How I got infected last time thread

[Zero Knowledge]

I don't know of an event I know was malware, but I did have an episode recently when I installed Windscribe. I have a 50 GB data account, but I had stopped using the account. Got an e-mail from Windscribe, so decided to try it again. Less than a week later someone hacked my main e-mail account. Windscribe was the only thing that had been changed on the system recently, so I changed the password for the e-mail and uninstalled Windscribe.

I don't think the legit Windscribe installer would do this, but if there is a RCE exploit in the client that may explain your incident. Who knows?

Another explanation is that someone is doing MiTM attacks on vpn client downloads , this I'm certain people are doing now, it's just such a juicy target .

 

[piquiteco]

@RoboMan I am sorry, for the bad experience you had, I will not judge if you made mistakes, because we are all human and we can make mistakes, I hope you managed to neutralize the malware and disinfect your machine. I at, least, even MT members, are sad when this happens as our friends, it's not nice to go through this at all. I wish good luck and a Merry Christmas and a Happy New Year to you and all your family.

 

[Andrezj]

lessons:

• advanced user with knowledge and experience can be infected
• relying upon a single security software is not sufficient
• when problem infection occurs, security software and resolution requires user with knowledge and experience
• average computer user would still be infected in this case

nothing new here

 

[ForgottenSeer 69673]

What would have happened if a whitelisting firewall was used allowing say only Edge.

 

[JoeN]

Next time as an advanced user, try to use an Sandboxie or other virtual environment

 

[Evjl's Rain]

Next time as an advanced user, try to use an Sandboxie or other virtual environment

or simply upload a file to virustotal. if kaspersky and eset report as unsafe, don't install it. if the file is too new, <1 week and kaspersky + eset report as safe, wait a few days and test again or put that file to sandboxie/VM if we can't wait

 

[danb]

I'm guessing VS wouldn't have stopped it, since your operating assumption was that the file was safe, you would have allowed it? Or would it have ?

VS would have blocked the file and displayed a prompt similar to this... (WLC would almost certainly have returned a Not Safe verdict, and VoodooAi would probably have returned a Suspicious or Unsafe verdict)

If he would have clicked the Allow False Positive button, this prompt would have then been displayed...

In all fairness, I do not think most users would override both of these prompts, especially if the prompt is red and telling the user to block the file . Users can also click on the Get Second Opinion link to display more verdicts.

Nothing is 100%, but prompts like these are what gives the user pause and a second or third chance of not becoming infected. These are just the default VS settings.. obviously you can set VS to not let the user allow anything new.

It would be interesting to see if he can find the file to analyze with WLC and VoodooAi .

 

[ScandinavianFish]

or simply upload a file to virustotal.

These files are over 700 mb's, which prevents the user from uploading files to sites like Virustotal or Hybrid Analysis, and even prevents AV's from uploading the file in question to the cloud, or even prevent them from performing static scanning as they can neither analyze nor create an signature for it due to its size.

Its most likely the most effective way to avoid detection, especially for malware, such as these info-stealers, that inject their payload into LOLbins like .NET framework's vbc exe or applaunch.exe.

 

[Shadowra]

RedLine Stealer is a malware that I regularly monitor.
It is already very popular with cyber-criminal groups (a bit like AgentTesla, VIDAR or Racoon) but it is also turnkey!

I had already seen fake videos on YTB coming from pirated channels broadcasting pirated software (it happened to a friend not long ago using Microsoft Defender) .
He had trouble recovering the machine and I had to help him clean it up.
In fact, RedLine installs itself by modifying a process in order to go unnoticed, hence the memory detection by Kaspersky.

Fortunately, Norton Firewall alerted us and nothing was stolen!

