An interesting fully undetectable malware (until now)

likeastar20

Mar 24, 2016
For Avast and Bitdefender, the detection was from their behavior blocker which is not present on VT. For Microsoft Defender maybe some other on-execution detection logic was triggered which once again is not the scope of Virustotal.
BTW, I see that ESET is detecting it as "JS/Spy.Agent.HR". This "HR" variant is a detection that was created probably more than 2 weeks ago when I submitted a similar Electron-based malware to them, and I remember Kaspersky also detected it as "Trojan-PSW.Win32.Alien" but I don't remember if it was the same "ko" variant. For that particular sample, Avast, Bitdefender and Norton all added a signature, yet for this malware the file-based pre-execution detection didn't trigger for them.
I have to say that this matches my own experience regarding the quality of signatures produced by ESET and Kaspersky. They are better than others most of the time at identifying the malicious pattern in the code (or, as ESET say, they extract the gene) to detect similar malware. Bitdefender frustrates me the most with the number of low-quality signatures they regularly make (even acknowledged by a Bitdefender forum mod), but their post-execution behavior blocking (which ESET lacks) is top-notch for sure.
You are right about everything. Kaspersky and ESET have very accurate detection. If you see a detection from them on VT, then that file is probably malicious. I always check them first to see the detection.

Sandbox Breaker

Jan 6, 2022
Signatures on this file are useless. Attackers repack it frequently. Only behavioural detections would work.
Even Deep Learning Models are trending down. Too easy to evade/fool.

Even analysts can be fooled. This is one of my favs that I posted. This one is an MS Threat Analyst:

Xcitium Analyst Fooled

Trident

Feb 7, 2023
Even Deep Learning Models are trending down. Too easy to evade/fool.
That’s not from now. Deep Learning in the form of static analysis has always suffered with packers, because the only feature it can extract is that the file is packed. In some cases, this will be enough to trigger detection. With the Electron packages, it is not. They are very variable.

This kind of malware is better handled by reputation and behaviour.

There is no simple method that is best and bulletproof; rather, an ensemble of methods works together to provide what’s best for the case.
Signatures most of the time are useless. There are many groups abusing the Electron package to distribute stealers, and they push new variants daily.
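To make the point above concrete (that a static model sees little more than "this file is packed", while every repack of the same payload carries a different hash), here is an added Python example that is not from the thread or from any vendor's tooling. The "script" it analyses is a constructed benign stand-in for an app's JavaScript source, and `pack()` is a constructed stand-in for a repacker (compress, then mask with a seeded byte stream), not any real packer; the feature set (entropy, printable ratio, size, hash) is the kind a defender can still measure on an opaque blob.

```python
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; near 1.0 for plain script text."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def static_features(data: bytes) -> dict:
    """The handful of byte-level features a static scanner can still measure on a packed blob."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "printable": round(printable_ratio(data), 2),
        "sha256": hashlib.sha256(data).hexdigest()[:16],  # truncated for display only
    }


def looks_packed(features: dict) -> bool:
    """Crude static verdict: high entropy plus little readable text reads as 'packed'."""
    return features["entropy"] > 7.0 and features["printable"] < 0.5


def make_sample_script(seed: int, lines: int = 200) -> bytes:
    """Constructed stand-in for an application's JavaScript source (benign, deterministic per seed)."""
    rnd = random.Random(seed)
    out = []
    for _ in range(lines):
        name = "".join(rnd.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
        out.append(f"const {name} = require('fs').readFileSync('{name}.txt');")
    return "\n".join(out).encode()


def pack(data: bytes, seed: int) -> bytes:
    """Constructed stand-in for repacking: compress, then mask with a seeded byte stream.
    Each seed yields a different file (different hash) with the same statistical profile."""
    rnd = random.Random(seed)
    compressed = zlib.compress(data, 9)
    mask = bytes(rnd.randrange(256) for _ in range(len(compressed)))
    return bytes(a ^ b for a, b in zip(compressed, mask))


def compare_repacks(source: bytes, seeds) -> list:
    """Static features of the plain source, followed by one row per repack seed."""
    rows = [dict(static_features(source), label="source")]
    for s in seeds:
        rows.append(dict(static_features(pack(source, s)), label=f"repack-{s}"))
    return rows


if __name__ == "__main__":
    for row in compare_repacks(make_sample_script(1), seeds=(11, 22, 33)):
        print(f"{row['label']:<10} size={row['size']:>5} entropy={row['entropy']:.2f} "
              f"printable={row['printable']:.2f} packed={looks_packed(row)} "
              f"sha256={row['sha256']}...")
```

Running it prints one row for the readable source (low entropy, all printable, not packed) and one per repack: every repack has a distinct hash, so a hash or byte-pattern signature written against one of them misses the next, while the only stable static signal shared by all of them is "high entropy, not readable", which says nothing about what the payload does. That is the gap that reputation and runtime behaviour monitoring have to fill.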

Sandbox Breaker

Jan 6, 2022
That’s not from now. Deep Learning in the form of static analysis has always suffered with packers, because the only feature it can extract is that the file is packed. In some cases, this will be enough to trigger detection. With the Electron packages, it is not. They are very variable.

This kind of malware is better handled by reputation and behaviour.
Agreed. Static analysis of binaries is tricky for ML models. I do see how Electron apps can be a bad match-up for a well-trained model.

SeriousHoax

Mar 16, 2019
The main culprit of this malware is this obfuscated JS file, which ESET detects:
Though a vendor like ESET, who are extremely good at creating very smart behavioral signatures, might be able to detect some new future variants, the best defense against these stealers is behavior blocking, as @Trident suggested. So the likes of Bitdefender and Kaspersky are likely to spend less time creating signatures and more time training their behavior blockers on new tactics.