App Review A Microsoft Defender Follow-up

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister
Anthony Qian

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
Andy Ful said:
The initial CPL malware drops a DLL payload:
C:\Antivirus.System.Update.KB16889415-_.cpl.dll
and uses a Regsvr32 LOLBin to execute it.

This is a well-known attack vector, so the AVs (not only Defender) have more chances to detect it behaviorally compared to the MSI attacks with a side loading method.
The payload is a DLL so can be in theory detected by Defender's cloud-delivered protection - this is clearly stated in Microsoft's documentation (the support for MSI is not mentioned).
Finally, the CPL vector is extremely rare, even compared to MSI. I could find on Malware Bazaar hundreds of MSI malware, and 0 CPL samples.

So, even if we could find some samples undetected on VirusTotal or samples that could compromise Defender, the attacks via CPL files will not be as dangerous as in the case of MSI.
Anyway, if someone has access to this sample it would be good to check how efficiently Microsoft can fight it.
Click to expand...
A tester on another security forum ran this sample and Microsoft Defender failed to stop the encryption process. Although a behavior-based detection, "Behavior:Win32/Execution.A!ml", was triggered, it's useless.

7-8-2022_205211_bbs.kafan.cn.jpeg

Also please note that samples on MalwareBazaar are only a small portion of ITW threats. CPL-based Magniber ransomware is not particularly new. This kind of malware has been investigated and analyzed by Ahnlab last month, and they even published a report on this (Change in Magniber Ransomware (*.msi → *.cpl) - July 20th - ASEC BLOG).
 
Last edited:
  • Like
Reactions: Nevi, roger_m, [correlate] and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Anthony Qian said:
A tester on another security forum ran this sample and Microsoft Defender failed to stop the encryption process. Although a behavior-based detection, "Behavior:Win32/Execution.A!ml", was triggered, it's useless.
Click to expand...

I cannot say for sure, but this is how can often work cloud-delivered protection + post-infection detection + BAFS. The first victim would be infected, because cloud-delivered protection was too slow to save him. But, in the meantime, fast detection was created in the cloud (Behavior:Win32/Execution.A!ml), and other users can be protected. Furthermore, this detection could work also on the first victim's computer, the encryption could be stopped after some time, but before the malware would encrypt all possible files.

Of course, you can be also right in the case when the detection stopped some unimportant part of the attack. We cannot be sure without inspecting the sample.

Anthony Qian said:
Also please note that samples on MalwareBazaar are only a small portion of ITW threats. CPL-based Magniber ransomware is not particularly new. This kind of malware has been investigated and analyzed by Ahnlab last month, and they even published a report on this (Change in Magniber Ransomware (*.msi → *.cpl) - July 20th - ASEC BLOG).
Click to expand...
I have already read this report and that is why I posted about CPL vector before you entered this thread: Video - A Microsoft Defender Follow-up

We know that Malware Bazaar can contain only a small portion of malware samples but still, there is a big difference between several hundreds of MSI samples (Magniber and several other malware types) and 0 CPL samples in the period of time VI 2021-VIII 2022. It strongly suggests, that the CPL initial attack vector was extremely rare so far.
 
Last edited:
  • Like
Reactions: Nevi, roger_m, vtqhtr413 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
ScandinavianFish said:
But why would they switch to an attack vector thats easier for AV's to detect?
Click to expand...

We do not know the real motivations of Magniber guys, but they often change the attack vector:

Magniber (Malware Family)

According to TXOne, The Magniber ransomware was first identified in late 2017 when it was discovered using the Magnitude Exploit Kit to conduct malvertising attacks against users in South Korea. However, it has remained active since then, continually updating its tactics by employing new...
malpedia.caad.fkie.fraunhofer.de malpedia.caad.fkie.fraunhofer.de

They could simply use the old WannCry and be happy.
 
Last edited:
  • Like
Reactions: vtqhtr413 and [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
lvseqiji said:
I don't understand why many vendors are still not taking Magniber seriously.
Many of them just add Hashes regularly to the cloud and that's it.
Maybe because Magniber mainly attacks personal users in Asia?
Click to expand...

The AV vendors do not bother about one fly when there are so many vultures around.

1659890369849.png


Of course, they can be wrong.
 
  • Like
Reactions: Nevi, vtqhtr413, wat0114 and 2 others
Anthony Qian

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
Andy Ful said:
I cannot say for sure, but this is how can often work cloud-delivered protection + post-infection detection + BAFS. The first victim would be infected, because cloud-delivered protection was too slow to save him. But, in the meantime, fast detection was created in the cloud (Behavior:Win32/Execution.A!ml), and other users can be protected. Furthermore, this detection could work also on the first victim's computer, the encryption could be stopped after some time, but before the malware would encrypt all possible files.

Of course, you can be also right in the case when the detection stopped some unimportant part of the attack. We cannot be sure without inspecting the sample.


I have already read this report and that is why I posted about CPL vector before you entered this thread: Video - A Microsoft Defender Follow-up

We know that Malware Bazaar can contain only a small portion of malware samples but still, there is a big difference between several hundreds of MSI samples (Magniber and several other malware types) and 0 CPL samples in the period of time VI 2021-VIII 2022. It strongly suggests, that the CPL initial attack vector was extremely rare so far.
Click to expand...
1. According to the tester, all the test files were unfortunately encrypted.
2. "Behavior:Win32/Execution.A!ml" is a detection created in the cloud? I'm unsure because the suffix is not "!cl".
3. The tester may not be the first victim, as the sample was uploaded to VT the day before yesterday.
4. Many MSI Magniber samples on MalwareBazaar were actually uploaded by a member of Kafan (the forum mentioned above). This tester also tested MSI-based Magniber vs Microsoft Defender in the past, and the results were not satisfying.
 