 

[zkSnark]

From what I have seen,
ESET detects 9/10 of these files by signature/heuristic and on some rare occasions by the local ML/Augur detection prior to execution. The others after execution.
Avast detects 7/10 by signatures prior to execution. Some after execution and saw it missing two last month but not recently. Maybe it has improved.
Norton 2/10 by signatures prior to execution. Sometimes detects payloads which stops the attack or via IPS via like yours with Redline stealer activity or backdoor activity in case of backdoor samples. So I think the data remains safe.
Microsoft Defender detects 0/10 by signatures prior to execution even a week later but after execution detects payloads and end up protecting the system 9/10 times.
Bitdefender and Kaspersky on average 0/10 by signatures prior to execution when the sample is new. Bitdefender detects all I tested pretty quickly after execution by behavior. Sometimes it doesn't delete the main sample file, sometimes it does.
Kaspersky detects by behavior at a slightly later stage but prior to any data getting stolen and always perform a perfect cleanup.
These malware are changed almost every day with new C2C servers to communicate. But the behavior remains similar mostly. Norton should have found something by now to detect the activity by their BB aka SONAR.

Another request to @Shadowra
Can you please test the malware, that @RoboMan got infected with, using above (mainly ESET, Avast, Avira and Kaspersky) and see if these AVs prompt/stop initially unlike Norton? Or they would also let it get installed and alert later only like Norton did?

 

[Shadowra]

Another request to @Shadowra
Can you please test the malware, that @RoboMan got infected with, using above (mainly ESET, Avast, Avira and Kaspersky) and see if these AVs prompt/stop initially unlike Norton? Or they would also let it get installed and alert later only like Norton did?

I would need the malware and especially to see if it is still fresh

 

[ItsReallyMe]

I would need the malware and especially to see if it is still fresh

If you ever do it, please try with WVSX too!

 

[zkSnark]

I would need the malware and especially to see if it is still fresh

@RoboMan Can you please help her for the AV test?

 

[Shadowra]

@RoboMan Can you please help her for the AV test?

I got it

It is a RedLine.
The file itself is 712MB, pumped up artificially.
Pumped is a software and artificial weighting of a malware to make it heavier (and destroy software like Trendmicro that blocks unknown files of ordinary weight)
Once launched, it is in memory and launches aspnet_compiler.exe (which crashes, but the malware is still running!) connecting to a server in Russia.... (I didn't see it for a long time though)

I have decompiled the malware and put the active load in an archive, I leave you with the VT... VirusTotal

A video is well planned against some antiviruses!

 

[zkSnark]

I got it

It is a RedLine.
The file itself is 712MB, pumped up artificially.
Pumped is a software and artificial weighting of a malware to make it heavier (and destroy software like Trendmicro that blocks unknown files of ordinary weight)
Once launched, it is in memory and launches aspnet_compiler.exe (which crashes, but the malware is still running!) connecting to a server in Russia.... (I didn't see it for a long time though)

I have decompiled the malware and put the active load in an archive, I leave you with the VT... VirusTotal

A video is well planned against some antiviruses!

Awaiting your test video

 

[Shadowra]

Another Fake FLStudio - RedLine

VirusTotal

VirusTotal

www.virustotal.com

 

[danb]

I would need the malware and especially to see if it is still fresh

Hey @Shadowra, I was curious what you thought about something. If I need a certain malware sample to be fresh, I will use a hex editor and change one insignificant bit, then voila, we have a fresh sample with a new hash. Do you ever do this as well, or have you ever found a downside in doing this?

 

[Shadowra]

Hey @Shadowra, I was curious what you thought about something. If I need a certain malware sample to be fresh, I will use a hex editor and change one insignificant bit, then voila, we have a fresh sample with a new hash. Do you ever do this as well, or have you ever found a downside in doing this?

I have a malware that has 3 hours, do you want it?

 

[danb]

I have a malware that has 3 hours, do you want it?

Sure, that would be great, thank you! Please send to support at voodooshield.com.

 

[Shadowra]

Sure, that would be great, thank you! Please send to support at voodooshield.com.

Send