An interesting fully undetectable malware (until now)

Status
Not open for further replies.
For Avast and Bitdefender, the detection was from their behavior blocker, which is not present on VT. For Microsoft Defender, maybe some other on-execution detection logic was triggered, which once again is not in the scope of VirusTotal.
BTW, I see that ESET is detecting it as "JS/Spy.Agent.HR". This "HR" variant is a detection that was probably created more than 2 weeks ago when I submitted a similar Electron-based malware to them, and I remember Kaspersky also detected it as "Trojan-PSW.Win32.Alien" but don't remember if it was the same "ko" variant. For that particular sample Avast, Bitdefender and Norton all added signatures, yet for this malware the file-based pre-execution detection didn't trigger for them.
I have to say that this matches my own experience regarding the quality of signatures produced by ESET and Kaspersky. They are better than others most of the time at identifying the malicious pattern in the code (or, as ESET say, they extract the gene) to detect similar malware. Bitdefender frustrates me the most with the amount of low-quality signatures they regularly make (even acknowledged by a Bitdefender forum mod), but their post-execution behavior blocking (that ESET lacks) is top-notch for sure.
You are right about everything. Kaspersky and ESET have very accurate detection. If you see a detection from them on VT, then that file is probably malicious. I always check them first to see the detection.
 
First look at the ClamAV detection. It's pretty reliable. You can extract with 7zip. Then you probably see this:
Win.Malware.Zusy-10032984-0;Engine:81-255,Target:1;0&1&2&3&4;687474703a2f2f39352e3231342e32342e3131372f737663686f7374322e657865;4661696c656420746f206765742070726f63657373204944;5c737663686f73742e657865;6170692d6d732d77696e2d636f72652d72656769737472792d6c312d312d302e646c6c::w;4552524f523a20496d4775695f496d706c4f70656e474c335f4372656174654465766963654f626a656374733a206661696c656420746f20636f6d70696c6520257321205769746820474c534c3a202573
Ask ChatGPT then. It will say the reason: VirusTotal

Then you can see the detection from file. VirusTotal The file is actually malware and detected by Kaspersky in link analysis. But Kaspersky didn't detect this cheat as malware in file analysis. That doesn't mean it's malware. Stop Kaspersky-centred thinking, ClamAV is a great product and a liberated product because it's open source. Which helps you see why it's flagged as malware. Second, if ClamAV didn't detect it then use my product: Releases · HydraDragonAntivirus/HydraDragonAntivirus. If it's still not detected then use filescan.io or look at community comments like Thor. You can also use Hybrid-Analysis, tria.ge etc. Open source antiviruses tell why it's malware with proof. Closed source ones don't show their signatures because they are closed source. But you can still guess why it's flagged.
 
  • Like
Reactions: zidong
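
Added example, not part of the post above and not ClamAV's own code: a small parser for the logical-signature layout shown in that post (name; target block; logical expression; hex subsignatures, optionally with a `::` modifier), which decodes plain-hex subsignatures to readable strings. The sample signature is constructed for illustration, and the function names `parse_ldb` and `explain` are hypothetical.

```python
import re

# Constructed sample in ClamAV logical-signature (.ldb) layout, not a real signature.
SAMPLE_LDB = (
    "Win.Test.Example-0000000-0;Engine:81-255,Target:1;0&1&2;"
    "687474703a2f2f6578616d706c652e696e76616c69642f612e657865;"
    "5c737663686f73742e657865;"
    "6b65726e656c33322e646c6c::w"
)

HEX_ONLY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
MODIFIERS = {"i": "case-insensitive", "w": "wide (UTF-16)", "f": "full word", "a": "ASCII"}

def parse_ldb(line):
    """Split name;target block;logical expression;subsig0;subsig1;... into parts."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("expected name;target;logic;subsig0[;subsigN...]")
    name, tdb, logic, *raw_subsigs = fields
    target = dict(kv.split(":", 1) for kv in tdb.split(",") if ":" in kv)
    subsigs = []
    for index, raw in enumerate(raw_subsigs):
        body, _, mods = raw.partition("::")
        text = None  # stays None for wildcards, offsets or PCRE subsignatures
        if HEX_ONLY.match(body):
            decoded = bytes.fromhex(body).decode("latin-1")
            # Replace non-printable bytes so the output is safe to display.
            text = "".join(c if 32 <= ord(c) < 127 else "." for c in decoded)
        subsigs.append({"index": index, "text": text, "modifiers": mods, "raw": raw})
    return {"name": name, "target": target, "logic": logic, "subsigs": subsigs}

def explain(line):
    """Return human-readable lines describing what the signature matches on."""
    sig = parse_ldb(line)
    out = [f"{sig['name']}: target={sig['target']} logic={sig['logic']}"]
    for s in sig["subsigs"]:
        shown = repr(s["text"]) if s["text"] is not None else f"pattern {s['raw']}"
        mods = ", ".join(MODIFIERS.get(m, m) for m in s["modifiers"])
        out.append(f"  [{s['index']}] {shown}" + (f" ({mods})" if mods else ""))
    return out

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE_LDB)))
```

A logical expression such as `0&1&2` means every listed subsignature must match, and `Target:1` restricts the signature to PE files. For entries in a real database, ClamAV's `sigtool --decode-sigs` produces a comparable breakdown.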
You've provided a comprehensive approach to malware detection. Using multiple tools such as ClamAV, VirusTotal, and HydraDragonAntivirus can indeed increase the chances of identifying malware. Open source antiviruses are beneficial as they allow users to understand the detection process. However, closed source antiviruses can also be effective, even if their detection methods are not openly disclosed.
 
  • Love
Reactions: Behold Eck
Signatures on this file are useless. Attackers repack it frequently. Only behavioural detections would work.
Even Deep Learning Models are trending down. Too easy to evade/fool.

Even Analysts can be fooled. This is one of my favs that I posted. This one is a MS Threat Analyst

Xcitium Analyst Fooled
 
Even Deep Learning Models are trending down. Too easy to evade/fool.
That’s not from now. Deep Learning in the form of static analysis has always suffered with packers, because the only feature it can extract is that the file is packed. In some cases, this will be enough to trigger detection. With the electron packages, it is not. They are very variable.

This kind of malware is better handled by reputation and behaviour.

There is no simple method that is best and bulletproof; rather, an ensemble of methods works together to provide what’s best for the case.
Signatures most of the time are useless. There are many groups abusing the electron package to distribute stealers and they push new variants daily.
 
That’s not from now. Deep Learning in the form of static analysis has always suffered with packers, because the only feature it can extract is that the file is packed. In some cases, this will be enough to trigger detection. With the electron packages, it is not. They are very variable.

This kind of malware is better handled by reputation and behaviour.
Agreed. Static analysis for binaries is tricky for ML models. I do see how electron apps can be a bad match up for a well trained model.
 
Stop Kaspersky-centred thinking, ClamAV is a great product and a liberated product because it's open source. Which helps you see why it's flagged as malware. Second, if ClamAV didn't detect it then use my product: Releases · HydraDragonAntivirus/HydraDragonAntivirus. If it's still not detected then use filescan.io or look at community comments like Thor. You can also use Hybrid-Analysis, tria.ge etc. Open source antiviruses tell why it's malware with proof.
Closed-source and open source AVs are both prone to false positives. A system with more users and more channels for receiving safe files will be less susceptible, but far from perfect. During the development, all technologies are created with false positives reduction/elimination in mind.

Evidence of the detection most of the time is not necessary, users would open a case with the vendor and they will investigate the detection method.

Providing evidence why and how the file is detected will allow attackers to evade this detection.
 
The main culprit of this malware is this obfuscated js file which ESET detects:
Though a vendor like ESET, who are extremely good at creating very smart behavioral signatures, might be able to detect some new future variants, the best defense against these stealers is behavior blocking, as @Trident suggested. So, the likes of Bitdefender and Kaspersky are likely to spend less time creating signatures and more time on training their behavior blocker on new tactics.
 