App Review Defender vs a Novel Stealer Variant

Content created by
cruelsister

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
This malware has been rather widespread lately as it is being sold by the original coders to the less sophisticated on the Darkweb. Although the vast majority making their way into the Wild are clones and the dropped file is detectable, point builds of the actual dropper, which are fairly frequent, are not, and thus the issue.

But nonetheless the mechanism is pretty.



(ps- video used Win11 with StartAllBack desktop, and
WD Antimalware Client Version: 4.18.2211.5)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I asked myself many times: Why did Microsoft not choose to (optionally) protect exclusions via Tamper Protection?
Microsoft guys think that this method cannot be used as an initial attack vector but only to obtain persistence. That is partially true. Furthermore, adding exclusions is not a perfect solution, because it works only on the pre-execution level - the malware can still be detected by behavior.

Anyway, I think that @cruelsister is right in the case of info stealers. The behavior of such malware is usually hardly detected, because its impact on the system is minimal and well hidden.
This malware (and many more) can be mitigated by hardening the firewall (blocking outbound connections to LOLBins, like powershell.exe, vbc.exe, etc.).
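
The outbound-block rules Andy Ful describes, as an added example written for this thread (not Hard_Configurator's or Andy Ful's code). The binary list extends his two names (powershell.exe, vbc.exe) with other script hosts and compilers; that list and the rule-name prefix are my assumptions.

```powershell
# Added example: block outbound network access for script hosts and compilers
# that droppers and info stealers commonly abuse as download/execution helpers.
# Run from an elevated PowerShell session. Windows Firewall evaluates block rules
# before allow rules, so these win over any existing allow rule for the same program.
# The list below is an assumption that extends the two names in the post.
$lolbins = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\csc.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe"
)

foreach ($exe in $lolbins) {
    if (-not (Test-Path $exe)) { continue }   # skip binaries absent on this build
    $name = "Harden: block outbound " + (Split-Path $exe -Leaf) + " (" + $exe + ")"
    # Idempotent: do not create a duplicate rule on a second run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Review what is now in place. Note that the administrative PowerShell console
# itself loses outbound access (e.g. Update-Help, Install-Module) while the
# powershell.exe rules are enabled; disable them temporarily for such tasks.
Get-NetFirewallRule -DisplayName "Harden: block outbound *" |
    Select-Object DisplayName, Enabled, Action
```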
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
It is worth mentioning that info stealers are a rather general problem. Many samples are unique (seen only on a single machine), so if they initially bypassed the AV and could elevate, then they can persist in the system for several days.
For Home AVs, probably the best mitigation method is Network Protection or Firewall hardening. Although the particular sample can be unique to a single machine, most of the morphed samples of the particular malware usually connect to the same servers. So the AVs can blacklist the servers' IPs to mitigate the malware.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Similar to the creation of a malicious dropper adding (or deleting) rules in WF, it was just a matter of time before someone realized that the same could be done with Defender- code a file that could drop an otherwise detectable malicious file, and protect the nasty spawn by an exclusion. Sadly the "WD Is Enough" crowd will no doubt rather be living in CloudCookooLand than demanding that this bypass be immediately remediated (rant ends).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Using a free AV is like using two locks on the door. Is it enough? :unsure:
The first answer could be YES, because most people use two locks (at least in my country).
Another answer could be NO, because thieves think so and many people use cameras, alarms, and even dogs to protect homes.

Edit.
For casual users, I prefer something more than two locks. :)
 
ForgottenSeer 97327

Sadly the "WD Is Enough" crowd will no doubt rather be living in CloudCookooL
Comodo without CS-config is a not so well maintained, reasonably well performing security solution. The same applies to WD: without Andy Ful's Configure Defender and Simple Windows Hardening, WD is just a well performing one-size-serves-all security solution. That said, I always enjoy your videos which show holes and blind spots in security solutions. Without knowledgeable people like you (showing the shortcomings of blacklist solutions (y)), I would not have invested time to improve my security setup.

I think for my Microsoft based security setup WD is more than enough (my setup) and although I like parties, with WD Application Control and WD cloud whitelist there is no need for third-parties :)

BTW I just checked, but exclusions are disabled in GPO, so it must have been advice in Microsoft's 2019 security baseline or one of the GOV's security advices.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,613
It is worth mentioning that info stealers are a rather general problem. Many samples are unique (seen only on a single machine), so if they initially bypassed the AV and could elevate, then they can persist in the system for several days.
What is the typical point of entry or initial attack in this video? And generally? :unsure:
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
What is a Windows Ribbon Markup compiler?
The file shown is a fake Windows Ribbon Markup Compiler; naming the infostealer using a legitimate Microsoft file name is part of the obfuscation.
How does this generally make it on to a victim's device?
Email attachment (can be easily blocked by policy) or download link (download to user space; launch from there can easily be blocked by policy) are the most common attack vectors.
Could use a weaponized Office document or even a script that the user launches and then the file downloads in the background, drive-by download on older misconfigured systems, replacing a malicious file in a legitimate file download bucket.
There are many potential vectors.
The infostealer shown is part of MaaS (malware as a service) available for purchase on the dark web; it employs low-hanging-fruit type attacks that rely upon basic user mistakes. This is not in the arena of a sophisticated attack.
Company: Microsoft Corporation, digitally signed with a Sony certificate. Is this normal?
The digital signature is done by Sony and is fake.
The digital certificate is not issued by Sony (she deliberately did not show certificate details).
At a basic level, the way Microsoft Authenticode works: a digital certificate is purchased (applied for); the certificate authority is supposed to do due diligence to verify the applicant; the certificate is issued to the applicant, with a date range within which the applicant must apply the digital certificate to the file (that is the signature date/time stamp you see when you first open a signed file's properties; if the file is not signed within the date range issued by the certificate authority, the certificate is nullified in the certificate database). The digital certificate is accessed via Properties > Details > View Certificate, where the digital certificate validity date can be seen; it is years beyond the signature time stamp range.
There are techniques that can be used to apply fake certificates or ways to make a file appear that it is legitimately signed; then there is a completely separate method where a stolen certificate is applied. These methods are mainly figured out by the criminals through persistent efforts of trial and error; much information about such is online.
A file's digital signature is not the same as the digital certificate.
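
A way to check the points Andrezj raises (signature status, signer versus the version-info company name, certificate validity span, chain revocation) with the built-in Get-AuthenticodeSignature cmdlet; this is an added example, not code from the thread. The three-year threshold and the notepad.exe demo path are assumptions.

```powershell
# Added example: inspect a file's Authenticode signature the way a defender would.
# The "Company" field in a file's version info is free text chosen by whoever built
# the file; only the certificate subject is bound to the signature, so the two are
# compared here. The 3-year threshold is an assumption, not a platform rule.
function Test-SignerConsistency {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = if ($cert) { $cert.Subject }   else { $null }
        Issuer      = if ($cert) { $cert.Issuer }    else { $null }
        NotBefore   = if ($cert) { $cert.NotBefore } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter }  else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate   # countersignature present?
        Findings    = @()
    }

    if ($sig.Status -ne 'Valid') {
        $result.Findings += "Signature status is $($sig.Status): do not trust the publisher field."
    }
    if ($cert) {
        $company = (Get-Item $Path).VersionInfo.CompanyName
        if ($company -and $cert.Subject -notmatch [regex]::Escape($company)) {
            $result.Findings += "VersionInfo says '$company' but the certificate subject is '$($cert.Subject)'."
        }
        if (($cert.NotAfter - $cert.NotBefore).TotalDays -gt 3 * 366) {
            $result.Findings += "Certificate validity spans more than 3 years (unusual for a code-signing leaf)."
        }
        # Build the chain with online revocation checking, so a certificate revoked
        # after the file was signed is reported even if the cached status looks fine.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        if (-not $chain.Build($cert)) {
            $statuses = $chain.ChainStatus | Select-Object -ExpandProperty Status
            $result.Findings += ("Chain build failed: " + ($statuses -join ', '))
        }
    }
    [pscustomobject]$result
}

# Demo on a known-good system binary (assumed path); point it at any download instead.
Test-SignerConsistency -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```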
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
What is the typical point of entry or initial attack in this video? And generally? :unsure:
This can be any common initial attack vector, like a phishing email, fake website with pirated content, Google Ads, infected legit website (by exploit kits), etc. People can spread the links (sometimes with malicious intentions) via forums related to pirated content. In most cases, the user must manually bypass the SmartScreen alert to be infected. A simple and effective prevention (for a careful user) is using Edge web browser with enabled SmartScreen and PUA protection.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
The file shown is a fake Windows Ribbon Markup Compiler; naming the infostealer using a legitimate Microsoft file name is part of the obfuscation.
I knew it wasn't a windows markup compiler, but I was just wondering what a real windows markup compiler was about and who might be interested in that kind of file. Seems like it's a file that a software developer might be interested in? Just speculating of course.
Email attachment (can be easily blocked by policy) or download link (download to user space; launch from there can easily be blocked by policy) are the most common attack vectors.
Could use a weaponized Office document or even a script that the user launches and then the file downloads in the background, drive-by download on older misconfigured systems, replacing a malicious file in a legitimate file download bucket.
There are many potential vectors.
The infostealer shown is part of MaaS (malware as a service) available for purchase on the dark web; it employs low-hanging-fruit type attacks that rely upon basic user mistakes. This is not in the arena of a sophisticated attack.

Makes sense. These seem to be common vectors for most malicious files.
The digital signature is done by Sony and is fake.
The digital certificate is not issued by Sony (she deliberately did not show certificate details).
At a basic level, the way Microsoft Authenticode works: a digital certificate is purchased (applied for); the certificate authority is supposed to do due diligence to verify the applicant; the certificate is issued to the applicant, with a date range within which the applicant must apply the digital certificate to the file (that is the signature date/time stamp you see when you first open a signed file's properties; if the file is not signed within the date range issued by the certificate authority, the certificate is nullified in the certificate database). The digital certificate is accessed via Properties > Details > View Certificate, where the digital certificate validity date can be seen; it is years beyond the signature time stamp range.
There are techniques that can be used to apply fake certificates or ways to make a file appear that it is legitimately signed; then there is a completely separate method where a stolen certificate is applied. These methods are mainly figured out by the criminals through persistent efforts of trial and error; much information about such is online.
A file's digital signature is not the same as the digital certificate.

Thank you!
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
I knew it wasn't a windows markup compiler
Some variants will also use Microsoft Debug Information Assessor as a description. Visual Studio is a wonderful thing. As to the digital signature, a number of these were used, all of them invalidated within 24 hours. Just enough stuff going on to trick the novice (most of whom are convinced that Defender is Enough) into running a seemingly legitimate application.

The beauty of the malware- all the dropper needs is a few hours of zero-day status, as the Defender exclusion will make the stealer invisible to Defender. Of course any 3rd party second opinion scanners will detect and eradicate the malware, but the damage would already be done.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
The beauty of the malware- all the dropper needs is a few hours of zero-day status, as the Defender exclusion will make the stealer invisible to Defender.
I think that malware will be half-invisible because it can still be detected by behavior. By a simple modification, it can also be made half invisible against other AVs by auto-deleting the initial sample (often done by info stealers). Of course, this is not required when the malware has been prepared against the concrete AV (Microsoft Defender).
Still, allowing AV exclusions for any process running with high privileges is not a good idea (see my next post). This can be very useful for administrators in Enterprises, but unnecessary at home.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
Sadly the "WD Is Enough" crowd will no doubt rather be living in CloudCookooLand than demanding that this bypass be immediately remediated (rant ends).

Which begs the question: "what is enough?" Is a paid antivirus enough - can we rely implicitly on them, or are additional layers required?

I know you are not an advocate of the end user having to make educated decisions combined with common sense before running a file they downloaded from somewhere, because the anti-malware product should be infallible and warn them if it's malicious, but I'm not sure this perfect scenario will ever exist. In my case no matter what security solution I ever use, I won't place implicit faith in it ever.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
The real problem with exclusions is when the info stealer can download/run payloads. It will do it in the excluded folder so the payload does not have to be 0-day and can be detected only by behavior. That is why I would like to protect the exclusions by Tamper Protection.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The real problem with exclusions is when the info stealer can download/run payloads. It will do it in the excluded folder so the payload does not have to be 0-day and can be detected only by behavior. That is why I would like to protect the exclusions by Tamper Protection.
Totally agree with you, and this lack was the essential point of the video; it shouldn't be an issue to include blocking of this technique ("Add-MpPreference -ExclusionPath" or "-ExclusionWhatever") within Tamper Protection.
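
An audit of the state cruelsister and Andy Ful want Tamper Protection to cover, as an added example that is not part of the thread: it lists Defender exclusions via Get-MpPreference, flags those in user-writable or overly broad locations, and reports whether Tamper Protection is on (IsTamperProtected from Get-MpComputerStatus). The user-writable path list and the extension list are my assumptions.

```powershell
# Added example: audit Defender exclusions and Tamper Protection state.
# Uses the built-in Defender module (Get-MpPreference, Get-MpComputerStatus).
# The user-writable location list and the "risky extension" list are assumptions;
# a dropper running as admin can add exactly these kinds of entries and then
# run its payload from the excluded location without a pre-execution scan.
function Get-SuspiciousDefenderExclusions {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $userWritable = @(
        $env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
        "$env:SystemDrive\Users\Public", $env:ProgramData
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    $riskyExt = @('exe','dll','ps1','vbs','js','bat','cmd','scr')

    $findings = @()
    foreach ($p in @($pref.ExclusionPath) | Where-Object { $_ }) {
        $inUserSpace = $userWritable | Where-Object { $p -like "$_*" }
        # Whole drives or wildcards exclude far more than any legitimate app needs.
        if ($inUserSpace -or $p -match '^[A-Za-z]:\\?$' -or $p -eq '*') {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p
                Reason = 'user-writable or overly broad' }
        }
    }
    foreach ($e in @($pref.ExclusionExtension) | Where-Object { $_ }) {
        if ($e.TrimStart('.') -in $riskyExt) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e
                Reason = 'executable/script type excluded everywhere' }
        }
    }
    foreach ($proc in @($pref.ExclusionProcess) | Where-Object { $_ }) {
        # A process exclusion skips scanning of every file that process opens.
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc
            Reason = 'process exclusion hides everything it touches' }
    }
    if (-not $status.IsTamperProtected) {
        $findings += [pscustomobject]@{ Type = 'Config'; Value = 'TamperProtection'
            Reason = 'off: any elevated process can rewrite preferences' }
    }
    $findings
}

Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
```

Run it after the sample from the video has been cleaned up as well: the exclusion it added survives removal of the dropper unless it is deleted explicitly with Remove-MpPreference.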
 
