Q&A How well are you protected against Emotet?

Nagisa

Level 6
Verified
Jul 19, 2018
288
In my case I was lazy to put more effort, so you have to execute the bat file. If I were to embed this in a document, you don’t have to do anything else, other than clicking “allow content”. It will automatically do everything else for you. There are many other possible ways to run this code on your machine.
Hmm, I see. Yet, from the limited knowledge I have, the block rule should block the execution of all suspicious applications (.bat, .ps, etc.) from vulnerable applications (office files, etc.), regardless of file rating. Unless there is an uncommon way to do this. Then, maybe a system-wide rule would be more protective. Though I still think simply blocking all unrecognized scripts would be enough to stop this attack chain. The same goes with cruel CFW settings. I would like to try it in the VM to see how it will perform against CFW.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
I don’t think System.Net.WebClient can be blocked either.
I could go even further. I could choose to download a malicious dll instead of executable and utilise rundll32.exe.
It will be blocked.
I used the command-line in the PowerShell console (32-bit):
Code:
$wbc= New-Object System.Net.WebClient;$wbc.DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe','d:\Users\Admin\Downloads\sumo_lite.exe')

Here is the entry from the FirewallHardening Log:
Event[0]:
Local Time: 2020/11/15 15:16:50
ProcessId: 8076
Application: C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Direction: Outbound
SourceAddress: xxxxxxxx
SourcePort: 63434
DestAddress: 213.186.33.69
DestPort: 443
Protocol: 6
FilterRTID: 81582
LayerName: %%14611
LayerRTID: 48

There are many ways to download something by using scripting. If PowerShell is going to use a service running under Svchost (TaskHost), then only blocking Svchost (TaskHost) connections will prevent downloading the payload.

Anyway, the System.Net.WebClient will be blocked by using PowerShell in Constrained Language Mode.
 
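To make the two points of the post above concrete, here is an added PowerShell example (not code from the thread or from FirewallHardening): it parses FirewallHardening-style log entries like the one quoted above and flags outbound connections made by script hosts such as powershell.exe, then reports whether the current session is in Constrained Language Mode and whether New-Object can still create System.Net.WebClient. The sample log text is constructed for the example: Event[0] mirrors the quoted entry with a documentation-range source address in place of the masked one, and Event[1] is a made-up browser connection that should not be flagged. The list of watched script hosts is this example's own choice.

```powershell
# Added example (not code from the thread): parse FirewallHardening-style log
# entries and flag outbound connections made by script hosts such as
# powershell.exe, then check whether this session would let a script create
# System.Net.WebClient at all.

# Constructed sample log. Event[0] mirrors the entry quoted in the thread with
# a documentation-range source address; Event[1] is a made-up browser
# connection that should not be flagged.
$SampleLog = @'
Event[0]:
Local Time: 2020/11/15 15:16:50
ProcessId: 8076
Application: C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Direction: Outbound
SourceAddress: 192.0.2.10
SourcePort: 63434
DestAddress: 213.186.33.69
DestPort: 443
Protocol: 6
FilterRTID: 81582
LayerName: %%14611
LayerRTID: 48

Event[1]:
Local Time: 2020/11/15 15:20:01
ProcessId: 4120
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Direction: Outbound
SourceAddress: 192.0.2.10
SourcePort: 63500
DestAddress: 198.51.100.7
DestPort: 443
Protocol: 6
FilterRTID: 81582
LayerName: %%14611
LayerRTID: 48
'@

# Script and LOLBin hosts whose outbound traffic is worth a second look.
# This list is an assumption made for the example, not a set from the thread.
$ScriptHosts = @('powershell.exe', 'pwsh.exe', 'powershell_ise.exe',
                 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe',
                 'rundll32.exe', 'regsvr32.exe', 'bitsadmin.exe')

function ConvertFrom-FirewallLog {
    # Turns the "Key: Value" blocks of the log into one object per event.
    param([Parameter(Mandatory)][string]$Text)
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        if ($block -notmatch 'Event\[\d+\]') { continue }
        $props = [ordered]@{}
        foreach ($line in ($block -split '\r?\n')) {
            # The first colon separates the key; paths keep their own colons.
            if ($line -match '^(?<key>[^:]+):\s*(?<value>.*)$') {
                $props[$Matches.key.Trim()] = $Matches.value.Trim()
            }
        }
        [pscustomobject]$props
    }
}

function Find-ScriptHostConnections {
    # Returns outbound events whose image name is one of the watched hosts.
    param([Parameter(Mandatory)][string]$Text,
          [string[]]$Hosts = $ScriptHosts)
    ConvertFrom-FirewallLog -Text $Text | Where-Object {
        $image = ($_.Application -split '[\\/]')[-1]
        $_.Direction -eq 'Outbound' -and ($Hosts -contains $image)
    } | Select-Object 'Local Time', ProcessId, Application, DestAddress, DestPort
}

function Test-WebClientCreation {
    # In ConstrainedLanguage mode New-Object refuses System.Net.WebClient, which
    # is the block described in the thread; in FullLanguage the object is created.
    try   { $null = New-Object System.Net.WebClient; 'allowed' }
    catch { "blocked ($($_.Exception.GetType().Name))" }
}

Find-ScriptHostConnections -Text $SampleLog | Format-Table -AutoSize
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode); " +
"New-Object System.Net.WebClient: $(Test-WebClientCreation)"
```

Only Event[0] is reported, because firefox.exe is not on the watched list. Run the last two lines in a console started with Constrained Language Mode enforced and the second line changes from "allowed" to "blocked", which is the behaviour the post relies on; the firewall log check is still useful because, as the post notes, a downloader can route the transfer through a service under Svchost rather than from powershell.exe itself.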

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
Recommended Defender settings from ConfigureDefender with recommended settings (I use some extended settings) from Hard_Configurator are enough? Ah, and of course with recommended settings from the included Firewall tool (without blocking lolbins).

It's at least SRP with scripts blocked.
This particular attack will be performed in the wild via weaponized Office document, so will be prevented by ASR rule "Block Office applications from creating child processes". The scenario used by @McMcbrad can be probably used in targeted attacks and can be probably prevented by adding to ConfigureDefender HIGH settings the rule "Block process creations originating from PSExec and WMI commands". In my tests with scripting loaders, many PowerShell downloaders in the wild could be blocked by the rule "Use advanced protection against ransomware" (but not all).
The EXE payload can be also blocked by the rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
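The four ASR rules named in the post above can be switched on and checked from PowerShell. The following is an added example, not code from the thread or from ConfigureDefender; it assumes an elevated session on a machine running Microsoft Defender Antivirus, and uses Microsoft's published GUIDs for these rules with the Add-MpPreference and Get-MpPreference cmdlets.

```powershell
# Added example (not code from the thread or from ConfigureDefender): turn on
# the four ASR rules discussed above with Add-MpPreference and read the result
# back with Get-MpPreference. Requires an elevated session on a machine running
# Microsoft Defender Antivirus. The GUIDs are Microsoft's published rule ids.
$AsrRules = [ordered]@{
    'Block Office applications from creating child processes'          = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block process creations originating from PSExec and WMI commands' = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Use advanced protection against ransomware'                       = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
    'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' = '01443614-CD74-433A-B99E-2ECDC07BFC25'
}

function Enable-AsrRules {
    # -AuditOnly records what the rules would have blocked without blocking it,
    # which is how to surface false positives (Office add-ins, WMI-based
    # management tooling) before switching the rules to Block.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Rules,
          [switch]$AuditOnly)
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($entry in $Rules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

function Get-AsrRuleStatus {
    # Get-MpPreference exposes rule ids and actions as two parallel arrays;
    # action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Rules)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($entry in $Rules.GetEnumerator()) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $entry.Value) { $state = $names[[int]$actions[$i]]; break }
        }
        [pscustomobject]@{ Rule = $entry.Key; Id = $entry.Value; State = $state }
    }
}

# Start in audit mode; rerun without -AuditOnly once the audit events look clean.
Enable-AsrRules -Rules $AsrRules -AuditOnly
Get-AsrRuleStatus -Rules $AsrRules | Format-Table -AutoSize -Wrap
```

Audit events land in the Microsoft-Windows-Windows Defender/Operational log, so a few days of audit mode shows which legitimate child processes of Office or WMI-driven tooling the rules would have stopped. If ConfigureDefender or Hard_Configurator manages these settings on the machine, change them through that tool rather than alongside it, so the two do not overwrite each other.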
 

McMcbrad

Level 20
Oct 16, 2020
967
This particular attack will be performed in the wild via weaponized Office document, so will be prevented by ASR rule "Block Office applications from creating child processes". The scenario used by @McMcbrad can be probably used in targeted attacks and can be probably prevented by adding to ConfigureDefender HIGH settings the rule "Block process creations originating from PSExec and WMI commands". In my tests with scripting loaders, many PowerShell downloaders in the wild could be blocked by the rule "Use advanced protection against ransomware" (but not all).
The EXE payload can be also blocked by the rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
I don't know what happened to my system, but now I am unable to download a file with PowerShell Bits, NetClient or anything that I try. My guess is Avast, when remediating the threat changed my WMI permissions. I can see the threat works on sandbox analyses, but on my system - no luck.

Start-BitsTransfer : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Start-BitsTransfer -Source [removed for safety] -De ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ) [Start-BitsTransfer], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand

Update: never mind, just needed to restart Windows :LOL: :geek:
I can confirm Hard_Configurator can block the attack payload.
Norton failed and the system was infected with AutoIT. Avast has been brilliant today and all layers reacted to the attack, minutes after IDP detected it. Kaspersky, Qihoo 360 and QuickHeal continue to detect samples statically before they are even executed. About 10-15 minutes after I uploaded it on VT, ESET joined the list of solutions detecting it (PowerShell/Kryptik.H) and Microsoft now detects Trojan:Win32/Powersploit!ml
 

Nagisa

Level 6
Verified
Jul 19, 2018
288
There are 4 containment rules I have set. I disabled all of them one by one.

1 - Block all unrecognized pseudo file downloaders: It got blocked immediately.
2 - Run all unrecognized applications which are newer than 5 days old under restricted settings: cmd and powershell terminated itself without doing anything noticeable.
3 - Run all unrecognized applications under partially limited settings: Same.
4 - Block pseudo file downloaders from getting executed by unrecognized applications: cmd.exe got blocked as it was executed by the bat script.

Is there something I missed?

 

TairikuOkami

Level 30
Verified
Content Creator
May 13, 2017
1,900
There are many ways to download something by using scripting. If PowerShell is going to use a service running under Svchost (TaskHost), then only blocking Svchost (TaskHost) connections will prevent downloading the payload.
I guess limiting svchost to the trusted IP ranges would help too; unfortunately MS is not very forthcoming when it comes to revealing its CDN servers. :cautious:
 

McMcbrad

Level 20
Oct 16, 2020
967
WD has detected this malware via post-execution behavior monitoring. So, the 0-victim will be infected but after a short time, others will be protected. Also, WD will try to kill and remove the malware from infected computers.
Yes, this is similar to Avast. IDP (behavioural blocker) found the AutoIt threat shortly after it managed to execute. It remediated it and reported both the URL and the file. Few minutes after, opening the URL produces a URL:Blacklist detection and downloading the sample produces FileRep Malware, or something of this sort. I'll test McAfee now.

Update:
McAfee LiveSafe fails to do anything. Upon executing the script, a you_are_about_to_get_infected.exe file appears on the desktop (as designed).
A simple check in Task Manager can confirm the threat is running.

 

McMcbrad

Level 20
Oct 16, 2020
967
@McMcbrad Could you test it with WiseVector StopX when you have time? I am curious to see how its AI deals with this kind of malware.


Static scan detects nothing. Upon execution, black CMD prompt appears with obfuscated code, ready to launch PowerShell with a hidden Window. The second CMD disappears, WiseVector pops up.

The attack chain is suspended. After installing the product, I haven't even checked for updates.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629

McMcbrad

Level 20
Oct 16, 2020
967
WiseVector StopX has a very aggressive engine, so it should detect this malware.

Edit.
Oops, @McMcbrad was quicker. :)
So in an upper post we see McAfee, another product getting 100% ratings on AV-Comparatives' last test, as well as a few consecutive AV-Test.org reports. It fails to detect both the script I've made and the AutoIT trojan. The final status of the system is infected, mining bitcoins.
 

McMcbrad

Level 20
Oct 16, 2020
967
I didn't make any configuration whatsoever. I tried it in W10 VM as well (without any security product installed) and nothing happened. Powerscript runs for a while and it terminates itself. Nothing happens.
Is the you_are_about_to_get_infected.exe file appearing on your desktop at all? See the McAfee case above.
 