Andy Ful


harlan4096

As I always say in these cases, probably a tweaked Application Control would not compromise the system... all those tools used to encrypt the system are legit (system LOLBins) hehe...


Andy Ful

As I always say in these cases, probably a tweaked Application Control would not compromise the system...
It would be interesting to test this on MH. If one does not use Trusted Application Mode (which can detect batch files), then many setups based on Application Control tweaks can be insufficient. Probably, one has to add cmd.exe and certutil.exe to the untrusted group. Adding cmd to the untrusted group can produce software incompatibilities. :unsure:
But, I may be wrong (I have not used KIS for some years).

harlan4096

Protected folders can also be implemented in Kaspersky products (Application Control -> Manage Resources), although it is not as easy as in WD or other products, where you just enable it and add apps... but the Kaspersky way is more customizable and you can assign rights for different operations over the files, folders, registry keys...

@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...

I think TAM is not necessary to also stop .bat files attacks -> System Watcher can do it also...

Andy Ful

...
@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...
...
Yes, this is the new version 4.0 - I have not found the analysis yet. But, the method is similar to ver. 3.3. Do you have any idea why the batch file from version 4.0 was not blocked by System Watcher?

harlan4096

Probably they used certutil.exe to download an encrypted malware, as explained in the link in my previous post... I don't know :unsure:

Also those additional LOLBins used by the malware are trusted in Application Control and KSN by default, so...

I see Symantec EndPoint also failed :unsure:

Andy Ful

The previous version used an oversized batch file (7.10 MB) which probably contained the malware. So, the crucial thing would be to block this batch file. The certutil.exe was used to encrypt files (via the "certutil -encode" command line) with legal certificates (*.der files).

Andy Ful

My first thought was that the big batch file contained base64-encoded malware which was next decoded by using the command line "certutil -decode", as in the example below:
BAT file based Ransomware targeting people in China – SonicWall
But, ver. 3.3 did not use such a command line; only "certutil -encode" was used. The video also suggests using only the "certutil -encode" command line.
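An added example, not from any poster in this thread, of the kind of command-line check a behaviour blocker or log rule could apply to the certutil usage discussed above: it flags "-encode" runs whose input is not a certificate-type file (the file-mangling pattern) and "-decode" runs whose output is an executable or script (the SonicWall-style payload staging). The event format, paths and file names are constructed for the demo.

```python
import ntpath
import re

# Constructed sample process-creation events (NOT from the thread):
# "<parent image> -> <command line>", the shape a Sysmon Event ID 1 feed
# might be flattened into before rule evaluation.
SAMPLE_EVENTS = [
    r"cmd.exe -> certutil -encode C:\Users\bob\Documents\report.docx C:\Users\bob\Documents\report.docx.der",
    r"cmd.exe -> certutil -decode C:\Temp\stage.txt C:\Temp\stage.exe",
    r"explorer.exe -> certutil -hashfile C:\Downloads\setup.exe SHA256",
    r"cmd.exe -> certutil -encode C:\ProgramData\pki\mycert.cer C:\ProgramData\pki\mycert.pem",
]

# File types certutil -encode/-decode legitimately handles (certificates, keys, requests).
CERT_EXTS = {".cer", ".crt", ".der", ".pem", ".p7b", ".pfx", ".p12", ".key", ".csr"}
# Output types that indicate -decode is being used to drop a runnable payload.
PAYLOAD_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1"}

def classify_certutil(event):
    """Return a finding dict for a suspicious certutil invocation, else None."""
    m = re.match(r"^(\S+)\s+->\s+(.+)$", event)
    if not m:
        return None
    parent, argv = m.group(1), m.group(2).split()
    if ntpath.basename(argv[0]).lower() not in ("certutil", "certutil.exe"):
        return None
    # certutil accepts verbs as -encode or /encode; normalise to the bare word.
    verbs = [(i, a.lstrip("-/").lower()) for i, a in enumerate(argv[1:], 1) if a[0] in "-/"]
    for i, verb in verbs:
        if verb not in ("encode", "decode") or len(argv) < i + 3:
            continue
        src_ext = ntpath.splitext(argv[i + 1])[1].lower()
        dst_ext = ntpath.splitext(argv[i + 2])[1].lower()
        if verb == "encode" and src_ext not in CERT_EXTS:
            # base64-encoding ordinary user files is the behaviour discussed in the thread
            return {"parent": parent, "verb": verb, "reason": "encode-non-cert-input", "file": argv[i + 1]}
        if verb == "decode" and dst_ext in PAYLOAD_EXTS:
            # decoding a blob straight into an executable is the payload-staging pattern
            return {"parent": parent, "verb": verb, "reason": "decode-to-executable", "file": argv[i + 2]}
    return None

def scan(events):
    """Run the classifier over a list of events and keep only the findings."""
    return [f for f in map(classify_certutil, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```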

MacDefender

It is really nothing but a batch file (built around certutil with an encode verb) with a vbs tweak for show.
Hah, I guess it's starting to gain a little popularity.... I picked 7z for my fake malware but that's my lack of creativity. Using certutil is kind of cute.

On Linux/macOS, it's really common these days that either python or the openssl command is used to achieve either de-obfuscation or outright cryptoransom.

This is going to be a new area of challenge for behavior blockers / dynamic protection to understand. Combined with the ability to obfuscate the scripts themselves, IMO this has to be handled by dynamic protection, not just some sort of static scanner or even a fancy signature scanner.... Looking forward to seeing what vendors come up with!

fabiobr

Protected folders can also be implemented in Kaspersky products (Application Control -> Manage Resources), although it is not as easy as in WD or other products, where you just enable it and add apps... but the Kaspersky way is more customizable and you can assign rights for different operations over the files, folders, registry keys...

@Andy Ful: that variant of your link is already detected by Kaspersky, but probably the video one is a variant still not detected or it was recorded when still not detected...

I think TAM is not necessary to also stop .bat files attacks -> System Watcher can do it also...
Are BitDefender protected folders/ATP enough?

Can someone test it?