Evasive VBS with very low VT

Status
Not open for further replies.

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,617
And for me its sophos, how do I change that?

How do you know you're on the Sophos engine?
If you're like me, you're on Kaspersky, not Sophos.
If not, see if you can switch as you see on the screen. If not, contact CheckPoint support.
Capture d’écran 2023-06-29 144825.png
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Is it just threat intelliegence or also its behavior blocker and other stuff aswell
It’s not just threat intelligence, it is the anti-malware scanning engine.
For Sophos this is Sophos Antivirus Interface (SAVI SDK)

For Kaspersky, this is Kaspersky Antivirus Protection System (AVP)

To change at any time go to Infinity Portal.
Click on Policy -> Software Deployment -> Windows
Select any DHS Compliant version to deploy Sophos.
Select version without DHS compliant in it to use Kaspersky local engine.

Behavioural blocking is not provided neither by Kaspersky, nor by Sophos. It is proprietary Check Point technology and it’s quite good.
The local anti-malware engine provides local emulation (dynamic analysis), signatures and heuristics. Both Kaspersky and Sophos are heavily based on heuristics. Check Point already includes NGAV that’s based on static analysis.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
I did not read this whole thread, too many posts.
But the initial file is pretty simple. If you unpack the initial obfuscation layer, it looks like this:

1688046132531.png


It is a malware downloader.

The downloaded file is a bit more interesing, I just uploaded it here, it has 0 detections:

It updates itself from this location: VirusTotal
The updated file atom.xml: atom.xml decodes this DLL VirusTotal
This DLL never touches the disk, so the AV scanner detections are not an indicator if this part is detected at all.

The DLL is used to decode another encrypted file, which is then injected into the legitimate RegSvcs.exe and Msbuild.exe processes as can be seen below. $data2 is here the final payload and $data1 is the DLL used for decoding.

1688048438448.png


Final payload decryption is a bit more involved because I need to execute it in a VM to do that (everything else was statically decoded), I might update later.
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
I did not read this whole thread, too many posts.
But the initial file is pretty simple. If you unpack the initial obfuscation layer, it looks like this:

View attachment 276718

It is a malware downloader.

The downloaded file is a bit more interesing, I just uploaded it here, it has 0 detections:

It updates itself from this location: VirusTotal
The updated file atom.xml: atom.xml decodes this DLL VirusTotal
This DLL never touches the disk, so the AV scanner detections are not an indicator if this part is detected at all.

The DLL is used to decode another encrypted file, which is then injected into the legitimate RegSvcs.exe and Msbuild.exe processes as can be seen below. $data2 is here the final payload and $data1 is the DLL used for decoding.

View attachment 276720

Final payload decryption is a bit more involved because I need to execute it in a VM to do that (everything else was statically decoded), I might update later.
I'll keep the samples coming:) This is fun
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
But the initial file is pretty simple. If you unpack the initial obfuscation layer, it looks like this:
Yeah, on my forensics report I have the full content captured by the AMSI. I noticed it replaces calc with IEX… the AMSI bypass line was not there but the detections itself was triggered by it. Not sure if maybe the AV manipulates PS to ignore that.

The other script’s full content was also provided, it was quite long. I’ll dm it to you in a moment.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
I unpacked the injected final payload. Here it is: VirusTotal

The final payload is XWorm backdoor, version 3.1. You can find the malware name and version in the code itself.

1688052937533.png



The most interesting is the config, it has a rather complicated decryption function, but good thing is we can just call the function from PowerShell.
Here you see Host, Port, KEY, SPL, USBNM (in that order):

1688052701095.png
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,617
I unpacked the injected final payload. Here it is: VirusTotal

The final payload is XWorm backdoor, version 3.1. You can find the malware name and version in the code itself.

View attachment 276727


The most interesting is the config, it has a rather complicated decryption function, but good thing is we can just call the function from PowerShell.
Here you see Host, Port, KEY, SPL, USBNM (in that order):

View attachment 276726

Very surprised not to see Kaspersky detected, even though it's excellent at blocking RATs o_O
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Very surprised not to see Kaspersky detected, even though it's excellent at blocking RATs o_O
Detected or not doesn’t really matter. That detection is on the payload when @struppigel has decrypted/converted to normal hex code. This attack involves the payload converted to binary from what I saw and it is encrypted. It never touches the disk, it is downloaded in a byte array in memory and finally it is injected in a legitimate process (most likely via process hollowing). Kaspersky memory scanner may detect the final payload once it is injected, but many antiviruses that don’t have memory scanning will just see the trusted executable and will conclude there is nothing wrong.

Nevertheless, Kaspersky blocks the initial downloader.
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
Detected or not doesn’t really matter. That detection is on the payload when @struppigel has decrypted/converted to normal hex code. This attack involves the payload converted to binary from what I saw and it is encrypted. It never touches the disk, it is downloaded in a byte array in memory and finally it is injected in a legitimate process (most likely via process hollowing). Kaspersky memory scanner may detect the final payload once it is injected, but many antiviruses that don’t have memory scanning will just see the trusted executable and will conclude there is nothing wrong.

