How I got infected last time thread

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
865
I don't know of an event I know was malware, but I did have an episode recently when I installed Windscribe. I have a 50 GB data account, but I had stopped using the account. Got an e-mail from Windscribe, so decided to try it again. Less than a week later someone hacked my main e-mail account. Windscribe was the only thing that had been changed on the system recently, so I changed the password for the e-mail and uninstalled Windscribe.

I don't think the legit Windscribe installer would do this, but if there is an RCE exploit in the client, that may explain your incident. Who knows?

Another explanation is that someone is doing MITM attacks on VPN client downloads 🤔; this I'm certain people are doing now, it's just such a juicy target :cool:.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
@RoboMan I am sorry for the bad experience you had. I will not judge if you made mistakes, because we are all human and we can make mistakes. I hope you managed to neutralize the malware and disinfect your machine. I, at least, and even MT members, are sad when this happens to our friends; it's not nice to go through this at all. I wish good luck and a Merry Christmas and a Happy New Year to you and all your family. (y)
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
lessons:
  • advanced user with knowledge and experience can be infected
  • relying upon a single security software is not sufficient
  • when an infection problem occurs, the security software and the resolution require a user with knowledge and experience
  • average computer user would still be infected in this case
nothing new here
 

ForgottenSeer 69673

What would have happened if a whitelisting firewall was used, allowing, say, only Edge?
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Next time, as an advanced user, try to use Sandboxie or another virtual environment (y)
or simply upload the file to VirusTotal. If Kaspersky and ESET report it as unsafe, don't install it. If the file is too new, <1 week, and Kaspersky + ESET report it as safe, wait a few days and test again, or put that file in Sandboxie/a VM if you can't wait.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
I'm guessing VS wouldn't have stopped it, since your operating assumption was that the file was safe, you would have allowed it? Or would it have?
VS would have blocked the file and displayed a prompt similar to this... (WLC would almost certainly have returned a Not Safe verdict, and VoodooAi would probably have returned a Suspicious or Unsafe verdict)

Alert1.PNG


If he would have clicked the Allow False Positive button, this prompt would have then been displayed...

Alert2.PNG


In all fairness, I do not think most users would override both of these prompts, especially if the prompt is red and telling the user to block the file ;). Users can also click on the Get Second Opinion link to display more verdicts.

Nothing is 100%, but prompts like these are what gives the user pause and a second or third chance of not becoming infected. These are just the default VS settings. Obviously you can set VS to not let the user allow anything new.

It would be interesting to see if he can find the file to analyze with WLC and VoodooAi ;).
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
or simply upload a file to virustotal.
These files are over 700 MB, which prevents the user from uploading files to sites like VirusTotal or Hybrid Analysis, and even prevents AVs from uploading the file in question to the cloud, or even prevents them from performing static scanning, as they can neither analyze nor create a signature for it due to its size.

It's most likely the most effective way to avoid detection, especially for malware, such as these info-stealers, that inject their payload into LOLBins like the .NET Framework's vbc.exe or applaunch.exe.
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,617
RedLine Stealer is a malware that I regularly monitor.
It is already very popular with cyber-criminal groups (a bit like AgentTesla, VIDAR or Raccoon), but it is also turnkey!

I had already seen fake videos on YouTube coming from pirated channels broadcasting pirated software (it happened to a friend not long ago using Microsoft Defender).
He had trouble recovering the machine and I had to help him clean it up.
In fact, RedLine installs itself by modifying a process in order to go unnoticed, hence the memory detection by Kaspersky.

Fortunately, Norton Firewall alerted us and nothing was stolen! :)
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
207
From what I have seen,
ESET detects 9/10 of these files by signature/heuristic and on some rare occasions by the local ML/Augur detection prior to execution. The others after execution.
Avast detects 7/10 by signatures prior to execution. Some after execution and saw it missing two last month but not recently. Maybe it has improved.
Norton 2/10 by signatures prior to execution. Sometimes it detects payloads, which stops the attack, or via IPS, like in your case, with Redline stealer activity or backdoor activity in the case of backdoor samples. So I think the data remains safe.
Microsoft Defender detects 0/10 by signatures prior to execution, even a week later, but after execution it detects payloads and ends up protecting the system 9/10 times.
Bitdefender and Kaspersky on average 0/10 by signatures prior to execution when the sample is new. Bitdefender detects all I tested pretty quickly after execution by behavior. Sometimes it doesn't delete the main sample file, sometimes it does.
Kaspersky detects by behavior at a slightly later stage but prior to any data getting stolen and always performs a perfect cleanup.
These malware samples are changed almost every day with new C2C servers to communicate with. But the behavior remains mostly similar. Norton should have found something by now to detect the activity by their BB aka SONAR.
Another request to @Shadowra :)
Can you please test the malware that @RoboMan got infected with, using the above (mainly ESET, Avast, Avira and Kaspersky), and see if these AVs prompt/stop initially, unlike Norton? Or would they also let it get installed and alert later only, like Norton did?
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,617
Another request to @Shadowra :)
Can you please test the malware that @RoboMan got infected with, using the above (mainly ESET, Avast, Avira and Kaspersky), and see if these AVs prompt/stop initially, unlike Norton? Or would they also let it get installed and alert later only, like Norton did?

I would need the malware and especially to see if it is still fresh
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,617
@RoboMan Can you please help her for the AV test?

I got it :)

It is a RedLine.
The file itself is 712 MB, pumped up artificially.
Pumping is the artificial weighting of a malware file with software to make it heavier (and to break software like Trend Micro that blocks unknown files of ordinary weight).
Once launched, it is in memory and launches aspnet_compiler.exe (which crashes, but the malware is still running!), connecting to a server in Russia... (I didn't see it for a long time though)

I have decompiled the malware and put the payload in an archive; I leave you with the VT... VirusTotal

A video is indeed planned against some antiviruses!
 
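Shadowra's note that the sample was pumped to 712 MB, and ScandinavianFish's point above that files over 700 MB cannot be uploaded to VirusTotal or scanned in the cloud, suggest a cheap local triage check before a file is ever run. The block below is an added example, not code from this thread or from any product mentioned in it: it measures the PE overlay (bytes after the last section) and the entropy of the file's tail, since padding is usually long runs of a constant byte. The 200 MB size threshold, the 1 MiB tail window and the entropy cut-off are assumptions, and the minimal PE skeleton is constructed for the demo.

```python
import math
import struct
from collections import Counter

def pe_overlay_size(data: bytes):
    """Bytes appended after the last section's raw data, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + opt_size              # section table follows the optional header
    end = table + 40 * num_sections
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)

def shannon_entropy(chunk: bytes) -> float:
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values()) if n else 0.0

def assess_pumping(data: bytes, min_size=200 * 1024 * 1024, tail=1 << 20) -> dict:
    """Heuristic (assumed thresholds): a very large file whose last MiB is near-constant."""
    overlay = pe_overlay_size(data)
    ent = shannon_entropy(data[-tail:])       # tail also catches an inflated last section
    return {
        "size": len(data),
        "overlay_ratio": round(overlay / len(data), 3) if overlay is not None else None,
        "tail_entropy": round(ent, 3),
        "likely_pumped": len(data) >= min_size and ent < 1.0,
    }

def build_fake_pe(section: bytes) -> bytes:
    """Constructed minimal PE32 skeleton (headers only, not runnable) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000,
                       len(section), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + sect
    return hdr + b"\0" * (0x200 - len(hdr)) + section

CLEAN = build_fake_pe(b"\xCC" * 0x200)             # constructed, 1 KiB
PUMPED = CLEAN + b"\0" * (2 * 1024 * 1024)         # same file plus 2 MiB of zero padding

if __name__ == "__main__":
    for name, blob in ("clean", CLEAN), ("pumped", PUMPED):
        print(name, assess_pumping(blob, min_size=1 << 20))
```

A legitimately large installer has a compressed, high-entropy tail, so a near-zero tail entropy on a multi-hundred-megabyte unknown executable is worth a second look even when no scanner will accept the file.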

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
207
I got it :)

It is a RedLine.
The file itself is 712 MB, pumped up artificially.
Pumping is the artificial weighting of a malware file with software to make it heavier (and to break software like Trend Micro that blocks unknown files of ordinary weight).
Once launched, it is in memory and launches aspnet_compiler.exe (which crashes, but the malware is still running!), connecting to a server in Russia... (I didn't see it for a long time though)

I have decompiled the malware and put the payload in an archive; I leave you with the VT... VirusTotal

A video is indeed planned against some antiviruses!
Awaiting your test video :D
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
I would need the malware and especially to see if it is still fresh
Hey @Shadowra, I was curious what you thought about something. If I need a certain malware sample to be fresh, I will use a hex editor and change one insignificant bit, then voila, we have a fresh sample with a new hash. Do you ever do this as well, or have you ever found a downside in doing this?
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,617
Hey @Shadowra, I was curious what you thought about something. If I need a certain malware sample to be fresh, I will use a hex editor and change one insignificant bit, then voila, we have a fresh sample with a new hash. Do you ever do this as well, or have you ever found a downside in doing this?

I have a malware sample that is 3 hours old, do you want it?
 
