- Mar 29, 2018
- 7,609
With default settings?
A interesting fully undetectable malware (until now)
- Thread starter XylentAntivirus
- Start date
- Sep 2, 2021
- 2,586
- Jun 22, 2020
- 189
- Feb 7, 2023
- 2,349
In Harmony Endpoint, the āFUDā triggers not one, but 3 behavioural detections. It also launches a variety of LOLBins, all blocked under my policy.
- Apr 16, 2017
- 2,603
just checking-in... with sorta "noob" question: here, Harmony does NOT detect the file as zip, did not detect anything at 1930z or at 0300z. Should it detect the zip?
- Feb 7, 2023
- 2,349
The file will be detected by emulation if downloaded and if emulation is setup correctly. In my case it was already downloaded and extracted so upon launch, 3 different behavioural detections were triggered. These detections are very generic and cover certain tactics used. At this point the sample is already known to Check Point so it will be detected by reputation as well.
Last edited:
- Apr 16, 2017
- 2,603
well what can I say, I did not setup the emulation, I let Lithify do the heavy lifting
So as I understand your post, CP should have (could have) blocked it during DL. It was a relatively slow DL and I saw the CP browser icon huffing & puffing, and then let it pass into \downloads... Also did a right-click scan 4+ hours later and no detection. Curious since "known"...
- Feb 7, 2023
- 2,349
I canāt say why this is happening without checking certain logs that are only available locally, not even on the portal. My guess is, the file is just being excluded from scanning due to size. Nevertheless, Behavioural Guard and EFR terminate the file very early in its execution stage, delete all dropped components and identify it as Nova Infostealer (how deep the attack will be cleaned depends on setup as well). You are protected against the attack.well what can I say, I did not setup the emulation, I let Lithify do the heavy lifting
The detections are:
behavioural.win.t1036_005.b
behavioural.win.suspmasquerading.c
gen.win.absvct.a
- Apr 16, 2017
- 2,603
yes, I believe Harmony is protecting this VM very deeply. At this point, I'll just delete that file as I'm not in the mood to deal with unintended consequences. (aka chickenshit)
- Feb 7, 2023
- 2,349
This Nova Stealer is not a novel tactic. Malware in Electron packages has been discussed many times, there is even Check Point blog post.
New Malware Capable of Controlling Social Media Accounts Infects 5,000+ Machines and is actively being Distributed via Gaming Applications on Microsoft's Official Store - Check Point Research
Popular games such as āTemple Runā or āSubway Surferā were found to be malicious Attackers can use the installed malware as a backdoor in order to gain full control on the victimās machine Most of the victims are from Sweden, Bulgaria, Russia, Bermuda and Spain Check Point Research (CPR) has...
research.checkpoint.com
28th February ā Threat Intelligence Report - Check Point Research
For the latest discoveries in cyber research for the week of 28th February, please download our Threat Intelligence Bulletin. Top Attacks and Breaches Check Point Research has released data on cyber attacks observed around the current Russia/Ukraine conflict. Cyber attacks on Ukraineās...
research.checkpoint.com
One of the files āelevate.exeā packages inside doesnāt change, Iāve seen it in all Electron Bots/Nova variants. The malicious code inside is all based on JavaScript, running on the Node.js. It is controlled by sending commands through Telegram and Discord. The developers are very active, repackage frequently but donāt bother checking for behavioural detections (they just scan on VT to ensure there are no detections). After every new version, ācustomersā start complaining that detections are now happening.
Alongside running security software, users are advised to download games only from trusted websites and stores, such as Steam.
More about Nova Stealer can be learned here:
Nova Infostealer Malware | Sordeal Stealer | Cyfirma
The report highlights a surge in malicious activities by Malware-as-a-service (MaaS) operators Sordeal ā particularly with their new malware āNovaā.
www.cyfirma.com
Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services
Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services
www.broadcom.com
Last edited:
- Sep 2, 2021
- 2,586
and Bitdefender detects it ?
Yes, with ATP.
Note that I've reported it twice, Bitdefender deletes all traces left behind, but last night it didn't.
No anti-malware detection yet.
Nikola Milanovic
Level 3
- Oct 17, 2023
- 100
The file would still be contained for those using Xcitium
The signature on the file is also invalid
All in all... Nice find.
View attachment 284459View attachment 284460
Malware now
- Feb 7, 2023
- 2,349
But this is Bitdefender Free that doesnāt have memory and command line scanning. Perhaps on the paid products where these features are enabled, it would have handled the LOLBins betterā¦
andytan
Level 1
- May 10, 2024
- 20
Opened it with Trend Micro and their behavior blocker catches it.
lokamoka820
Level 22
- Mar 1, 2024
- 1,140
Why on VirusTotal page it still shows that Avast, Bitdefender, Microsoft and others didn't detect it?
andytan
Level 1
- May 10, 2024
- 20
I submitted it to GDATA a few minutes ago. Unfortunately GDATA had no reaction; I was hoping a pop-up would appear showing BEAST detected it but it did not.
- Feb 7, 2023
- 2,349
For McAfee it was the other way around, detected on VT but when @Shadowra tested the Endpoint Security, there was no detection.
Download Advisor in home products would have removed it, as it doesnāt like executables with low reputation.
This frequently happens, VT is not an indication of how the real product will perform.
- Mar 29, 2018
- 7,609
Indeed, it is quite common that VT detection result is different from the actual AV detection, as @Trident posted.
tachion
New Member
- Jan 19, 2012
- 8
That's because there may be differences in the versions of antivirus engines, differences in configurations, and differences in databases. The way VirusTotal operates is also different from currently installed antivirus programs.
- Mar 16, 2019
- 3,862
For Avast and Bitdefender, the detection was from their behavior blocker which is not present on VT. For Microsoft Defender maybe some other on-execution detection logic was triggered which once again is not the scope of Virustotal.
BTW, I see that ESET is detecting it as "JS/Spy.Agent.HR". This "HR" variant is a detection that was created probably more than 2 weeks ago when I submitted a similar Electron based malware to them and I remember Kaspersky also detected as "Trojan-PSW.Win32.Alien" but don't remember if it was the same "ko" variant. For that particular sample Avast, Bitdefender, Norton all added signature yet for this malware, the file-based pre-execution detection didn't trigger for them.
I have to say that this matches with my own experience regarding the quality of signature produced by ESET and Kaspersky. They are better than others most of the time at identifying the malicious pattern in the code (Or as ESET say, they extract the gene) to detect similar malware. Bitdefender frustrates me the most with the amount of low-quality signature they regularly make (even acknowledged by a Bitdefender forum mod) but their post execution behavior blocking (that ESET lacks) is top-notch for sure.
Similar threads
