Hard_Configurator - February 2019 Report

Status
Not open for further replies.

AlanOstaszewski

  1. Containment: VirtualBox 5.1.38
  2. Windows: 10 LTSB
  3. VPN: CyberGhost
  4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
  5. Office: LibreOffice (standard settings)
Disclaimer: Experimental setup for testing effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with above-average knowledge of Windows' built-in security features.
February 2019                              | Amount of samples | Samples that have harmed the system / changed system configuration | Files aren't touched/encrypted
-------------------------------------------|-------------------|---------------------------------------------------------------------|-------------------------------
Mixed Threats #13 (01/02/2019)             | 13                | 0                                                                   | yes
#CDC Ransomware (almost FUD) - 02/02/2019  | 1                 | 0                                                                   | yes
#Exploit (03/02/2019)                      | 1                 | 0                                                                   | yes
4/02/2019 #18                              | 18                | 0                                                                   | yes
AZORult (5/02/2019)                        | 1                 | 0                                                                   | yes
#Buhtrap Ransomware (signed) - 07/02/2019  | 1                 | 1                                                                   | no
8/02/2019 #15                              | 15                | 0                                                                   | yes
#FCrypt Ransomware                         | 1                 | 0                                                                   | yes
AgentTesla (11/02/2019)                    | 1                 | 0                                                                   | yes
12/02/2019 #23                             | 23                | 0                                                                   | yes
Malware Big Pack #24 (13/02/2019)          | 24                | 0                                                                   | yes
Remcos RAT (14/02/2019)                    | 1                 | 0                                                                   | yes
Malware x4 (16/02/2019)                    | 4                 | 0                                                                   | yes
18/02/2019 #17                             | 17                | 0                                                                   | yes
Rietspoof Malware                          | 1                 | 0                                                                   | yes
#LockerGoga Ransomware (signed)            | 1                 | 0                                                                   | yes

Hard_Configurator by @Andy Ful
 

Attachments: vm_test1.png, vm_test2.png, vm_test3.png, vm_test4.png

Andy Ful

The ransomware from MH https://malwaretips.com/threads/buhtrap-ransomware-signed-07-02-2019.90379/ is signed, so it will be a challenge for SmartScreen Application Reputation. The malware should be mitigated by SRP, even if it would bypass SmartScreen, because it uses Windows Script Host (CScript).

Edit
I had to edit my post, because of my evident error - SRP (in H_C recommended settings) is set to allow the processes with Admin rights, and the tested malware was run with Admin rights. :(
It could be mitigated if the option <Disable Win. Script Host> was set to ON. Maybe I should add it to recommended settings alongside SRP script mitigations?
 

Andy Ful

I have just seen the [S]@askalan video, and it seems that the trojan part of the malware was mitigated by H_C, because the CScript payload was blocked and remote features were disabled. But, the ransomware part (no elevation) was successful.[/S]
That malware is an example of what I wrote in the January report. In some cases, the signed malware can bypass the SmartScreen even some days after being detected by many AVs. So, it is good to also have a real-time AV alongside H_C.
Anyway, this malware will be delivered in the wild mostly via malicious spam attachments (scripts, documents), and this will be prevented by H_C settings.

Post edited - the malware was not mitigated by H_C, because it was allowed to run with Admin rights via "Run As SmartScreen".
 

Andy Ful

Would it have made any difference if the test had been done with tighter (enhanced) settings instead of default ones?
Yes, but not for preventing encryption in this case - it is done by the main executable which was allowed to run. Yet, this malware can also use cmd.exe to run some sponsors: attrib.exe, bcdedit.exe, cscript.exe (already blocked), chcp.exe, net.exe ('net view' command blocked), reg.exe, vssadmin.exe, wbadmin.exe, wmic.exe.
https://www.hybrid-analysis.com/sam...7d239d5a45faf3e0cdf6b0ebd20?environmentId=100

Most of the above sponsors will require admin rights, SMB1, etc. to do something important - accessing Admin rights is hard with H_C settings and SMB1 is blocked. But, even without Admin rights the sponsor reg.exe can change the Registry keys in the HKCU Hive and wmic.exe can be used for gathering information about the system, so they are blocked in H_C enhanced settings.


I am sorry, I must have been very sleepy to overlook that the malware was run with Admin rights, so it could not be mitigated by SRP and H_C recommended or enhanced settings.
That is the con of usability of "Run As SmartScreen" which is intended to bypass SRP.
The only H_C setting that could mitigate this malware is <Disable Win. Script Host> set to ON.
 

Andy Ful

I had to edit my previous posts. I forgot that in the recommended settings the option <Disable Win. Script Host> is set to OFF. That means that Windows Script Host is protected only by SRP, and will be bypassed by design, when the malware is run with Admin rights. That is the case of the malware run via "Run As SmartScreen", if the SmartScreen failed to stop it.
The malware could probably be mitigated if <Disable Win. Script Host> was set to ON.
@askalan, could you please test it also with this setting ON, to see the difference?
 

imuade

Yes, but not for preventing encryption in this case - it is done by the main executable which was allowed to run. Yet, this malware can also use cmd.exe to run some sponsors: attrib.exe, bcdedit.exe, cscript.exe (already blocked), chcp.exe, net.exe ('net view' command blocked), reg.exe, vssadmin.exe, wbadmin.exe, wmic.exe.
https://www.hybrid-analysis.com/sam...7d239d5a45faf3e0cdf6b0ebd20?environmentId=100


Most of the above sponsors will require admin rights, SMB1, etc. to do something important - accessing Admin rights is hard with H_C settings and SMB1 is blocked. But, even without Admin rights the sponsor reg.exe can change the Registry keys in the HKCU Hive and wmic.exe can be used for gathering information about the system, so they are blocked in H_C enhanced settings.

I am sorry, I must have been very sleepy to overlook that the malware was run with Admin rights, so it could not be mitigated by SRP and H_C recommended or enhanced settings.
That is the con of usability of "Run As SmartScreen" which is intended to bypass SRP.
The only H_C setting that could mitigate this malware is <Disable Win. Script Host> set to ON.
Ah, OK, so I was correct to set <Disable Win. Script Host> to ON :emoji_v:
 

Andy Ful

Ah, OK, so I was correct to set <Disable Win. Script Host> to ON :emoji_v:
Please, look after some time into the log of blocked events, for event Id = 1000 with Provider = Windows Script Host. This event means that a Windows Script Host script was blocked with Admin rights. There are some administrative & troubleshooting scripts in the Windows folder which will be blocked by this setting, but they are not important in a healthy system.

In the first versions of H_C, <Disable Win. Script Host> was set to ON by default, but now it is set to OFF. When set to ON, it could mitigate some malware which bypassed SmartScreen. But anyway, such mitigation will usually be insufficient because the malware is already running with Admin rights. Furthermore, such an event will be very improbable in the home user environment, because the infection chain in the wild will not start from an EXE file (like in the test), but from a weaponized document or script started without admin rights. Such files will be blocked by recommended H_C settings and cannot bypass SmartScreen (automatically blocked when "Run As SmartScreen").
A different scenario is probable only when the user is going to download cracks and pirated software.
But setting <Disable Win. Script Host> = ON will not hurt - the user only has to remember that scripts are blocked by two independent settings and that blocked events cannot be whitelisted.
 
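As an added defender's check (example code written for this page, not Hard_Configurator's own code and not from the thread), the script below reads the SRP scope that lets elevated processes bypass SRP by design, reads the Windows Script Host "Enabled" value that the <Disable Win. Script Host> option is assumed to toggle, and lists the Event ID 1000 / Windows Script Host entries Andy Ful points to. It assumes the standard Windows registry locations for SRP and WSH and that those blocked-script events land in the Application log.

```powershell
# Added example: audit the two independent script controls discussed in the thread
# and list recent blocked Windows Script Host events. Assumptions (not from the thread):
# standard SRP/WSH registry paths; Event ID 1000 events are in the Application log.

$days = 7   # how far back to search for blocked Windows Script Host events

# 1. Software Restriction Policies. DefaultLevel 0 = Disallowed (default-deny),
#    0x40000 = Unrestricted. PolicyScope 1 = "all users except local administrators",
#    the by-design Admin bypass described in the thread; 0 = applies to everyone.
$srp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -ErrorAction SilentlyContinue
if ($null -eq $srp) {
    Write-Output 'SRP: no policy configured'
} else {
    $level = switch ($srp.DefaultLevel) {
        0       { 'Disallowed' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "unknown ($($srp.DefaultLevel))" }
    }
    $scope = if ($srp.PolicyScope -eq 1) { 'all users EXCEPT local administrators (elevated processes bypass SRP)' } else { 'all users' }
    Write-Output "SRP: default level = $level; applies to: $scope"
}

# 2. Windows Script Host. Enabled = 0 under HKLM (or HKCU) disables wscript/cscript
#    regardless of the caller's rights; assumed to be what <Disable Win. Script Host> = ON sets.
foreach ($hive in 'HKLM', 'HKCU') {
    $wsh = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name Enabled -ErrorAction SilentlyContinue
    $state = if ($null -ne $wsh -and $wsh.Enabled -eq 0) { 'DISABLED' } else { 'enabled' }
    Write-Output "Windows Script Host ($hive): $state"
}

# 3. Blocked-script evidence: Event ID 1000 from provider "Windows Script Host".
#    Get-WinEvent reports an error when nothing matches, so that case is handled explicitly.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Windows Script Host'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Windows Script Host block events (Id 1000) in the last $days days."
} else {
    Write-Output "Windows Script Host block events (Id 1000) in the last $days days: $($events.Count)"
    $events | Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell so the HKLM policy keys and the Application log are readable; a system with both SRP scope 1 and WSH enabled has only SmartScreen standing between an elevated script and execution, which is the gap the thread describes.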

AlanOstaszewski

In my future tests you will find the screenshots of the al-khaser test.
LordNoteworthy/al-khaser

This program is supposed to determine if a virtual machine solution is hidden enough. I hope that the other testers will also publish the screenshots of this test in the future. It is very important to know how well the virtual machine has been configured.

(For information: if you want to run this test on your own VM it usually takes an hour. So don't be confused and let the test take its time.)

Video - Why a good VM configuration is important
 

Moonhorse

So, it is good to have also a real-time AV alongside H_C.
Would Windows Defender, enabled on high settings, have stopped it if the signatures detect it? WD has behaviour monitoring, but is that as effective as a behaviour blocker?

Is there anything that would make WD + H_C stronger, something like AppCheck or RansomOff? Anything to add to that combo? I know that I would probably be alright running WD alone, but is there anything that can still harden that setup? Custom settings of H_C? If the malware weren't signed by Comodo TVL, wouldn't something like Comodo Firewall be alright to add into that WD + H_C combo?
 

oldschool

… … Is there anything that would make WD + H_C stronger, something like AppCheck or RansomOff? Anything to add to that combo? I know that I would probably be alright running WD alone, but is there anything that can still harden that setup? Custom settings of H_C? If the malware weren't signed by Comodo TVL, wouldn't something like Comodo Firewall be alright to add into that WD + H_C combo?

More is not the answer. You are already secure. :D
 

Andy Ful

WD and any other AV can sometimes detect such malware, and sometimes not. This sample was initially detected by 5 AVs (Avast, AVG, DrWeb, Eset, VB32). In other cases, it could be detected by Microsoft, Kaspersky, Avira, and BitDefender. Defender High settings can detect much more than WD on defaults.

One could strengthen the setup in many ways, but that would be unreasonable. Let's look at the below scenario:
  1. I have a very strong setup, which is also pretty usable, but not so easy anyway.
  2. It can be even stronger by blocking many sponsors, adding the sandbox application or anti-ransomware protection, using Application Guard to block sponsors as administrator, blocking the Internet connection to vulnerable applications in the firewall, adding HIPS and Exploit Protection, etc.
  3. Wow, I have extremely strong protection.
  4. But, wait. Why is my system so unusable, and why do I not understand what disturbs the functionality of my applications?
  5. I give up. The default-deny protection sucks. I'd rather go back to AV only.
  6. Wow, I have such a usable setup now. But, wait. Why can't it detect everything on Malware Hub?
  7. I can make it stronger by adding .... (and so on).
I would rather recommend thinking through this fact:
If default-deny protection is not simple, then it is unusable for most users, including the reader of this post.
:giggle:(y):emoji_pray:
 

shmu26

  1. It can be even stronger by blocking many sponsors, adding the sandbox application or anti-ransomware protection, using Application Guard to block sponsors as administrator, blocking the Internet connection to vulnerable applications in the firewall, adding HIPS and Exploit Protection, etc.
  2. Wow, I have extremely strong protection.
  3. But, wait. Why is my system so unusable, and why do I not understand what disturbs the functionality of my applications?
Very funny, and very true. Such a setup is good for people who enjoy and make a hobby out of creating a paranoid security setup.
 