App Review Antivirus vs RedLine Stealer malware Competition

Content created by Shadowra

Trident (Level 28, Verified, Top Poster, Well-known; Feb 7, 2023; 1,736)
damage is a possibility concerning time has passed.
Damage with stealers is caused about 20-30 seconds after execution from my long practice of playing with them, including on various emulation sites. They usually have a long sleep of about 10-15 seconds and then extract a copy of themselves somewhere (might be the startup folder in start menu, might be somewhere else). Once they do that, they will harvest the data. By the time you even type KVRT on Google, it’s already too late, let alone doing a full scan with it.

The test I performed is slightly different but still had plenty of rats and stealers.
 

cruelsister (Level 42, Verified, Honorary Member, Top Poster, Content Creator, Well-known; Apr 13, 2013; 3,147)
Damage with stealers is caused about 20-30 seconds after execution from my long practice of playing with them, including on various emulation sites. They usually have a long sleep of about 10-15 seconds and then extract a copy of themselves somewhere (might be the startup folder in start menu, might be somewhere else). Once they do that, they will harvest the data. By the time you even type KVRT on Google, it’s already too late, let alone doing a full scan with it.

The test I performed is slightly different but still had plenty of rats and stealers.
Although some stealers do have delayed starts and extended sleep functions, some are essentially instantaneous in data theft and transmission.
 

Trident (Level 28, Verified, Top Poster, Well-known; Feb 7, 2023; 1,736)
Although some stealers do have delayed starts and extended sleep functions, some are essentially instantaneous in data theft and transmission.
It depends on how the agent will be configured. Most of them are truly versatile and have various options. You can configure the refresh rate for the event listener on RATs, sleeps, anti-termination options (such as causing a BSOD on termination) and many others. It all depends on what the customer (attacker) wants. Attackers who are more knowledgeable allow long sleeps to evade sandboxing and threat emulation — they still don’t know that long sleeps are ignored.
 

pvsurfer (Level 1, Verified; Oct 20, 2019; 32)
Even if stealer malware avoids AV detection/cleaning, any theft can be prevented if the firewall blocks 'non-whitelist' outbound connections. In that regard I find Malwarebytes' Windows Firewall Control (freeware) does a great job.
 

Trident (Level 28, Verified, Top Poster, Well-known; Feb 7, 2023; 1,736)
Even if stealer malware avoids AV detection/cleaning, any theft can be prevented if the firewall doesn't allow 'non-whitelist' outbound connections. In that regard I find Malwarebytes' Windows Firewall Control (freeware) does a great job.
It then depends on how the agent will be delivered. If it is injected into a benign LOLBin such as aspnetcompiler, msbuild and many others, these are MS-signed executables. It is unlikely that the user will realise a stealer is trying to connect.

There is no 100% protection in any case. Even if Antivirus X on test Y has blocked more, attackers will go to great lengths to evade detection and they will, one way or another.
 
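The two behaviours Trident describes (a stealer sleeping, copying itself into the Startup folder and then harvesting and sending data, and a payload injected into a Microsoft-signed LOLBin so the outbound connection looks benign) are exactly what host telemetry can correlate. The following Python is an added illustration, not code from any poster or product in this thread: it runs a small correlation over constructed, Sysmon-style process events and flags (a) a process that writes into a Startup folder and connects out within a short window, and (b) an outbound connection made by a known LOLBin. The event fields, the LOLBin list and the 60-second window are assumptions for the demo.

```python
"""Toy correlation over constructed, Sysmon-style process events.

Flags the two behaviours discussed in the thread:
  * a process writes into a Startup folder and opens an outbound connection
    shortly afterwards (drop, then harvest/exfiltrate), and
  * an outbound connection made by a Microsoft-signed LOLBin such as
    msbuild.exe or aspnet_compiler.exe.
Field names, paths, the LOLBin list and the window are assumptions for this demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: a short, illustrative LOLBin list; a real deployment would use a
# maintained list (e.g. the LOLBAS project) and tune it per host.
LOLBINS = {"msbuild.exe", "aspnet_compiler.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Both the per-user and the all-users Startup folders end with this path suffix.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# A copy placed in Startup followed by a connection within this many seconds is
# treated as one chain (the thread cites roughly 20-30 s from execution to harvest).
DROP_TO_CONNECT_WINDOW_S = 60.0


@dataclass(frozen=True)
class Event:
    ts: float    # seconds on a constructed timeline
    kind: str    # "file_create" or "net_connect"
    pid: int
    image: str   # full path of the acting process
    target: str  # created file path, or "host:port" for net_connect


def is_startup_path(path: str) -> bool:
    return STARTUP_MARKER in path.lower()


def image_name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event]) -> List[Tuple[str, int, str, str]]:
    """Return (rule, pid, detail, target) findings in timeline order."""
    findings = []
    last_drop = {}  # pid -> (timestamp, path written into a Startup folder)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create" and is_startup_path(ev.target):
            last_drop[ev.pid] = (ev.ts, ev.target)
        elif ev.kind == "net_connect":
            name = image_name(ev.image)
            if name in LOLBINS:
                findings.append(("lolbin_outbound", ev.pid, name, ev.target))
            if ev.pid in last_drop:
                t0, dropped = last_drop[ev.pid]
                if 0 <= ev.ts - t0 <= DROP_TO_CONNECT_WINDOW_S:
                    findings.append(("startup_drop_then_connect", ev.pid, dropped, ev.target))
    return findings


# Constructed sample timeline (not real telemetry).
STARTUP_DIR = "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    Event(100.0, "file_create", 4242, "C:\\Users\\bob\\Downloads\\invoice.pdf.exe",
          STARTUP_DIR + "svchosts.exe"),                                   # self-copy into Startup
    Event(118.0, "net_connect", 4242, "C:\\Users\\bob\\Downloads\\invoice.pdf.exe",
          "198.51.100.23:443"),                                            # 18 s later: beacon
    Event(200.0, "net_connect", 5100, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
          "203.0.113.9:8080"),                                             # signed LOLBin connecting out
    Event(205.0, "net_connect", 7000, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
          "142.250.0.1:443"),                                              # ordinary browser traffic
    Event(300.0, "file_create", 900, "C:\\Windows\\explorer.exe",
          STARTUP_DIR + "OneNote.lnk"),                                    # user-made shortcut, no beacon
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports the invoice.pdf.exe drop-then-connect chain and the MSBuild outbound connection, and stays silent on Chrome and on the Explorer-created shortcut. The window is the tunable part: as cruelsister notes, some stealers transmit almost instantly and others sleep first, so a production rule would keep the drop event around for much longer than a minute and rely on the process lineage rather than a fixed delay.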

zkSnark (Level 5, Verified, Well-known; Jan 13, 2019; 203)
It then depends on how the agent will be delivered. If it is injected into a benign LOLBin such as aspnetcompiler, msbuild and many others, these are MS-signed executables. It is unlikely that the user will realise a stealer is trying to connect.

There is no 100% protection in any case. Even if Antivirus X on test Y has blocked more, attackers will go to great lengths to evade detection and they will, one way or another.
So what is the most effective way for protection? Do you suggest any particular AV + other tools for at least 99.9% protection?
 

Trident (Level 28, Verified, Top Poster, Well-known; Feb 7, 2023; 1,736)
So what is the most effective way for protection? Do you suggest any particular AV + other tools?
No, I suggest that users are vigilant at all times and only work with a small set of trusted apps.

Below are the builders of 2 RATs; there are many others too.


[attached image: IMG_1330.jpeg]
[attached image: IMG_1329.jpeg]

Apart from the various config options there, the attackers have different ways of distributing them and this is where their true creativity gets unlocked. It could be presented as a crack, it could be as a shortcut, through weaponised documents, scripts and many others. Users should always observe, think and suspect — and avoid executing anything that looks suspicious.
 

ErzCrz (Level 21, Verified, Top Poster, Well-known; Aug 19, 2019; 1,023)
A little OT but a quick CF question @cruelsister, as I'm trialling using CF with MD or full CIS. Question is, do you get a lot of Edge firewall blocks to ports 25 & 1900? It only happens when I swap over to the Proactive config, but just wondering whether this was something to ignore? It didn't happen with Win 10.

EDIT: Seems I was connected to the same network name but named (2) and (3) but not connected to the actual 192.168.0.1 router. Win 11 had set network profile as public so may be why CF detecting as network 192.168.0.17 with gateway 192.168.0.1. I think I'll ignore the 100s of log entries or create specific rules.

Love your vids.
 

cruelsister (Level 42, Verified, Honorary Member, Top Poster, Content Creator, Well-known; Apr 13, 2013; 3,147)
A little OT but a quick CF question @cruelsister, as I'm trialling using CF with MD or full CIS. Question is, do you get a lot of Edge firewall blocks to ports 25 & 1900? It only happens when I swap over to the Proactive config, but just wondering whether this was something to ignore? It didn't happen with Win 10.

EDIT: Seems I was connected to the same network name but named (2) and (3) but not connected to the actual 192.168.0.1 router. Win 11 had set network profile as public so may be why CF detecting as network 192.168.0.17 with gateway 192.168.0.1. I think I'll ignore the 100s of log entries or create specific rules.

Love your vids.
Thank you! My suggestion is that you don't bother with the full CIS as you really do not need the manual scanning functionality of it and CF already has an on-access cloud AV.

As to Containing (sandboxing) Edge or any other browser, I personally don't do that myself as there is little point (as far as infection to the computer is concerned) in doing so as any infective mechanism is extrinsic to the browser, and not actually arising from it.
 

Shadowra (Level 34, Thread author, Verified, Top Poster, Content Creator, Malware Tester, Well-known; Sep 2, 2021; 2,306)
So what is the most effective way for protection? Do you suggest any particular AV + other tools for at least 99.9% protection?

A good antivirus, stay up to date (Windows, Java, risky software, etc.) and don't click anywhere.
No antivirus will protect you 100%.

No, I suggest that users are vigilant at all times and only work with a small set of trusted apps.

Below are the builders of 2 RATs; there are many others too.

The base of your 2 clients is the same, which is njRAT (named Bladabindi by the antiviruses), an open-source RAT that can be modified at will.
But you are right about the rest, the attacker can check what he wants. RATs are a bit like the "poor man's botnet".
 

Trident (Level 28, Verified, Top Poster, Well-known; Feb 7, 2023; 1,736)
True. Bladabindi/njRAT/Ratenjay (Symantec) is one of the most commonly distributed RATs, originally developed by Houdini’s mate Naser Al Mutairi. Houdini (Mohamed Benabdellah) was mostly famous for his Dinihou and H-Worm, which were worm+RAT. They were spreading on removable drives by replacing harmless files with a shortcut that both executed the file and at the same time delivered njRAT.

The tactic has since inspired many.

njRAT and its derivatives have remained a “poor man's affair” due to their being widely available cracked, but other RATs and stealers offer even more versatile configuration in the backend.

For example, this is Agent Tesla.
[attached image: IMG_1332.jpeg]

Vidar, njRat and Agent Tesla still account for a large proportion of the infections worldwide, as they provide a low- to no-cost way of stealing data.

 
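The removable-drive trick Trident attributes to H-Worm and its njRAT payload (a harmless file on the stick replaced by a shortcut that opens the file and runs the malware alongside it) leaves a simple artefact: a .lnk sitting beside, and named after, a data file. The Python below is an added example, not code from any poster or from the malware families named; it walks a directory and lists every shortcut that shadows a same-named file. The USB-stick layout is constructed in a temporary directory, and the check never opens or resolves the shortcuts.

```python
"""Heuristic sweep for the removable-drive lure described in the thread: a
.lnk shortcut placed beside (and named after) a legitimate data file so that
double-clicking the "file" runs the shortcut instead.  The directory layout
is constructed for the demo; the check is a filename comparison only and
never opens or resolves any shortcut.
"""
import os
import tempfile
from typing import List, Tuple


def find_shortcut_lures(root: str) -> List[Tuple[str, str, str]]:
    """Return (directory, shortcut, twin_file) for every .lnk that shadows a
    same-named file: 'photo.jpg.lnk' beside 'photo.jpg', or 'report.lnk'
    beside 'report.docx'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4]  # drop the ".lnk" suffix
            for other in files:
                if other == name:
                    continue
                # exact twin ("photo.jpg") or same basename ("report" vs "report.docx")
                if other == stem or os.path.splitext(other)[0] == stem:
                    hits.append((dirpath, name, other))
    return hits


def build_demo_drive() -> str:
    """Create a throwaway directory mimicking a USB stick (constructed data)."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    for fname in ("holiday.jpg", "holiday.jpg.lnk",   # lure pair 1
                  "report.docx", "report.lnk",        # lure pair 2
                  "Firefox.lnk", "notes.txt"):        # ordinary shortcut, plain file
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(b"placeholder")  # contents are irrelevant to the check
    return root


if __name__ == "__main__":
    demo = build_demo_drive()
    for directory, lnk, twin in find_shortcut_lures(demo):
        print(f"{directory}: {lnk!r} shadows {twin!r}")
```

On the demo layout this reports holiday.jpg.lnk and report.lnk and ignores Firefox.lnk, which has no twin. Real lures usually also set the hidden attribute on the original file so only the shortcut is visible; a name-based sweep catches the pair either way, which is why it is a cheap check to run against any drive before opening its contents.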

ErzCrz (Level 21, Verified, Top Poster, Well-known; Aug 19, 2019; 1,023)
Thank you! My suggestion is that you don't bother with the full CIS as you really do not need the manual scanning functionality of it and CF already has an on-access cloud AV.

As to Containing (sandboxing) Edge or any other browser, I personally don't do that myself as there is little point (as far as infection to the computer is concerned) in doing so as any infective mechanism is extrinsic to the browser, and not actually arising from it.
Thank you! Working great and quietly protecting me using your config.
 
