App Review Malware Obfuscation Part 1

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by cruelsister
Same outcome with WHHL tools fully tricked out. A thing can't stop what a thing can't see...
This is true for AV, which has to see and identify the file as malicious to stop.

While SRP and PS constrained language mode do not have to see anything; they blindly block certain files (and PS capability) regardless of the file nature; a completely different method, which can be relied on to fill the gaps left by defective AV detection (applies to all AVs, not MD alone).

Something similar to Kaspersky application control (when combined with WDAC), yet less refined.
 
Same outcome with WHHL tools fully tricked out. A thing can't stop what a thing can't see...

Could you provide a sample? It would be interesting to see how this sample could bypass RunBySmartScreen or WDAC.
Did it manage to bypass the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"?
How could the initial shortcut land on the desktop where shortcuts are whitelisted by WHHLight? Normally, it will be located in the Downloads folder or on the flash drive and easily blocked by WHHLight restrictions.
 
General note about the attack vector used in the video.

Such types of attacks have been successful against most popular AVs/EDRs for some years.
The nice article about it can be found here:

It seems that Microsoft Defender in HIGH settings was too slow to mitigate the malware. However, such attacks can mainly be prevented by adding the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria". This ASR rule is similar to the Comodo way of blocking/containing executables in the Internet Security configuration. Of course, Comodo can easily block such attacks, except maybe in the Firewall config.
 
Block executable files from running unless they meet a prevalence, age, or trusted list criteria
The most aggressive and protective one among ASR rules; it blocks the installers of PeaZip and Media Player Classic if recently released, just for being 1 day old and not that prevalent, in addition to not being signed, of course.
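An added example for the two posts above (not code from the thread, from cruelsister, or from Microsoft): turning on the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" with Microsoft Defender's own PowerShell cmdlets, first in audit mode so you can see what it would have blocked (the 1-day-old unsigned installer case), then in block mode, plus a helper that pulls the events the rule writes and one that excludes a single known-good installer rather than disabling the rule. The rule GUID is Microsoft's documented ID for that rule; the function names are mine. Run in an elevated PowerShell session where Microsoft Defender Antivirus is the active AV.

```powershell
# Added example, not from the thread: manage the "prevalence, age, or trusted
# list" ASR rule with the Defender cmdlets and read back what it did.

# Microsoft-documented GUID of the rule discussed above.
$PrevalenceRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Set-PrevalenceRuleMode {
    # Mode: Disabled, Enabled (= block), AuditMode (log only), Warn (user can override).
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode)
    # Add-MpPreference both adds a rule and updates the action of an existing one.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-PrevalenceRuleState {
    # Returns the numeric action Defender stores for this rule:
    # 0 = disabled, 1 = block, 2 = audit, 6 = warn; $null if the rule is not configured.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $PrevalenceRuleId) {
            return $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null
}

function Get-PrevalenceRuleEvents {
    # Defender logs 1121 when an ASR rule blocks and 1122 when it fires in audit
    # mode; the rule GUID appears in the event message, so filter on it.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match $PrevalenceRuleId } |
      Select-Object TimeCreated, Id, Message
}

function Add-PrevalenceRuleExclusion {
    # For a known-good but brand-new, unsigned installer (the PeaZip case above):
    # exclude that one file from ASR evaluation instead of turning the rule off.
    param([Parameter(Mandatory)][string]$Path)
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

# Usage: audit first, review what fired, then enforce and confirm the state.
Set-PrevalenceRuleMode -Mode AuditMode
Get-PrevalenceRuleEvents | Format-Table -AutoSize
Set-PrevalenceRuleMode -Mode Enabled
Get-PrevalenceRuleState   # 1 once block mode is active
```

Audit mode is the practical answer to the "too aggressive" complaint: a week of 1122 events shows which legitimate new installers the rule would catch, and those get a targeted `AttackSurfaceReductionOnlyExclusions` entry rather than a weaker rule.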
 
The most aggressive and protective one among ASR rules; it blocks the installers of PeaZip and Media Player Classic if recently released, just for being 1 day old and not that prevalent.

Yes, and that is why it can also block most evasive threats, too. :)
 
These malicious files aren't in the normal executable (exe) form, but instead can be from YouTube videos, MP3s or txt files. They avoid detection by being heavily obfuscated...
Is there any browser extension, any AV browser extension, NextDNS filter setting (block NRDs) that would have the potential to stop this type of exploit at the browser level, as this file was already on the desktop?
 
Is there any browser extension, any AV browser extension, NextDNS filter setting (block NRDs) that would have the potential to stop this type of exploit at the browser level, as this file was already on the desktop?

The test scenario can be prepared by copying the archive from the flash drive to the Desktop, unpacking files on the Desktop, and running the shortcut.
If the file originated from the Internet, opening the shortcut would trigger an alert. That is why it is necessary to use Run By SmartScreen for files originating from flash drives when using WHHLight on default settings. Otherwise, the malware executable should be blocked by WDAC.
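The alert the post above describes depends on the file carrying a Mark of the Web (the Zone.Identifier alternate data stream that browsers write on download). A FAT32 flash drive cannot store alternate data streams, so an archive copied from it and unpacked on the Desktop arrives without any MOTW, and SmartScreen never gets a chance to prompt. This added helper (my code, not from the thread or from WHHLight) lists which files in a folder carry a MOTW and which zone, so a tester can verify what the test scenario actually exercised before drawing conclusions. The function name and the Desktop path are assumptions.

```powershell
# Added example, not from the thread: report Mark-of-the-Web status for files
# in a folder by reading the Zone.Identifier stream. ZoneId 3 = Internet,
# 4 = Restricted; no stream at all means no MOTW (e.g. copied from FAT32 media).

function Get-MotwStatus {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [switch]$Recurse
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse:$Recurse | ForEach-Object {
        $zoneId   = $null
        $referrer = $null
        try {
            # Zone.Identifier is an INI-style stream with ZoneId= and optional ReferrerUrl=/HostUrl=.
            $lines = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $lines) {
                if     ($line -match '^ZoneId=(\d+)')     { $zoneId   = [int]$Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1] }
            }
        } catch {
            # No Zone.Identifier stream: the file carries no MOTW.
        }
        [pscustomobject]@{
            Name        = $_.Name
            Extension   = $_.Extension
            HasMotw     = ($null -ne $zoneId)
            ZoneId      = $zoneId
            ReferrerUrl = $referrer
            # Only Internet/Restricted-zone files are screened by SmartScreen/SAC
            # on open; everything else relies on allow-listing (SRP/WDAC/AppLocker/ASR).
            ScreenedOnOpen = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    }
}

# Usage: flag shortcut and executable files on the Desktop that carry no MOTW,
# i.e. the ones a default SmartScreen/SAC setup will not prompt on.
Get-MotwStatus -Folder "$env:USERPROFILE\Desktop" |
    Where-Object { $_.Extension -in '.lnk', '.exe', '.bat', '.dll' -and -not $_.HasMotw } |
    Format-Table Name, ZoneId, ReferrerUrl -AutoSize
```

For a test to be representative of a real download, the unpacked files should show `HasMotw = True` with `ZoneId = 3`; if they show no MOTW, the test is measuring the flash-drive case, which is exactly why the post recommends Run By SmartScreen there.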
 
I think that the attack in the video can be similar to that one (two-year-old example used against student gamer community):

[Attachment: 1769364025661.png]
  • Lua51.dll – LuaJIT Runtime interpreter
  • Compiler.exe – a thin compiled Lua loader
  • Lua script – Malicious Lua script
  • Launcher.bat – Batch script used to run Compiler.exe with the malicious script as parameter
However, instead of using the batch script, the shortcut was used.
If so, then for files originating from the Internet, most such attacks can be blocked by SmartScreen, SAC, or WDAC.

Edit.
SRP, WDAC, AppLocker, and SAC can mainly block such threats, also in the scenario from the video (it can depend on the settings).
 
But AppLocker has no rules for LNK files, only for executable files, Windows Installer files, packaged app files, and script files!

Yes, but it will block the compiled Lua loader (detected too late by MD in the video). Similarly, the malware can be blocked by the MD ASR rule noted by me (and by SRP, WDAC, SAC).
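To check the point made in this exchange on a specific machine, here is an added PowerShell example (my code, not from the thread): it evaluates the loader files from the layout listed earlier (Compiler.exe, Lua51.dll) against the effective AppLocker policy, shows the attributes AppLocker can key on for the loader, and lists the AppLocker block/audit events. AppLocker has no LNK collection, so the shortcut is never evaluated; the compiled loader is what a default "Program Files and Windows only" executable rule set denies. The Desktop location and the function names are assumptions. Run elevated on a machine where AppLocker is configured and the Application Identity service is running.

```powershell
# Added example, not from the thread: test the Lua-loader files against the
# effective AppLocker policy and read the EXE/DLL log.

function Test-LoaderAgainstAppLocker {
    param(
        [string]$Folder = "$env:USERPROFILE\Desktop",   # assumed location
        [string]$User   = 'Everyone'
    )
    $policy = Get-AppLockerPolicy -Effective
    # The .lnk is not an AppLocker file type and cannot be tested here.
    # Lua51.dll is only evaluated if the (off by default) DLL rule collection is configured.
    $targets = @("$Folder\Compiler.exe", "$Folder\Lua51.dll")
    Test-AppLockerPolicy -PolicyObject $policy -Path $targets -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-LoaderFileInfo {
    # Publisher is empty for an unsigned loader; Hash and Path are the other two
    # attributes an AppLocker rule can match on.
    param([string]$Path = "$env:USERPROFILE\Desktop\Compiler.exe")
    Get-AppLockerFileInformation -Path $Path | Select-Object Path, Publisher, Hash
}

function Get-AppLockerExeEvents {
    # 8003 = would have been blocked (audit only), 8004 = blocked.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, Message
}

# Usage: expect PolicyDecision = Denied (or DeniedByDefault) for Compiler.exe
# under a policy that allows executables only from Program Files and Windows.
Test-LoaderAgainstAppLocker | Format-Table -AutoSize
Get-LoaderFileInfo
Get-AppLockerExeEvents | Format-Table -AutoSize
```

`Test-AppLockerPolicy` answers the "would this run?" question without executing anything, which is the safe way to confirm that an unsigned loader in a user-writable folder is denied while a legitimately installed interpreter in Program Files is not.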
 
If the file originated from the Internet, opening the shortcut would trigger an alert.
How could the initial shortcut land on the desktop where shortcuts are whitelisted by WHHLight?
Your questions beg this question: Where does the file originate from? This is the issue I have with this kind of testing.