Fake Huorong Download Site Used to Deploy ValleyRAT Backdoor in Targeted Malware Campaign

Kaspersky

Avast blocks the website and installer. Avast doesn't specifically detect the strain of malware embedded in the installer here, but it does recognize that there's little reason to trust the file.

Yes, I'm sure it was uploaded. I have TrafficMonitor installed. As soon as Kaspersky's icon turned red, it started to upload it. It took a few seconds to upload as the file was 193 MB. In addition, it may have uploaded other files extracted by the malware. This is a common pattern whenever I test Kaspersky against a sample that it has never seen before. Most products don't upload the whole file, but Kaspersky does quite often. That's how the NSA employee's secret hacktool file, which Kaspersky deemed suspicious, ended up on Kaspersky's KSN server, even though it was that employee who was being stupid while Kaspersky was just doing its job as it is designed to.
Opentip is not always reliable. Sometimes it doesn't find the hash if the file wasn't uploaded manually to Opentip. But even then, it's as if Kaspersky has forgotten about this file. I have manually uploaded it now and it says it's safe 😂

I won't say ESET is overrated, but you may call it overrated only in the sense that it has some obvious weaknesses, like ransomware and MBR-destroyer malware, which many users may not know about; though the case of ransomware has improved in the last couple of years.
I would say it's underrated in the sense that it can still detect almost all threats locally pre-execution by signatures & heuristics + what they call their DNA detection with no/rare help from the cloud, which is very impressive. The more you detect pre-execution, the better, but a high detection rate by a behavior blocker looks more fancy, so this very high pre-execution detection rate of ESET is often not appreciated as much.

ESET also blocks this RAT. It detected the same file that BD detected + one more PUA.
Ok, thanks for the clarification. To prove ESET's effectiveness I will upload my tests soon; a few are recorded and editing is pending. That will make clear why I think ESET is overrated.
 
Any AV can fail a certain test and pass another. Sure, if you compare ESET with BD or Kaspersky, it lags behind since it doesn't have any fancy BB, but ESET has great signatures. This has both its advantages and disadvantages. It can detect many samples before execution, but if a sample can evade the detection there's nothing much ESET can do. K & BD will stop the attacks with their BB, but other than ransomware I'll never trust that they could roll back all the malicious actions. For the past 5 years, I've installed ESET on so many customers' PCs and none of them have had any infections so far. Of course you need common sense, else no AV is enough. Moreover, I always mandatorily install SWH on each and every home PC since it stops more than 75% of the common threat vectors. Moreover, ESET can be hardened with custom rules to offer increased protection.
 
That should help, albeit I might do a part 2 for ESET later where I will use self-created malware to get past HIPS, just for educational purposes. But so far this is all theory for you all. Let me back it up with evidence.
TBH your self-created malware has a very low probability of being detected by ESET since it has no BB. Are you using the IS or Premium? The IS does not have LiveGuard (for unknown executables) or Folder Protection (for ransomware). ESET should at least provide Folder Guard in their IS version.
 
I have tested both. Folder guard should be there in IS no doubt.
 
I forgot to check on this sooner, but I confirmed this morning that Avast now detects the installer through generic/heuristic detection instead of just reputation.

Reputation labeling precedes the generic because it relies on the concept "if I do not know what this is, then it will not pass"; more false positive detections, but safer.
 
A sample is required for testing :giggle:
 

emmm... I don't think Kaspersky will upload the whole file (193 MB is too big); maybe just some metadata like the full hash, fuzzy hash and so on. That's the reason why Opentip can't find the file.
The threat may employ techniques to evade detection within the Kaspersky Sandbox Environment. Therefore, when you upload the file to Opentip, it may not detect the critical behavior that was actually caught by System Watcher in your local environment.