Malware News Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment

[Solarquest]

A sample of a potentially new ransomware called Erebus has been discovered by MalwareHunterTeam on VirusTotal. I say that this is a potentially new ransomware because TrendMicro had reported another ransomware using the same name was previously released back in September 2016. Though I do not have a sample of the original Erebus, from its outward characteristics, the one discovered today looks like either a complete rewrite or a new ransomware using the same name..

While at this time, it is not currently known how Erebus is being distributed, analysis of the ransomware shows some interesting features. The first, and most noticeable features, is the low ransom amount of ~$90 USD being requested by the ransomware. Another interesting features is its use of a UAC bypass that allows the ransomware to run at elevated privileges without displaying a UAC prompt.

Erebus performs a UAC Bypass by Hijacking the MSC File Association
When the installer for Erebus is executed, it will also utilize a User Account Control (UAC) bypass method so that victim's will not be prompted to allow the program to run at higher privileges. It does this by copying itself to a random named file in the same folder. It will then modify the Windows registry in order to hijack the association for the .msc file extension so that it will launch the random named Erebus executed instead.

The hijacked keys are shown below.
..more in the link above

 

[Solarquest]

Antivirus scan for ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791 at 2017-02-07 10:15:35 UTC - VirusTotal

 

[Parsh]

Nice share!

Symantec detection: ML.Attribute.HighConfidence

I'm not sure since when did Symantec provide ML analysis on uploaded files on VT. It has detected the threat with a 'Confidence Level', like Falcon and the other likes.
@Mr.Pr Dr.Web in action, and so is Kaspersky

 

[Like a Western!]

once i heard from one of Dr.Web staffs, Virustotal will share the samples with vendors, so why this sample still undetected by many vendors ? its an important one by the way !

 

[Parsh]

once i heard from one of Dr.Web staffs, Virustotal will share the samples with vendors, so why this sample still undetected by many vendors ? its an important one by the way !

On detection by any, yes the companies do get access to the samples but it takes time for them to ANALYSE it, CONFIRM it and then push out the SOLUTION.

Confirming it is quite important because there have been cases in history where one company claimed to have made a detection on VT and some others followed blindly. Those were some test conducted to inspect the malpractice by some budding AVs. Its said that Kaspersky had done that to reveal such practice by others.

 

[Like a Western!]

so this is about how their analyst are slow !

 

[Parsh]

so this is about how their analyst are slow !

Their? I assume that you aren't pointing to Kaspersky

 

[Like a Western!]

Their? I assume that you aren't pointing to Kaspersky

Kaspersky detected already this malware.
check VT link, Kaspersky & Dr.Web the best in this section IMO, specialy in detecting Governmental spywares ( Kaspersky may be not deect Russia governmental spywares ). i trust their VirLab

 

[Parsh]

Kaspersky detected already this malware.
check VT link, Kaspersky & Dr.Web the best in this section IMO, specialy in detecting Governmental spywares ( Kaspersky may be not deect Russia governmental spywares ). i trust their VirLab

That's a famous speculation regarding Kaspersky and may be true. Kaspersky works with Russian govt for defence and intelligence officially.
Anyways, lately Qihoo, Avast, Rising cloud, CrowdStrike ML have also been doing great on VT.

 

[Wingman]

Nice share!

I'm not sure since when did Symantec provide ML analysis on uploaded files on VT. It has detected the threat with a 'Confidence Level', like Falcon and the other likes.
@Mr.Pr Dr.Web in action, and so is Kaspersky

Hi All

Symantec detection "ML.Attribute.HighConfidence" is based on the new Machine learning algorithm available in SEP 14. I am not sure whether norton consumer products has capability as of now. For example, earlier versions of SEP (before 14) won't be detecting this sample as they do not have such capability. They might detect it through sonar/insight though but it's not possible to confirm atm . Most likely , if someone where to rescan the sample, you would notice a new signature from Symantec. Also please keep in mind that if a Vendor detects a sample, that doesn't necessary mean that the detection would be real-time visible in VT

 

[cruelsister]

A fairly large percentage of ransomware (and malware in general) do not trigger UAC even when it is set at the Max, so any UAC bypass by Erebus isn't really any surprise. Although UAC will indeed not allow some ransomware to proceed and will not allow manipulation of vssadmin in any case (thus stopping the deletion of Windows Restore Points), as absolute protection against file encryption it leaves loads and loads to be desired.

 

[Parsh]

Hi All

Symantec detection "ML.Attribute.HighConfidence" is based on the new Machine learning algorithm available in SEP 14. I am not sure whether norton consumer products has capability as of now. For example, earlier versions of SEP (before 14) won't be detecting this sample as they do not have such capability. They might detect it through sonar/insight though but it's not possible to confirm atm . Most likely , if someone where to rescan the sample, you would notice a new signature from Symantec. Also please keep in mind that if a Vendor detects a sample, that doesn't necessary mean that the detection would be real-time visible in VT

True mate.
The ML integrations look impressive and even if that doesn't come to many Symantec products soon, that will help getting more detections at their (Symantec) system, eventually being able to deliver a signature protection and base for heuristics to all Symantec AV products.