  • Like
  • Thanks
Reactions: Sunshine-boy, Nevi, SeriousHoax and 4 others
S

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
Anthony Qian said:
1. According to the tester, all the test files were unfortunately encrypted.
2. "Behavior:Win32/Execution.A!ml" is a detection created in the cloud? I'm unsure because the suffix is not "!cl".
3. The tester may not be the first victim, as the sample was uploaded to VT the day before yesterday.
4. Many MSI Magniber samples on MalwareBazaar were actually uploaded by a member of Kafan (the forum mentioned above). This tester also tested MSI-based Magniber vs Microsoft Defender in the past, and the results were not satisfying.
Click to expand...
Can answer for the second one.

An "Behavior" detection means it was detected by Windows Defender's Behavior Monitoring, with "Execution" meaning Defender detected execution of malicious code, the !ml means it was detected by the local machine learning as detection by cloud machine learning would indeed by "!cl". TL;DR: local Behavioral ML detected execution of malicious code.
 
  • Like
  • +Reputation
Reactions: Nevi, roger_m, Anthony Qian and 3 others
D

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Andy Ful said:
The initial CPL malware drops a DLL payload:
C:\Antivirus.System.Update.KB16889415-_.cpl.dll
and uses a Regsvr32 LOLBin to execute it.

This is a well-known attack vector, so the AVs (not only Defender) have more chances to detect it behaviorally compared to the MSI attacks with a side loading method.
The payload is a DLL so can be in theory detected by Defender's cloud-delivered protection - this is clearly stated in Microsoft's documentation (the support for MSI is not mentioned).
Finally, the CPL vector is extremely rare, even compared to MSI. I could find on Malware Bazaar hundreds of MSI malware, and 0 CPL samples.

So, even if we could find some samples undetected on VirusTotal or samples that could compromise Defender, the attacks via CPL files will not be as dangerous as in the case of MSI.
Anyway, if someone has access to this sample it would be good to check how efficiently Microsoft can fight it.
Click to expand...
Maybe it will be brought to the HUB, it can be found here (requires HA account):

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Antivirus.System.Update.KB16889415 - 복사본.cpl'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
hybrid-analysis.com hybrid-analysis.com
Confirmed working inside Win 10 x64, ShadowDefender environment, F-Secure FreeDome VPN, not blocked by K7 Ultimate Security v16.0.0701 behaviour blocker / Anti-Ransomware module, though DataLocker safes my precious documents. Already reported to K7 staff.
 
  • Like
Reactions: Nevi, SeriousHoax, roger_m and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Anthony Qian said:
1. According to the tester, all the test files were unfortunately encrypted.
2. "Behavior:Win32/Execution.A!ml" is a detection created in the cloud? I'm unsure because the suffix is not "!cl".
3. The tester may not be the first victim, as the sample was uploaded to VT the day before yesterday.
4. Many MSI Magniber samples on MalwareBazaar were actually uploaded by a member of Kafan (the forum mentioned above). This tester also tested MSI-based Magniber vs Microsoft Defender in the past, and the results were not satisfying.
Click to expand...
Could you post a link to this test?
 
  • Like
Reactions: SeriousHoax and vtqhtr413
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Anthony Qian said:
...
2. "Behavior:Win32/Execution.A!ml" is a detection created in the cloud? I'm unsure because the suffix is not "!cl".
...
Click to expand...

The suffix !cl does not mean "cloud", but it is a specific category:
  • !cl: an internal category used to refer to some threats
Click to expand...
https://docs.microsoft.com/en-us/mi...telligence/malware-naming?view=o365-worldwide

The detection with !cl suffix can happen when scanning the system, for example:
https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2544

The !ml suffix means machine learning. When cloud-delivered protection works, the file can be
sometimes uploaded to the cloud backend and after creating the fast detection it is downloaded to the client machine. Next, Defender can block the file/process by using this behavior-based detection. I do not know if the detection was done with or without the cloud backend, so I asked for the link to the test.

As soon as the sample was uploaded, a backend file-processing system analyzed the sample. A multi-class machine learning classifier determined there was more than a 95% chance that the file was malicious. The cloud protection service created a signature, which it sent back to client.
Click to expand...
https://www.microsoft.com/security/...me-defense-against-never-before-seen-malware/
 
Last edited:
  • Like
  • +Reputation
Reactions: vtqhtr413, Nevi, SeriousHoax and 2 others
D

Digmoons

New Member
Jun 13, 2022
6
wow, so few software detecting it in Virus Total. Recently I've switched from Kaspersky to F-Secure, but if it was today, I think I would have renewed Kaspersky.
I'm afraid...😱
 
  • Like
Reactions: vtqhtr413

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,308
Video Reviews - Security and Privacy
tofargone
tofargone
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus (Default Settings + DefenderUI Recommanded Settings)
Replies
34
Views
3,256
Video Reviews - Security and Privacy
lokamoka820
lokamoka820
Gandalf_The_Grey
    • Like
Technology MSN brand is back with a fresh new logo to replace 'Microsoft Start'
Replies
0
Views
133
Technology News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top