Serious Discussion: Harmony Endpoint by Check Point

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
CIS automatically would have contained the stealer.
But it was not contained by the CIS.
The stealer was signed, together with all the files it drops and downloads. So no, it wouldn't have.
It has a signature, but it is invalid, so CIS should have contained it. However, the signature is Microsoft's, surely forged to remain undetected by AVs by posing as signed by Microsoft, and the certificate expired on 05/11/2023.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
It has a signature, but it is invalid, so CIS should have contained it. However, the signature is Microsoft's, surely forged to remain undetected by AVs by posing as signed by Microsoft, and the certificate expired on 05/11/2023.
I don't think Comodo performs any validity checks (I may be wrong). Microsoft does not provide the necessary APIs to do it; you would have to rely on internal lists. Hence, it was not contained by Comodo under the default setup.

No, there is no way to change the size limit in ZA and in many others.
 
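An added example, not posted by anyone in this thread, of the signature triage the two posts above argue about: it reads one file's Authenticode status with the built-in Get-AuthenticodeSignature cmdlet, checks whether the signing certificate is inside its validity window and whether the signature is timestamped, and refuses to treat a file as trusted on the strength of a "Microsoft" subject string alone. The file path is a placeholder.

```powershell
# Added example, not from any poster in this thread. Triage one file's
# Authenticode signature the way the posts above argue about: is a signature
# present, does it validate for the file's current bytes, and is the
# certificate still within its validity window. The path is a placeholder.
function Get-SignatureTriage {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Status values seen in practice:
    #   Valid        - trusted chain and the embedded hash matches the file
    #   HashMismatch - signature block present but it does not match the file
    #                  (the "has a signature but it is invalid" case above)
    #   NotSigned    - no Authenticode block at all
    #   NotTrusted / UnknownError - chain does not end in a trusted root
    $claimsMicrosoft = $cert -and ($cert.Subject -like '*Microsoft*')
    $timestamped     = [bool]$sig.TimeStamperCertificate
    $expired         = $cert -and ($cert.NotAfter -lt (Get-Date))

    # Decision: anything other than Valid is treated as an unknown file,
    # whatever the Subject string claims. An expired leaf certificate is only
    # acceptable when the signature carries a countersignature timestamp.
    $verdict = if ($sig.Status -ne 'Valid') {
        "UNKNOWN: $($sig.Status) - $($sig.StatusMessage)"
    } elseif ($expired -and -not $timestamped) {
        'UNKNOWN: certificate expired and signature is not timestamped'
    } else {
        'SIGNED: trusted chain, hash matches'
    }

    [pscustomobject]@{
        File            = $Path
        Status          = $sig.Status
        Subject         = if ($cert) { $cert.Subject } else { '<none>' }
        NotBefore       = if ($cert) { $cert.NotBefore } else { $null }
        NotAfter        = if ($cert) { $cert.NotAfter }  else { $null }
        Timestamped     = $timestamped
        ClaimsMicrosoft = [bool]$claimsMicrosoft
        Verdict         = $verdict
    }
}

# Placeholder path for a file under analysis.
Get-SignatureTriage -Path 'C:\Quarantine\sample.exe' | Format-List
```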

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Hence, it was not contained by Comodo under the default setup.
Comodo was not in the default settings; it was in the Proactive configuration with everything enabled. CIS was only able to block when HIPS was enabled; when I disabled it and ran the malware, CIS could not contain it in the sandbox. PS: CIS by default comes with HIPS disabled.
Off topic:
With default settings❓ (expected, I guess)
Proactive configuration active, still couldn't block the stealer malware.
 

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,170
Comodo was not in the default settings; it was in the Proactive configuration with everything enabled. CIS was only able to block when HIPS was enabled; when I disabled it and ran the malware, CIS could not contain it in the sandbox. PS: CIS by default comes with HIPS disabled.

Proactive configuration active, still couldn't block the stealer malware.
Was "Do not virtualize the following..." selected? If the file was in the Downloads folder, it would be ignored initially unless that box is unchecked.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Was "Do not virtualize the following..." selected? If the file was in the Downloads folder, it would be ignored initially unless that box is unchecked.
When I used Comodo I never checked this "Do not virtualize the following" box. I always do it from the CF/CIS GUI, and the same goes for trusting a file, never from the popup shown.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
It's ticked by default; I just wanted to check whether it was unticked or not when you ran the malware.
It was not unchecked when I ran the malware. I ran the malware from the Desktop. First I did a scan and found nothing, then I decided to run it, but with HIPS enabled, and it showed a red popup that the file was unknown, then I clicked Finish and Block. Then I ran it with HIPS disabled, trusting that CIS would put it in containment, and it didn't: the malware had its party, but when it tried to connect to C&C servers the connections were blocked, so the data was probably stolen but didn't leave the machine.
Was it signed by a reputable vendor? I didn't look at the sample.
No, a forged Microsoft signature to appear to be a legitimate Windows process, but the certificate expired on 11/05 and I have it here; it is still a packaged .exe.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
No, a forged Microsoft signature to appear to be a legitimate Windows process, but the certificate expired on 11/05 and I have it here; it is still a packaged .exe.
The majority of the content inside is just filler to increase the size, done in a way that won't raise suspicion under static analysis, which suggests that AVs like Norton, Defender or Kaspersky were the target for evasion. Cursed.exe is the actual stealer, which is configured with a very high refresh rate (amateur attacker, maybe) and has very high CPU usage. Upon execution, I noticed that high network activity occurred, which means it is not a stealer but a full-fledged RAT, and the attackers were looking at my screen and browsing the folders. I would normally say hi in Notepad in this case, and most amateur attackers would sometimes even reply, but I was lazy this time.

@piquiteco BD uses cloud and everyone else does as well. There is nobody not using it.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
The majority of the content inside is just filler to increase the size, done in a way that won't raise suspicion under static analysis, which suggests that AVs like Norton, Defender or Kaspersky were the target for evasion. Cursed.exe is the actual stealer, which is configured with a very high refresh rate (amateur attacker, maybe) and has very high CPU usage.
@piquiteco BD uses cloud and everyone else does as well. There is nobody not using it.
So it does steal after all, lol: passwords saved in the browser, empties cryptocurrency wallets? I look like an idiot: I get an atomic bomb, "what is this button for? let me press it and see what happens", and there go me and my city and my country into space. Kidding aside, this business should never have been created.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
@Trident Probably this elevate.exe file elevates privileges in an SUA account? Or bypasses UAC?
I am not sure, as I didn't analyse it that deeply; it wasn't a very interesting sample. But normally RAT builders already include all the necessary bypasses, including a UAC bypass. If you ask me, they just copied a bunch of random files.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
When scanning with Norton Power Eraser it was detected as High risk, untrusted reputation (see the screenshots), so it is good to have a second-opinion scanner. It's cloud, yes; all AVs use the cloud. @Trident was correct in his statements; I was the one who didn't know how to express it.
I'm not pulling @Trident's leg, but Norton seems to be really good, so guys, keep NPE saved in your arsenal; one day you might need it. ;)
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Cursed.exe is the actual stealer, which is configured with a very high refresh rate (amateur attacker, maybe) and has very high CPU usage. Upon execution, I noticed that high network activity occurred, which means it is not a stealer but a full-fledged RAT, and the attackers were looking at my screen and browsing the folders. I would normally say hi in Notepad in this case, and most amateur attackers would sometimes even reply, but I was lazy this time.
Wow, my God, I had not even read carefully what you posted. Is it like VNC, TeamViewer, Windows RDP? If I had run it on a real machine without any scruples, would they have had control of my computer? Probably if it happened to me I would pull the network cable on the spot and fly the router and modem everywhere lol
 
