App Review More Fun with Ransomware Part 5


cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,149
As a number of newer threats are being pushed out via exploit kits from infected web pages recently, I'm putting the RAT series on hold for a week to concentrate on a newer ransomware file, Zcrypt.

This video will concentrate on the worm-like aspects of it. For any that get (rightfully) paranoid about what you see in this video, remember that Autoplay can be disabled in Group Policy.

Noxx

Sad result for HMPA and MBAR, particularly MBAR being a program specifically designed for ransomware. HMPA still has a lot going for it, but still not performing well with ransomware. And of course, WinAntiRansom kicking butt as to be expected. Lovely work as always, CS.
Iangh

Can I be the noob? In the video 41/57 A-Vs detected it, so provided you have one of those A-Vs the file would not get onto your PC? I'm trying to understand how effective an A-V is against ransomware that isn't zero-day. Given my safe browsing habits I doubt I will ever see a zero-day. Thanks.
cruelsister
Hi Langh- No you are not close to a Noob and your comment is superb.

The applications that the malware was run against are Anti-Ransomware products and are not dependent on definitions; thus seeking out a true zero day sample (or by a total modification of this one) would be pointless. Instead this video was testing if any of the applications could detect and block the mechanism of action of the malware. If they could they would be proof against any morphed sample of this class, no matter how new.

As I stated on the initial slide, the malware used today was a week old and certainly should be detected by any half-way decent AV. The issue for AVs (and "Safe Browsing") is that the malware is being modified at the least daily to make it zero day (or as close to it as one can make it), and is being pushed out as an exploit (via the Hunter EK) on infected web pages. In short, this one with the over 40 detections really won't be seen today as it has been replaced by a file with zero detections. Any Blackhat over Script-Kiddie level is aware that her malware can have an effective lifespan of about 12 hours before morphing (and change of servers) is needed.

But with a good AV you may be fine as long as you aren't in the wrong place at the wrong time.
DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Noob Mode ON :p
What I love with ransomwares : when we run it, it's easy to see that it's a ransomware, with the ransom message at the end...
Noob Mode OFF :p
1qay1qay

Level 1
Verified
Apr 17, 2016
36
So Comodo FW with Autosandbox enabled and with the rule "block ANY unknown/unrecognized from ANY location" will save our ass I suppose, but only while this attack is in file-dropper form - what about the fileless form (generated in memory and hijacking some allowed thread)? Does anyone have any explanation or a link to some whitepaper about that?

Regarding Antivirus and signature-detection-based defense:

Crypto / Ransomware is designed to elude detection of ALL stages of every Anti-Virus product. It is tested to guarantee entrance is undetectable! Every decent sample is unique and polymorphic, so signature detection is completely worthless. A delay in execution evades all sandbox technology.

The ONLY action left for A/V is Behavioral Heuristics!

That's it, NADA, there is nothing else for A/V to do, except for URL blocking.

And this evasion tactic is not from yesterday ... the only difference is that today it is fully automatic and available to anyone with XXX eur ...

The Malware Factory and Massive Morphing Malware | RSA Link
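Both cruelsister's point that anti-ransomware tools watch the mechanism of action rather than definitions, and 1qay1qay's point that only behavioral heuristics are left once samples are polymorphic, come down to the same idea: score what a process does to user files, never what its bytes look like. The following is an added illustration written for this thread, not code from any of the products discussed; the event tuples, paths and the fake_ciphertext helper are constructed stand-ins for real file-system telemetry.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; plain text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def score_processes(events, window_s=10.0, min_files=5, entropy_min=7.0):
    """events: iterable of (timestamp_s, pid, path, written_bytes).
    Returns {pid: distinct files rewritten with high-entropy data in the busiest
    window} for each pid that reaches min_files. No hash or signature is consulted,
    so a re-packed or morphed sample scores exactly like the original."""
    per_pid = defaultdict(list)  # pid -> [(ts, path)] for encrypted-looking writes
    for ts, pid, path, data in events:
        if shannon_entropy(data) >= entropy_min:
            per_pid[pid].append((ts, path))
    flagged = {}
    for pid, writes in per_pid.items():
        writes.sort()
        best = start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window_s:
                start += 1  # slide the window forward until it spans <= window_s
            best = max(best, len({p for _, p in writes[start:end + 1]}))
        if best >= min_files:
            flagged[pid] = best
    return flagged

def fake_ciphertext(seed: int, size: int = 512) -> bytes:
    """Deterministic stand-in for encrypted output (constructed, not real crypto):
    every byte value appears equally often, so the entropy is exactly 8.0."""
    return bytes((seed + j * 131) % 256 for j in range(size))

# Constructed telemetry: pid 100 saves one text document, pid 200 rewrites
# eight documents with encrypted-looking data within four seconds.
SAMPLE_EVENTS = [(0.0, 100, r"C:\Users\a\Documents\notes.txt", b"meeting notes " * 20)]
SAMPLE_EVENTS += [(1.0 + i * 0.5, 200, rf"C:\Users\a\Documents\file{i}.docx", fake_ciphertext(i))
                  for i in range(8)]

if __name__ == "__main__":
    print(score_processes(SAMPLE_EVENTS))  # {200: 8}
```

The thresholds are illustrative; a production heuristic would also weigh renames to new extensions and the ratio of rewritten files to files merely read, which is why cruelsister's "any morphed sample of this class" still trips it.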

cruelsister
Qay- The topic of fileless infection is both easy and complex to understand. I hope the following will serve:

1). first off, remember to set CF at the Proactive configuration to block things from any location.

2). When considering fileless malware, even though the mechanism of action of this type of malware varies (many hide out in RAM and from there inject into legit processes, something like POWELIKS will target the registry, Phasebot uses Powershell). The relatively recent Kovter malware family uses both methods.

3). But no matter what the mechanism is, the spawned stuff, no matter if it is Powershell or a hollowed svchost, would still be contained within the sandbox and suppressed from doing systemic damage. This sequestering of malicious activity would be seen both in the Comodo Sandbox or the also excellent Sandboxie.

4). Morphing malware- An absolute issue for the traditional AV and the main reason why I personally hold them in contempt. When initially coding a malware file it behooves one to add verbose code, one-shot loops, etc. These things can be removed one by one to have a zero day every day. Easy, Easy.

5). Time Delay method of Sandbox evasion- one of the standard methods used to trick a person to run a file outside the box. More popular is the dll search.

cruelsister
I did a quick whirl with it when the beta was first available but as it obviously was still a work in progress I passed on doing anything rigorous with it. I did submit a "wishlist"- number one on the list was protection for folders other than Documents. Fortress class ransomware can do a lot of damage outside of the typically protected areas.

I actually anticipate running it again, but probably not until a later Beta.
1qay1qay
Qay- The topic of fileless infection is both easy and complex to understand. I hope the following will serve:

Cruelsister, first things first - thanks for your knowledge and no-BS answer!

1). first off, remember to set CF at the Proactive configuration to block things from any location.

This is my main question: can the auto sandbox (default deny ALL unknown) help in this fileless attack or not?

Since I did not see any fileless infection in action (and I hope that will stay so regarding live attacks ... I would like to see one only in your video), I would like to know if the payload does get written to disk at any stage or is really everything done in RAM - as the name says - fileless?

Until now I did follow your recommendation and did not use HIPS - but the Proactive setting uses HIPS if I remember correctly?


2). When considering fileless malware, even though the mechanism of action of this type of malware varies- many hide out in RAM and from there inject into legit processes, something like POWELIKS will target the registry, Phasebot uses Powershell).

So with your expert knowledge: is it possible to create/generate and finally start crypto-xxx (and finally successfully encrypt user files on the HD) without ANY payload written to the hard disk BEFORE the actual encryption of user files on the hard disk starts?

3). But no matter what the mechanism is, the spawned stuff, no matter if it is Powershell or a hollowed svchost, would still be contained within the sandbox and suppressed from doing systemic damage.

If I understand Comodo FW correctly: this is true ONLY if I run any browser in the sandbox (with green border) - correct? But if I run the browser normally and get this exploit, my files will be encrypted - Comodo autosandbox with "default deny ALL unknown from ALL sources" will not help me since there will not be any file to block - everything will be executed in memory - do I get this correct (even if we assume that the malware does need contact with the C&C and will send a request for a unique key before starting encryption - that should be blocked by the FW - but in the fileless scenario this request will still be made from the "trusted" browser and will not be blocked ...)?

5). Time Delay method of Sandbox evasion- one of the standard methods used to trick a person to run a file outside the box. More popular is the dll search.

So I suppose we can say that making any rating and decision on an unknown file based only on sandbox behaviour is Russian roulette (and this time in the real sense of the words ... with a big R).

1qay1qay
err: I found a good autopsy analysis here (made by Kafeine in 2014!): Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)

So basically, we are defenseless against exploits like this one in Angler EK .... ok, the specific one that Kafeine got 2 years ago can be stopped today with MBAM Anti-Exploit, but I am afraid that they have no working heuristic for that ... today's fileless ones are deadly again based on your test .... the only solution left is a fully sandboxed browser and "Tower of Hanoi" style backup of backup ... ;(

@cruelsister: if you can, please look into the Heimdal exploit filter (not the traffic-scanning DNS URL filter, but this one: What is a Malware Engine? What does it do?) and WAR. I have purchased both apps, and can send you a full working licence for Heimdal, or better yet Heimdal SHOULD send you a few lifetime licences (you already have WAR if I remember correctly) if you will find time to look into these.

I am really happy with the Heimdal patching system for now (it covers the most dangerous exploit vectors like Flash, Java and PDF) and its DNS URL filter (based on "realtime monitoring" of the computer underground), but I am not so sure about its dedicated "malware engine" (see pic below) vs fileless attacks, since there is no info beside the usual marketing BS.

Maybe somebody from Heimdal can tell us more about the "malware engine"?


cruelsister
Let me address the last point first- the Angler EK that you referenced above is to the point. The infection of systems is becoming quite common. Although Angler is still widely used (I believe that link was from 2014), things have branched out to other EK's like pseudo-darkleech, Hunter, and Neutrino. But all currently are doing pretty much the same thing, and that is the exploitation of Flash/Shockwave to deliver malware.

The initial malicious action, whether by swf or js files, would be contained in the sandbox if you have your browser sandboxed. To see this (safely) for yourself just keep the browser sandboxed and go to ether a java or flash or shockwave test site and try to run the test. Then check out what is in the sandbox as well as the blocked intrusions. This is a backhanded way of seeing how an exploit would be handled.

Secondly, these exploits invariably will connect to Command to do the actual downloading of a payload. If (when) the payload is autorun it would be treated as any other piece of malware by Comodo. I've done this a number of times with various Exploit Kits trying to run CryptXXX and still have not been able to trash the system. The worst scenario (still not seen in the Wild) would be a high quality signed payload. This I will deal with in Part 5 of the current (and currently sidetracked) RAT series.

Finally, Powershell is also used frequently in Fileless attacks. As noted in my post above this would be handled as a normal scriptor attack and would be brushed off. I've made numerous videos on scriptors.

Hope this helped.


1qay1qay
Thx Cruelsister for the clarification - as always .... deadly to the point and no-BS answer ;)

Did anyone see in the wild that actual payload is also file less ?