Malware News Malware campaign attempts abuse of defender binaries | Sophos News

Kongo

Level 36
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,532
We are investigating a ransomware campaign that abuses legitimate Sophos executables and DLLs by modifying their original content, overwriting the entry-point code, and inserting the decrypted payload as a resource – in other words, impersonating legitimate files to attempt to sneak onto systems. A preliminary check indicates that all the affected Sophos files were part of the 2022.4.3 version of our Windows Endpoint product.


To be sure, this kind of malicious behavior is (unfortunately) nothing new for the infosecurity industry – indeed, for any software developer. Over the years we’ve seen other infostealers impersonating installers; we’ve seen grab-bag collections of fake utilities, including off-brand antimalware relabeled as legitimate Sophos protections; we’ve seen criminals attack closed-source and open-source code with equal fervor. Later in this post we’ll discuss precisely what attackers think to gain from this – and how defenders can respond.


The eventual payloads we have seen in our investigation vary – Cobalt Strike, Brute Ratel, Qakbot, Latrodectus, and others. Evidence exists of use by more than one criminal group, but further inquiry into attribution, or into the compromised signature or fake installer mentioned above, is beyond the scope of this post.


That said, it’s always interesting when something like this turns up. In this article we’ll walk through one such discovery and what we found when we dug into it.

Article: Malware campaign attempts abuse of defender binaries
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,224
The title of the article can be misunderstood. The content is about abusing Sophos binaries. It is also mentioned in the article, that some other AVs can be abused in a similar way including AVG, BitDefender, Emsisoft, and Microsoft.
 

Pat MacKnife

Level 15
Verified
Top Poster
Well-known
Jul 14, 2015
745
There are a lot of articles lately about defender, also this one :
Its in my native language dutch,but with english translation it should be possible to read
Researchers have determined that Windows Defender, which is installed by default on every Windows computer, instead of providing protection, can actually cause damage due to a serious vulnerability. This security program can be tricked into no longer detecting threats..... . . . .
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,224
There are a lot of articles lately about defender, also this one :
Its in my native language dutch,but with english translation it should be possible to read
Researchers have determined that Windows Defender, which is installed by default on every Windows computer, instead of providing protection, can actually cause damage due to a serious vulnerability. This security program can be tricked into no longer detecting threats..... . . . .

That is normal. MD is the most popular AV.

"We chose to focus on Defender not because it's Microsoft, but because it's widely spread much more than Kaspersky,"

The problem in that article can affect also other AVs:

Defender and Kaspersky are not the only ones having difficulty with EDR as an offensive tool. Earlier on Friday, a very busy Cohen gave another presentation that focused on Palo Alto Networks Cortex XDR.

 
  • Like
Reactions: Pat MacKnife

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,224
The problem with all AVs is that all of them increase the attack area and all can be abused. Of course, in most scenarios, there is a significant advantage when using AVs. :)
 
  • Like
Reactions: Oldie1950

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top