ozb”, “ozj”, “ozt”, “pan”, “pap”, “pas”, “pbm”, “pcd”, “pcs”, “pdb”, “pdd”, “pdf”, “pdm”, “pds”, “pdt”, “pef”, “pem”, “pff”, “pfi”, “pfs”, “pfv”, “pfx”, “pgf”, “pgm”, “phm”, “php”, “pic”, “pix”, “pjt”, “plt”, “pmg”, “pni”, “pnm”, “pnz”, “pop”, “pot”, “ppm”, “pps”, “ppt”, “prt”, “prw”, “psd”, “pse”, “psp”, “pst”, “psw”, “ptg”, “pth”, “ptx”, “pvj”, “pvm”, “pvr”, “pwa”, “pwi”, “pwr”, “pxr”, “pza”, “pzp”, “pzs”, “qmg”, “qpx”, “qry”, “qvd”, “rad”, “ras”, “raw”, “rcu”, “rdb”, “rft”, “rgb”, “rgf”, “rib”, “ric”, “ris”, “rix”, “rle”, “rli”, “rng”, “rpd”, “rpf”, “rpt”, “rri”, “rsb”, “rsd”, “rsr”, “rst”, “rtd”, “rtf”, “rtx”, “run”, “rzk”, “rzn”, “saf”, “sam”, “sbf”, “scc”, “sch”, “sci”, “scm”, “sct”, “scv”, “scw”, “sdb”, “sdf”, “sdm”, “sdw”, “sep”, “sfc”, “sfw”, “sgm”, “sig”, “skm”, “sla”, “sld”, “slk”, “sln”, “sls”, “smf”, “sms”, “snt”, “sob”, “spa”, “spe”, “sph”, “spj”, “spp”, “spq”, “spr”, “sqb”, “srw”, “ssa”, “ssk”, “stc”, “std”, “sti”, “stm”, “stn”, “stp”, “str”, “stw”, “sty”, “sub”, “suo”, “svf”, “svg”, “sxc”, “sxd”, “sxg”, “sxi”, “sxm”, “sxw”, “tab”, “tcx”, “tdf”, “tdt”, “tex”, “thp”, “tlb”, “tlc”, “tmd”, “tmv”, “tmx”, “tne”, “tpc”, “trm”, “tvj”, “udb”, “ufr”, “unx”, “uof”, “uop”, “uot”, “upd”, “usr”, “vbr”, “vbs”, “vct”, “vdb”, “vdi”, “vec”, “vmx”, “vnt”, “vpd”, “vrm”, “vrp”, “vsd”, “vsm”, “vue”, “wbk”, “wcf”, “wdb”, “wgz”, “wks”, “wpa”, “wpd”, “wpg”, “wps”, “wpt”, “wpw”, “wri”, “wsc”, “wsd”, “wsh”, “wtx”, “xar”, “xdb”, “xlc”, “xld”, “xlf”, “xlm”, “xls”, “xlt”, “xlw”, “xps”, “xwp”, “xyp”, “xyw”, “ybk”, “zdb”, “zdc”],

 

“4”: [“agif”, “albm”, “apng”, “awdb”, “bean”, “cals”, “cdmm”, “cdmt”, “cdmz”, “cimg”, “clkw”, “colz”, “djvu”, “docb”, “docm”, “docx”, “docz”, “dotm”, “dotx”, “dtsx”, “emlx”, “epsf”, “fdxt”, “fodt”, “fpos”, “fwdn”, “gcdp”, “gdoc”, “gfie”, “glox”, “grob”, “gthr”, “icon”, “icpr”, “idea”, “info”, “itdb”, “java”, “jbig”, “jbmp”, “jfif”, “jrtf”, “kdbx”, “mbox”, “mgcb”, “mgmf”, “mgmt”, “mgmx”, “mgtx”, “mmat”, “mrxs”, “oplc”, “pano”, “pict”, “pjpg”, “pntg”, “pobj”, “potm”, “potx”, “ppam”, “ppsm”, “ppsx”, “pptm”, “pptx”, “psdx”, “psid”, “rctd”, “riff”, “scad”, “sdoc”, “sldm”, “sldx”, “svgz”, “text”, “utxt”, “vsdm”, “vsdx”, “vstm”, “vstx”, “wire”, “wmdb”, “xlgc”, “xlsb”, “xlsm”, “xlsx”, “xltm”, “xltx”, “zabw”],

 

“5”: [“accdb”, “class”]

}

 

Magniber domains:

totwo[.]pw

ittakes[.]fun

catat[.]site

tinpick[.]online

pirlay[.]fun

buyaims[.]online

orhung[.]space

actsred[.]site