 

[Wingman]

Don't want to hijack the thread but just wanted to confirm that Symantec appears that have now release a signature

 

[DracusNarcrym]

UAC bypasses have been notorious... even in Windows 10 and in "Always Notify" settings.

One of the reasons I have disabled UAC is that it has been disproved, and the other is that since it has been disproved, it is officially an annoyance to me.

One might argue "why not have it, since you can" / "it works at kernel level" / "it doesn't hurt to have it anyway" / etc, but I believe that users that are advanced enough to do without it or to substitute it with other software, may benefit from the decreased hassle.

 

[tim one]

Windows, as it is designed, allows the malware to hide itself without problems, acting everywhere.
UAC is a layer but the "average" user is no longer suited to the modern needs of security.

 

[Handsome Recluse]

UAC bypasses have been notorious... even in Windows 10 and in "Always Notify" settings.

One of the reasons I have disabled UAC is that it has been disproved, and the other is that since it has been disproved, it is officially an annoyance to me.

One might argue "why not have it, since you can" / "it works at kernel level" / "it doesn't hurt to have it anyway" / etc, but I believe that users that are advanced enough to do without it or to substitute it with other software, may benefit from the decreased hassle.

But wouldn't it be useful to at least limit or control the damage to the system given it can't touch some stuff? Wouldn't this make for an easier recovery and reduce persistence?

 

[Solarquest]

Windows, as it is designed, allows the malware to hide itself without problems, acting everywhere.
UAC is a layer but the "average" user is no longer suited to the modern needs of security.

I agree, modern user is actually "lost"...Who has the time and then the knowledge to keep himself and the system updated enough to avoid most infection vectors?
Everything needs updates, every software has bugs, vulnerability.
IOTs, routers have buggy firmware/security.
Drive-by download are getting frequent...On "safe/knows sites" too.
A normal user updates windows, programs with auto-update features...And that's it.
I think security, or better, keeping a device safe is getting too complicated and time consuming for most people.

 

[DracusNarcrym]

But wouldn't it be useful to at least limit or control the damage to the system given it can't touch some stuff? Wouldn't this make for an easier recovery and reduce persistence?

Indeed, this falls under the last statement I presented in my reply: "Why not have it? Even if it's not 100% bulletproof, why not gain as much security as you can from it?"

To clarify, it's all about the "usability" to "potential/theoretical security provided" ratio.

In my own case, and from my own experience:
So far I have not run any software, that are genuinely unknown, and for which the UAC notification was warranted.

In other words, UAC has appeared on so many of my frequently used legitimate applications, when it absolutely and obviously did not have to.

In the end, it only added an extra step of user interaction during the startup of those applications, one that I deemed time consuming and bothersome enough, to disable it. (or, I set the applications to "Run as Administrator" as default, which is as good as disabling UAC in the first place - even though those applications did not need the administrator privileges)

I'm highly certain that there are plenty of powerusers out there that have been in a similar situation to mine, and decided to... end their relationship with UAC on account of frustrating alerts - alerts that for their computing habits, had no need to exist to begin with.

 

[FleischmannTV]

UAC bypasses have been notorious... even in Windows 10 and in "Always Notify" settings

One of the reasons I have disabled UAC is that it has been disproved

Actually none of those bypasses work on a standard user account with UAC, that's why the recommendation is to use that instead of disabling UAC.

In other words, UAC has appeared on so many of my frequently used legitimate applications, when it absolutely and obviously did not have to.

The applications absolutely and obviously requested elevated privileges, otherwise there wouldn't have been any alerts from UAC. Either you don't understand why the applications needed those privileges or they have been badly coded to needlessly request them.

 

[DracusNarcrym]

Actually none of those bypasses work on a standard user account with UAC, that's why the recommendation is to use that instead of disabling UAC.

If you were to test the effectiveness of UAC alone, you'd make sure that no other factor would interfere with the execution of the exploits.
It should be UAC vs its threats. Perhaps the developers should make a move at acknowledging the exploits and patching them. UAC is too much of a core security measure for such bypasses to be leniently misprioritized.
As for using as standard user account, that is indeed a measure of mitigation for such threats.

The applications absolutely and obviously requested elevated privileges, otherwise there wouldn't have been any alerts from UAC. Either you don't understand why the applications needed those privileges or they have been badly coded to needlessly request them.

Granted, and granted.
The fact that UAC blindly prompts the user at the execution of the very same, fully legitimate application, seems very unappealing to me. What if the application's function does warrant a UAC prompt, but is verified to be harmless, unless used by inexperienced users? This is were the "noob shield" function of the UAC prompts comes in - a standard account user trying to perform a change to Windows for example, that could mess up the system. This is the scenario where the user would be prompted with a UAC notification, which would also request the administrator's password (in a properly setup Windows environment) - and this is where the users would call the individuals who are certified to operate the endpoint with administrative privileges, and know the administrator password, i.e. the administrators.

The latter approach does not apply to power users, though, unless it acts like a last minute "misclick" protector (i.e. you accidentally click a button that runs a function that would require administrative rights, but you get the chance to take that action back because of the UAC prompt).

A safe application is safe, in an isolated workstation environment.