The history of Magnigate: from redirection to fingerprinting

The Magnitude exploit kit uses a gate to efficiently redirect traffic and filter unwanted targets

The Magnitude exploit kit (EK), which is being used to deliver the Cerber ransomware to targets across Asia, is using a gate to both filter users and collect identifying information.

Cerber is one of the most common and profitable ransomware variants currently live. It is mainly spread through malicious advertising (malvertising), where the Magnitude EK is hidden in bad adverts, placed by deceiving automated advertising agencies.

A Malwarebytes blog details how users are filtered, using a tool dubbed Magnigate. This gate inspects users and determines whether or not they should be passed on to the EK. To do so, it checks a visitor's IP address and user-agent to determine their geolocation, Internet Service Provider, Operating System and browser information.

As well as identifying potential targets and passing them further along the infection chain, the gate also acts as a decoy site. If a visitor is tagged as an unintended target, they are redirected to a fake site, or a 404 or 502 error.

Malwarebytes has tracked the history of Magnigate to 2013/2014, using publicly-available packet captures and its own honeypots. It believes that the use of decoy sites may have begun in late 2014/early 2015, with an additional twist - an added step using fingerprinting code - being added roughly a year later, in March 2016.

The Magnitude EK was originally a kit, rented by multiple groups to deliver harmful payloads. That changed in autumn 2016 when it came under the sole ownership of a single actor; that actor is targeting Asia, especially South Korea, with the Cerber ransomware. The gate is used for efficient traffic filtering, rather than wasting resources on unintended targets like honeypots.