Nevertheless, Kaspersky blocks the initial downloader.
Layers.

I unpacked the injected final payload. Here it is: VirusTotal

The final payload is XWorm backdoor, version 3.1. You can find the malware name and version in the code itself.

View attachment 276727


The most interesting is the config, it has a rather complicated decryption function, but good thing is we can just call the function from PowerShell.
Here you see Host, Port, KEY, SPL, USBNM (in that order):

View attachment 276726
If I needed to do DFIR for that customer... I know that I would find that implant. Nice break down.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
If I needed to do DFIR for that customer... I know that I would find that implant. Nice break down.
Yara signatures on process memory could detect the final payload because in memory it is already “naked” and in its true form. There is no encryption and conversion. In addition, IPS signatures and systems such as Symantec IPS, Snort, Surikata, Check Point IPS/Anti Bot and others will detect all communication attempts.
 

Xeno1234

Level 14
Jun 12, 2023
684
It’s not just threat intelligence, it is the anti-malware scanning engine.
For Sophos this is Sophos Antivirus Interface (SAVI SDK)

For Kaspersky, this is Kaspersky Antivirus Protection System (AVP)

To change at any time go to Infinity Portal.
Click on Policy -> Software Deployment -> Windows
Select any DHS Compliant version to deploy Sophos.
Select version without DHS compliant in it to use Kaspersky local engine.

Behavioural blocking is not provided neither by Kaspersky, nor by Sophos. It is proprietary Check Point technology and it’s quite good.
The local anti-malware engine provides local emulation (dynamic analysis), signatures and heuristics. Both Kaspersky and Sophos are heavily based on heuristics. Check Point already includes NGAV that’s based on static analysis.
Which do you personally think is better, and do you think Checkpoints Behavioral Detection is better than Kaspersky or Sophos aswell?

Very surprised not to see Kaspersky detected, even though it's excellent at blocking RATs o_O
VirusTotal has a delay on Cloud Protection, looking now it was detected by behavioral detection whenever someone tried to use it maliciously.
 
  • Like
Reactions: Shadowra

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
Yara signatures on process memory could detect the final payload because in memory it is already “naked” and in its true form. There is no encryption and conversion. In addition, IPS signatures and systems such as Symantec IPS, Snort, Surikata, Check Point IPS/Anti Bot and others will detect all communication attempts.
Yes but I'm taking about blind DFIR. Having zero prior knowledge of the sample. Identifying the infection after post execution.
 
  • Like
Reactions: Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Which do you personally think is better, and do you think Checkpoints Behavioral Detection is better than Kaspersky or Sophos aswell?
There is no way to establish whose behavioural blocking is better as on many antiviruses, behavioural blocking relies on data already extracted by other layers such as dynamic and static analysis. Many AVs do not allow you to switch off antivirus and leave just the behavioural blocking on. And if you do, you may be decreasing its effectiveness. Sophos Intercept X is not anything special.
For example Symantec detected the initial downloader with ISB which is their script emulator.
Yes but I'm taking about blind DFIR. Having zero prior knowledge of the sample. Identifying the infection after post execution.
Continuing on script emulators, unfortunately this is one of the attacks that may slip past some defences, I believe G Data (@struppigel will know here) uses memory CONTENT (not just image path) scanning. Same for Kaspersky and Bitdefender. CrowdStrike uses Intel TDT/VPro enhanced memory scanning as well. Some AVs where the script emulation is not sophisticated enough and memory content scanning is not performed may block secondary payloads once the URL is known malicious. Other than that, it will be a miss.

The attack relies on introducing a payload that even Nano Antivirus and Protegent will detect in a way that the AV may not notice.

Lesson to you, if you see no data encrypted and code injected somewhere, this is most likely some Infostealer/RAT. You need to check scheduled tasks, start menu startup folder and others as this is how it will maintain persistence after reboot.
 
Last edited:

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
There is no way to establish whose behavioural blocking is better as on many antiviruses, behavioural blocking relies on data already extracted by other layers such as dynamic and static analysis. Many AVs do not allow you to switch off antivirus and leave just the behavioural blocking on. And if you do, you may be decreasing its effectiveness. Sophos Intercept X is not anything special.
For example Symantec detected the initial downloader with ISB which is their script emulator.

Continuing on script emulators, unfortunately this is one of the attacks that may slip past some defences, I believe G Data (@struppigel will know here) uses memory CONTENT (not just image path) scanning. Same for Kaspersky and Bitdefender. CrowdStrike uses Intel TDT/VPro enhanced memory scanning as well. Some AVs where the script emulation is not sophisticated enough and memory content scanning is not performed may block secondary payloads once the URL is known malicious. Other than that, it will be a miss.

Lesson to you, if you see no data encrypted and code injected somewhere, this is most likely some Infostealer/RAT. You need to check scheduled tasks, start menu startup folder and others as this is how it will maintain persistence after reboot.
I use Unhackme Professional. These are all items in the scope of inspection. It's all manual. Already would have looked in those spots. Thanks bro but I am aware.
 
  • Like
Reactions: Trident
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top