An interesting fully undetectable malware (until now)

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
In Harmony Endpoint, the "FUD" triggers not one, but 3 behavioural detections. It also launches a variety of LOLBins, all blocked under my policy.
just checking-in... with sorta "noob" question: here, Harmony does NOT detect the file as zip, did not detect anything at 1930z or at 0300z. Should it detect the zip?
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
The file will be detected by emulation if downloaded and if emulation is set up correctly. In my case it was already downloaded and extracted, so upon launch, 3 different behavioural detections were triggered. These detections are very generic and cover certain tactics used. At this point the sample is already known to Check Point, so it will be detected by reputation as well.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
well what can I say, I did not set up the emulation, I let Lithify do the heavy lifting :ROFLMAO: So as I understand your post, CP should have (could have) blocked it during DL. It was a relatively slow DL and I saw the CP browser icon huffing & puffing, and then let it pass into \downloads... Also did a right-click scan 4+ hours later and no detection. Curious since "known"... :unsure:
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
I can't say why this is happening without checking certain logs that are only available locally, not even on the portal. My guess is, the file is just being excluded from scanning due to size. Nevertheless, Behavioural Guard and EFR terminate the file very early in its execution stage, delete all dropped components and identify it as Nova Infostealer (how deep the attack will be cleaned depends on setup as well). You are protected against the attack.

The detections are:
behavioural.win.t1036_005.b
behavioural.win.suspmasquerading.c
gen.win.absvct.a
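An added example, not code from the thread or from Check Point: a minimal check for ATT&CK T1036.005 (match legitimate name or location), the generic masquerading tactic that the behavioural.win.t1036_005.b and suspmasquerading verdicts above cover, run over constructed process-creation lines. The event format, the expected-location table and the function names are assumptions for this example.

```python
# Added example: flag processes whose image name matches a well-known Windows
# binary but whose directory is not one of that binary's expected locations.
# Event format ("pid|image_path") and the lookup table are assumptions.
import ntpath
from typing import Dict, List, Optional, Tuple

# Expected homes of commonly impersonated binaries (assumed table; extend as needed).
EXPECTED_LOCATIONS: Dict[str, Tuple[str, ...]] = {
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "explorer.exe": (r"c:\windows",),
    "rundll32.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "powershell.exe": (
        r"c:\windows\system32\windowspowershell\v1.0",
        r"c:\windows\syswow64\windowspowershell\v1.0",
    ),
}

def normalize(path: str) -> Tuple[str, str]:
    """Return (lowercase directory, lowercase file name) for a Windows path."""
    p = ntpath.normpath(path.strip().strip('"')).lower()
    return ntpath.dirname(p), ntpath.basename(p)

def check_event(image_path: str) -> Optional[str]:
    """Return a reason if the image masquerades as a tracked system binary, else None."""
    directory, name = normalize(image_path)
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None:
        return None  # not a name we track (e.g. elevate.exe is simply unknown here)
    if directory in expected:
        return None  # legitimate location, case-insensitive match
    return f"{name} running from unexpected location {directory}"

def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan 'pid|image_path' lines and return (pid, reason) for every hit."""
    hits: List[Tuple[int, str]] = []
    for line in lines:
        pid, _, image = line.partition("|")
        reason = check_event(image)
        if reason:
            hits.append((int(pid), reason))
    return hits

# Constructed sample events, not taken from any real incident.
SAMPLE_LOG = [
    r"1204|C:\Windows\System32\svchost.exe",
    r"3388|C:\Users\Public\Downloads\game\svchost.exe",
    r"4120|C:\WINDOWS\SysWOW64\rundll32.exe",
    r"5566|C:\Users\bob\AppData\Local\Temp\explorer.exe",
    r"6001|C:\Users\bob\AppData\Local\Temp\elevate.exe",
]
```

Running `scan_log(SAMPLE_LOG)` reports only pids 3388 and 5566; a real product layers this with reputation and the other behavioural verdicts listed above rather than relying on the name/location check alone.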
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
yes, I believe Harmony is protecting this VM very deeply. At this point, I'll just delete that file as I'm not in the mood to deal with unintended consequences. (aka chickenshit)
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
This Nova Stealer is not a novel tactic. Malware in Electron packages has been discussed many times; there is even a Check Point blog post.

One of the files packaged inside, "elevate.exe", doesn't change; I've seen it in all Electron Bots/Nova variants. The malicious code inside is all based on JavaScript, running on Node.js. It is controlled by sending commands through Telegram and Discord. The developers are very active, repackage frequently but don't bother checking for behavioural detections (they just scan on VT to ensure there are no detections). After every new version, "customers" start complaining that detections are now happening.

Alongside running security software, users are advised to download games only from trusted websites and stores, such as Steam.

More about Nova Stealer can be learned here:
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
and Bitdefender detects it? :unsure: :/

Yes, with ATP.
Note that I've reported it twice, Bitdefender deletes all traces left behind, but last night it didn't.
No anti-malware detection yet.

Capture d'écran 2024-07-24 115000.png
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
But this is Bitdefender Free that doesn't have memory and command line scanning. Perhaps on the paid products where these features are enabled, it would have handled the LOLBins better...
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Why does the VirusTotal page still show that Avast, Bitdefender, Microsoft and others didn't detect it?

For McAfee it was the other way around, detected on VT but when @Shadowra tested the Endpoint Security, there was no detection.
Download Advisor in home products would have removed it, as it doesn't like executables with low reputation.

This frequently happens, VT is not an indication of how the real product will perform.
 

tachion

New Member
Jan 19, 2012
8
Indeed, it is quite common that VT detection result is different from the actual AV detection, as @Trident posted.
That's because there may be differences in the versions of antivirus engines, differences in configurations, and differences in databases. The way VirusTotal operates is also different from currently installed antivirus programs.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
For Avast and Bitdefender, the detection was from their behavior blocker which is not present on VT. For Microsoft Defender maybe some other on-execution detection logic was triggered which once again is not the scope of Virustotal.
BTW, I see that ESET is detecting it as "JS/Spy.Agent.HR". This "HR" variant is a detection that was created probably more than 2 weeks ago when I submitted a similar Electron-based malware to them, and I remember Kaspersky also detected it as "Trojan-PSW.Win32.Alien" but don't remember if it was the same "ko" variant. For that particular sample Avast, Bitdefender and Norton all added a signature, yet for this malware the file-based pre-execution detection didn't trigger for them.
I have to say that this matches my own experience regarding the quality of signatures produced by ESET and Kaspersky. They are better than others most of the time at identifying the malicious pattern in the code (or, as ESET say, they extract the gene) to detect similar malware. Bitdefender frustrates me the most with the amount of low-quality signatures they regularly make (even acknowledged by a Bitdefender forum mod), but their post-execution behaviour blocking (which ESET lacks) is top-notch for sure.
 
