App Review A Malicious LNK Stealer Part 2

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Will blocking C2 traffic using either software or hardware based firewall help with this type of data theft?

Can Comodo be used to blocked C2 traffic?
Blocking outbound connections to Command and Control servers (by whatever means) is of paramount importance. C2 servers exist- one must ensure that potential victim's system does not come to their attention.

Regarding Comodo, I have a video (more or less) completed pitting it against the malware used here as well as a few other diverse stealers that just popped up. Really just have to pick the music (I'm in a flamenco mood...).
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
i suppose avast premium firewall protects against data thiefing as ARP protection?

Should one use ask mode with the avast firewall? Or do i simply just install comodo firewall along with avast?

fw124.png
fw123.png
 

Jonny Quest

Level 22
Verified
Top Poster
Well-known
Mar 2, 2023
1,107
@cruelsister What I appreciate about your videos is the ability to track what you're doing, including your text that you let sit there long enough for us to read (without pausing).
Some of the other malware-testing videos (not any of the other members from this forum) seem to be more about how many widows can I have open and running at the same time, and how fast can I dart my mouse across and around the screen. At times, I need a Dramamine just to watch those before I stop and move on. Let alone your fantastic taste in the background music on your videos :) And yes, I did Subscribe :)
 
Last edited:

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Should one use ask mode with the avast firewall? Or do i simply just install comodo firewall along with avast?
You can use Ask Mode but it won’t help when code injection is involved, as it will be a trusted and already whitelisted process doing the malicious actions (via process hollowing, doppelgänging, dll sideloading and other techniques of such). Any firewall (without containment, HIPS and other layers) is useless in such cases.

To protect against these attacks, you will have to rely on Avast’s detection abilities (antivirus, behavioural blocking) which are not bad. To protect against theft of passwords saved in Chrome and Edge, Avast has the password protection feature.

In the cases when no code injection is performed and malware is not signed (in which case it may be allowed without a prompt depending on the settings), blocking the connection will prevent a lot of headaches coming your way. But then Avast also terminates connections to known CnCs (which in many cases can be helpful as well) and uses reputation, and a host of other methods to block unknown executables. Comodo doesn’t — it’s just you, yourself and your sandbox.

So in a nutshell - Comodo is great if you are looking to answer prompts and alerts, and you believe you will answer them correctly. If not, then other solutions are better. What’s displayed in this video is not Comodo’s protection abilities, but @cruelsister ’s knowledge of the threat landscape. And she will be able to protect herself against this malware even without Comodo, as she will not execute a malicious shortcut from an email in the first place.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
Nice demo video, thanks!

Indeed, Outbound application firewalls are still a worthy security tool in one's security setup, especially if they are set to Default-deny (y)

Great cover of the Willie Nelson original by Linda Ronstadt, although I do prefer the Patsy Cline version released in 1961:)

Fwiw, Ronstadt was ranked #47 and Cline #13 on Rolling Stone's Top 200 Greatest Singers list :)
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
You can use Ask Mode but it won’t help when code injection is involved, as it will be a trusted and already whitelisted process doing the malicious actions (via process hollowing, doppelgänging, dll sideloading and other techniques of such). Any firewall (without containment, HIPS and other layers) is useless in such cases.
Is code injection even commonly used these days?
 
  • Like
Reactions: Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Is code injection even commonly used these days?
Of course it’s commonly used. It’s one of the great ways to evade detection, turning a trusted process into a puppet. Other ways like obtaining certificates are short-term solution and iffy. Even this malicious lnk stealer, what’s the point of using builders (perhaps the Quantum shortcut builder) to create FUDs and then drop the final payload as an executable, where antiviruses have reputation and petabytes of training?
 
Last edited:

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Okay thanks. This is more common on server side isn't it?
LOLBin abuse or LOtLBins as they call them now (Living off the Land attacks) are common amongst all attackers that have knowledge of how antivirus products work. It can be against businesses and servers, but it may as well be against home users using weaponised documents to initiate the attack (one example). It all depends on the attackers. There are many of them and growing (specially with the current difficult economics), and their creativity knows no end.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
LOLBin abuse or LOtLBins as they call them now (Living off the Land attacks) are common amongst all attackers that have knowledge of how antivirus products work. It can be against businesses and servers, but it may as well be against home users using weaponised documents to initiate the attack (one example).

Regrding LOLBins being exploited in the Home environment, this is interesting:


Btw, I've been running Linux as Home user with basic needs for the last four months (finally, I think for real, ditching Windows for good except for Work purposes), so I'm starting to lose sight of these Windows exploits.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
Windows is just a playground for me — I would never rely on this platform to do my work. Many do… I don’t.
No choice for me. It's a COE-issued laptop from my employer, as one of my essential tools for doing my job. It is, afaik, locked down by the IT team like Fort Knox.
 
Last edited:
F

ForgottenSeer 98186

Btw, I've been running Linux as Home user with basic needs for the last four months (finally, I think for real, ditching Windows for good except for Work purposes), so I'm starting to lose sight of these Windows exploits.
Linux has a list of LOLBins that is larger than Windows.

Regrding LOLBins being exploited in the Home environment, this is interesting:
As long as a user is not downloading and executing code on their system -- either by choice or blocked from doing so by policy, then LOLBin blocking is not necessary except if you fear exploits (e.g. you are running Windows with unpatched software). If they user is downloading stuff and executing it, then to protect the system LOLBins can be blocked to break the kill chain.

If you want case-hardened security against the greatest number of potential eventualities of rogue code execution, then there is no other localhost protection that beats SRP global blocking.

Blocking LOLBins can create corner case issues, but virtually all of them are manageable. It is based upon SRP with the purpose of configuring a known-clean system, enabling and configuring policies, and then modifying that system carefully only once in a while.

If users want to use stuff, then default deny really isn't for them. If a user never wants to look at a log, then default deny definitely is not for them.

It all comes down to what a user wants. Do they want ballistic nuclear armor security or are they a "user that wants to use stuff."
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
Linux has a list of LOLBins that is larger than Windows.
That's okay, I'm not alarmed or concerned by how many LOLBins or exploits a Linux home environment might have.

Truth be told, I'm not alarmed or concerned about the LOLBins or exploits Windows has. I just don't like the direction Microsoft is going with the OS since Windows 10.
 
Last edited:

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
That's okay, I'm not alarmed or concerned by how many LOLBins or exploits a Linux home environment might have.

Truth be told, I'm not alarmed or concerned about the LOLBins or exploits Windows has. I just don't like the direction Microsoft is going with the OS since Windows 10.
I am not concerned myself, but I’ve invested a lot of time studying attacks with LOtLbins involved and coverage from AV vendors is a bit patchy (unless blocks or emulation is used). At the same time AMSI bypasses have been documented thousands of times on security forums and a relatively low-skilled attacker can make use of them.
Whilst it doesn’t necessarily affect many of us here on MalwareTips, it is definitely a vector that calls to be overseen and acted on.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top