Malware campaign attempts abuse of defender binaries | Sophos News

Kongo (thread author)
We are investigating a ransomware campaign that abuses legitimate Sophos executables and DLLs by modifying their original content, overwriting the entry-point code, and inserting the decrypted payload as a resource – in other words, impersonating legitimate files to attempt to sneak onto systems. A preliminary check indicates that all the affected Sophos files were part of the 2022.4.3 version of our Windows Endpoint product.


To be sure, this kind of malicious behavior is (unfortunately) nothing new for the infosecurity industry – indeed, for any software developer. Over the years we’ve seen other infostealers impersonating installers; we’ve seen grab-bag collections of fake utilities, including off-brand antimalware relabeled as legitimate Sophos protections; we’ve seen criminals attack closed-source and open-source code with equal fervor. Later in this post we’ll discuss precisely what attackers think to gain from this – and how defenders can respond.


The eventual payloads we have seen in our investigation vary – Cobalt Strike, Brute Ratel, Qakbot, Latrodectus, and others. Evidence exists of use by more than one criminal group, but further inquiry into attribution, or into the compromised signature or fake installer mentioned above, is beyond the scope of this post.


That said, it’s always interesting when something like this turns up. In this article we’ll walk through one such discovery and what we found when we dug into it.

Article: Malware campaign attempts abuse of defender binaries
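The article excerpt above describes binaries whose entry-point code was overwritten and whose payload was stored as an (encrypted) resource. As an added example that is not part of the Sophos article or of this thread, the script below shows two cheap triage signals a defender can compute offline with only the Python standard library: whether AddressOfEntryPoint lands inside a section marked executable, and whether the .rsrc section carries near-random data, which is what an encrypted payload looks like. The entropy threshold, the synthetic PE images and the section layout are assumptions made for illustration; the authoritative check for a tampered signed binary remains Authenticode signature verification against the vendor's certificate.

```python
"""Offline PE triage heuristics (added example, not code from the Sophos
article or the forum thread).  All sample PE images below are constructed
in-memory and are not real binaries."""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which a blob looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    first_sec = opt + size_opt
    for i in range(num_sections):
        off = first_sec + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw": pe[rawptr:rawptr + rawsize], "chars": chars})
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Flag an image whose entry point is not in executable code or whose
    resource section looks encrypted.  Heuristics only, not proof of tampering."""
    entry_rva, sections = parse_sections(pe)
    findings = {"entry_in_exec_section": False, "high_entropy_rsrc": False, "rsrc_entropy": 0.0}
    for s in sections:
        span = max(s["vsize"], len(s["raw"]))
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            findings["entry_in_exec_section"] = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if s["name"] == ".rsrc":
            e = shannon_entropy(s["raw"])
            findings["rsrc_entropy"] = round(e, 2)
            findings["high_entropy_rsrc"] = e > ENTROPY_THRESHOLD
    findings["suspicious"] = (not findings["entry_in_exec_section"]) or findings["high_entropy_rsrc"]
    return findings


def build_sample_pe(entry_rva: int, rsrc_payload: bytes) -> bytes:
    """Constructed minimal PE32+ image with a .text and a .rsrc section, used
    only so the checks above can run offline (assumption: not a real file)."""
    sections = [
        (b".text", 0x1000, b"\xC3" * 0x200, IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x20),
        (b".rsrc", 0x2000, rsrc_payload, 0x40000000 | 0x40),
    ]
    hdr_size = 0x40 + 4 + 20 + 240 + 40 * len(sections)
    raw_off = (hdr_size + 0x1FF) & ~0x1FF          # align raw data to 512 bytes
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x200, 0, 0, entry_rva).ljust(240, b"\0")
    headers, body = b"", b""
    for name, vaddr, raw, chars in sections:
        ptr = raw_off + len(body)
        headers += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(raw), vaddr,
                                                        len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
    image = dos + b"PE\0\0" + coff + opt + headers
    return image.ljust(raw_off, b"\0") + body


# Constructed samples: a plain-text manifest resource versus a pseudo-random
# 4 KiB blob standing in for an encrypted payload, with the entry point moved
# into the non-executable resource section.
LOW_ENTROPY_RSRC = b"MANIFEST" * 16 + b"\0" * 64
HIGH_ENTROPY_RSRC = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CLEAN_PE = build_sample_pe(0x1000, LOW_ENTROPY_RSRC)
TAMPERED_PE = build_sample_pe(0x2000, HIGH_ENTROPY_RSRC)

if __name__ == "__main__":
    print("clean:   ", triage(CLEAN_PE))
    print("tampered:", triage(TAMPERED_PE))
```

Both signals are noisy on their own: legitimate installers often embed compressed resources, and some packers place the entry point outside .text. Treat a hit as a reason to pull the file for signature verification and hash comparison against the vendor's release, not as a verdict.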
 

Andy Ful
The title of the article can be misunderstood. The content is about abusing Sophos binaries. It is also mentioned in the article that some other AVs can be abused in a similar way, including AVG, BitDefender, Emsisoft, and Microsoft.
 

Pat MacKnife
There are a lot of articles lately about Defender, also this one:
It's in my native language, Dutch, but with English translation it should be possible to read.
Researchers have determined that Windows Defender, which is installed by default on every Windows computer, instead of providing protection, can actually cause damage due to a serious vulnerability. This security program can be tricked into no longer detecting threats…
 

Andy Ful
There are a lot of articles lately about Defender, also this one:
It's in my native language, Dutch, but with English translation it should be possible to read.
Researchers have determined that Windows Defender, which is installed by default on every Windows computer, instead of providing protection, can actually cause damage due to a serious vulnerability. This security program can be tricked into no longer detecting threats…

That is normal. MD is the most popular AV.

"We chose to focus on Defender not because it's Microsoft, but because it's widely spread much more than Kaspersky,"

The problem in that article can affect also other AVs:

Defender and Kaspersky are not the only ones having difficulty with EDR as an offensive tool. Earlier on Friday, a very busy Cohen gave another presentation that focused on Palo Alto Networks Cortex XDR.

 

Andy Ful
The problem with all AVs is that all of them increase the attack area and all can be abused. Of course, in most scenarios, there is a significant advantage when using AVs. :)
 
