Chinese Hacking Group APT41 Exploits Google Calendar to Target Governments
Andy Ful wrote (post 1127832):

The attackers enhanced the attack vector known for several years:

phishing ---> ZIP archive ----> LNK -----> RunDLL32 -----> DLL loader (decrypted payload) ----> Process Hollowing -----> abusing legal cloud services for C2

State-sponsored phishing is often successful, so antivirus software attempts to detect the attack when the DLL loader is executed. When the RunDLL32 LOLBin is used, some AVs can efficiently block the attack via Advanced Threat Protection features (like Microsoft Defender ASR rules) or LOLBin restrictions (like Comodo Script Analysis). Such loaders have a low level of suspicious IOCs at the pre-execution stage, so the attack can be detected by Machine Learning only after some time. This time can be longer if the attackers use runtime-FUD malware (a unique crypter). It is probable that this was the case in this smart attack.

Top AVs can detect Process Hollowing methods (especially Enterprise versions). But I am not sure how effective they are against evolving attack methods.
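The post above argues that the practical detection point in this chain is the RunDLL32 stage (LNK double-click -> rundll32.exe -> DLL loader from a user-writable path). As an added example that is not part of the forum post, the following Python detector applies that reasoning to constructed Sysmon-style process-creation records. The heuristics (DLL loaded from a user-writable directory, explorer.exe as parent, rundll32 run with no module at all, parent running from a user-writable path) and the sample events are my own assumptions for illustration, not any vendor's rule set or data from the APT41 report:

```python
"""
Added example (not from the forum post): flag the rundll32 stage of a
phishing -> ZIP -> LNK -> rundll32 -> DLL loader chain from process-creation
events. Events and heuristics are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Paths an unprivileged phished user can write to. Explorer extracts a
# double-clicked ZIP member into %TEMP%\Temp1_<archive>.zip\, so DLLs
# launched from there are a classic sign of the ZIP -> LNK -> rundll32 step.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\temp\\|\\programdata\\|\\tmp\\)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    image: str          # Sysmon Event ID 1 "Image"
    cmdline: str        # "CommandLine"
    parent_image: str   # "ParentImage"


def _split_args(cmdline):
    """Minimal Windows-style argv split: keeps quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rundll32_module(cmdline):
    """Return the module rundll32 was asked to load ("" if none, None if the
    command line is not a rundll32 invocation). rundll32 syntax is
    <module>,<entrypoint> [args]; the module may be quoted."""
    args = _split_args(cmdline)
    if not args or not re.search(r"rundll32(\.exe)?$", args[0].lower()):
        return None
    if len(args) < 2:
        return ""
    return args[1].split(",", 1)[0]


def find_reasons(ev):
    """Return a list of human-readable reasons the event looks like the
    rundll32 loader stage; an empty list means 'nothing suspicious here'."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return []
    mod = rundll32_module(ev.cmdline)
    if mod is None:
        return ["could not parse rundll32 command line"]
    reasons = []
    if mod == "":
        # A bare rundll32.exe is a common host process for hollowing/injection.
        reasons.append("rundll32 launched with no module argument")
    else:
        if USER_WRITABLE.search(mod):
            reasons.append("loads module from user-writable path: " + mod)
        if not mod.lower().endswith(".dll"):
            # rundll32 loads any PE regardless of extension; loaders exploit this.
            reasons.append("module lacks .dll extension: " + mod)
    parent = ev.parent_image.lower()
    if reasons and parent.endswith("\\explorer.exe"):
        # explorer.exe parent is what a double-clicked .lnk produces.
        reasons.append("spawned by explorer.exe (consistent with LNK double-click)")
    if USER_WRITABLE.search(parent):
        reasons.append("parent runs from user-writable path: " + ev.parent_image)
    return reasons


def triage(events):
    """Return (index, reasons) for every event that triggers a heuristic."""
    return [(i, r) for i, ev in enumerate(events) if (r := find_reasons(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\Temp1_invite.zip\invite.dll",Run',
              r"C:\Windows\explorer.exe"),            # the LNK -> rundll32 stage
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
              r"C:\Windows\explorer.exe"),            # benign Control Panel applet
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\plugin.dll",Init',
              r"C:\Program Files\Vendor\svc.exe"),    # benign installed software
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe",
              r"C:\Users\alice\Downloads\invoice.exe"),  # bare host process
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),   # unrelated
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].cmdline}")
        for r in reasons:
            print("   -", r)
```

The point of the example is the one the post makes: the loader DLL itself may carry few static IOCs, but the way it is launched (rundll32 from explorer.exe, module in a temp or download folder) is observable at process creation, which is exactly what ASR-style rules and LOLBin restrictions key on. In a real deployment the user-writable path list and the parent-process logic would be tuned against the environment's own baseline of legitimate rundll32 use (Control Panel applets, installers, printer drivers).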