App Review Microsoft Defender vs Magniber

[Chuck57]

Great video, as always, and good to see you back in action. Cannot comment on the music since I know it isn't Buddy Holly,and his music would be a difficult fit.

 

[Anthony Qian]

Although any video with working ransomware can be kinda shocking, the truth is that there is no need to worry. The method used by Magniber (MSI file) is very rarely used against home users.

Furthermore, for any AV one can find working malware. There is no perfect & usable protection against malware. Even such a strong protection like CF with @cruelsister settings cannot save many users. Of course, the installer/fix will be blocked, but this is expected for pirated software, game mods, or cracks. The blocked malware cannot expose the malicious actions, so the user will simply turn off the protection and still can be infected.

Microsoft can efficiently (but not perfectly) fight such malware in several ways:

1. Making the samples very short-living (Block At First Sight + post-execution detections). Even if the sample could infect a few users, then after several minutes other users can be often protected against this sample.
2. Adding the methods used by ransomware to ASR rules.
3. Blocking delivery paths, when the malicious actors would like to use the malware in widespread attacks (weaponized documents, scripts, etc.).
4. Adding the malicious URLs to SmartScreen (used also system-wide by Defender's Network Protection).

So, we will see the normal cat & mouse game. When Microsoft (or any other AV) is going to improve the protection, the Magniber fellows will make necessary modifications, and so on.

It is not true that Magniber doesn’t target home users. In fact, there are many discussions about Magniber on Chinese Virus Rescue forums, and most victims are home users.

Block at first sight doesn’t work for Magniber ransomware. Also, according to my observation, Microsoft Defender is not one of the few vendors to add Magniber detection in a timely manner (Kaspersky and ESET always respond quickly).

Magniber injects malicious codes into the various legitimate processes (including system processes), making it hard to block this ransomware using HIPS rules because deploying such rules will cause FPs.

 

[wat0114]

It is not true that Magniber doesn’t target home users. In fact, there are many discussions about Magniber on Chinese Virus Rescue forums, and the most victims are home users.

What you're saying makes complete sense. Magniber is being disguised, at least in some cases, as legitimate updates for both Google Chrome and Microsoft Edge browsers.

Magniber ransomware being spread in the guise of a legit Microsoft Edge and Google Chrome update

Analysts have now discovered that attackers behind the Magniber ransomware, who have been exploiting IE-based vulnerabilities so far, are now targeting PCs via modern browsers such as Edge and Chrome. The Magniber ransomware is disguised as a legit update package for Edge or Chrome and comes as...

www.notebookcheck.net

I would say it's incumbent upon the home user to obtain these updates via official channels and methods only.

 

[Sunshine-boy]

Does Avast BB and kaspersky SW block this rat?

 

[lvseqiji]

Does Avast BB and kaspersky SW block this rat?

Kaspersky can block it and rollback encrypted files, but Avast can not.

 

[shmu26]

Blocking delivery paths, when the malicious actors would like to use the malware in widespread attacks (weaponized documents, scripts, etc.).

Weaponized documents seem to be the home user's biggest enemy. Exe files will be blocked by most email providers, so it's unlikely that they will be delivered to your inbox. You have to go looking for them. But docs come in all the time, and can look legit, especially if the sender's address was spoofed.

 

[Adrian Ścibor]

Did I miss something, or we not given any information on how the malware was delivered to the system? @Andy Ful will surely have his similar opinion. Rightly so, as I suspect a drag&drop method, which unfortunately makes some of Microsoft's mechanisms not work.

 

[shmu26]

Did I miss something, or we not given any information on how the malware was delivered to the system? @Andy Ful will surely have his similar opinion. Rightly so, as I suspect a drag&drop method, which unfortunately makes some of Microsoft's mechanisms not work.

All cruelsister tests that I remember seeing were performed by executing clearly-named malware files sitting in orderly fashion on her desktop.

 

[Andy Ful]

Did I miss something, or we not given any information on how the malware was delivered to the system? @Andy Ful will surely have his similar opinion. Rightly so, as I suspect a drag&drop method, which unfortunately makes some of Microsoft's mechanisms not work.

According to some articles about the last Magniber campaign, the malware was delivered as follows:

The transmission method is still various forums, cracked software websites, fake pornographic websites, etc. When users visit these websites, they are induced to download from third-party network disks.

Win11 users beware! Magniber ransomware has been upgraded again, aiming at win11 | 360 Total Security Blog

At the end of April this year, the Magniber ransomware disguised as a Windows 10 upgrade patch package and spread widely, and 360 Security Center...

blog.360totalsecurity.com

The targets can be home users who are convinced & motivated to use pirated content. Such users are not well protected by Microsoft Defender even with ConfigureDefender MAX settings. They will not be well protected by any AV, too. I do not think that Magniber campaigns can be dangerous for most home users, but some features are dangerous for businesses. A similar attack vector was used by the Raspberry Robin worm:

New Update - Simple Windows Hardening

Interesting. Is the block present if you open Microsoft Store and do nothing? Please, wait - I have noticed the same now on my computer. I will try to investigate what it means. Thanks Andy.

malwaretips.com

Such fileless combinations like:

• shortcut + MSI & malicious DLL
• disk image with embedded MSI & malicious DLL

are not well covered by Microsoft Defender, because ASR rules are kinda blind to MSI files + DLL sideloading (no file reputation or prevalence check). Also, running DLLs by some rarely used LOLBins is not covered by ASR rules. In this way, many 0-day ransomwares can be delivered and executed. Furthermore, the protection mentioned in my previous post (Block At First Sight + post-execution detections) is inefficient in the targetted attacks.

My own experience with bypassing Defender's protection is as follows:

1. If the method is rarely used, then Microsoft ignores it and uses signatures or BAFS to detect the malware.
2. If the malware is more prevalent, then behavior-based detection for the sample is added or the ASR rules are updated.
3. If the malware is prevalent and dangerous, then Microsoft adds behavioral detection for the whole attack method. This point also includes blocking many UAC bypasses like Fodhelper, DiskCeanup, etc.

For now, Microsoft claims that the method used in the wild is properly detected. But, the Magniber group declared that they can easily change the method to successfully bypass Defender (I believe them).

 

[Andy Ful]

It is not true that Magniber doesn’t target home users.

I did not say that it does not. I also mentioned who could be the victim of the last Magniber campaign.

Block at first sight doesn’t work for Magniber ransomware.

Magniber ransomware is contained in the DLL which does not have MOTW. So, it is beyond the scope of BAFS. But the initial MSI file can be detected via BAFS if directly downloaded from the Internet via Chrome web browsers (it will be also blocked by SmartScreen for Explorer). Unfortunately, in-the-wild samples are mostly downloaded in archives or disk images and BAFS (SmartScreen) does not work, anyway.
So, BAFS is triggered due to the delivery method. The same will be true for any ransomware (malware) delivered in this way. See for example:

Raspberry Robin gets the worm early

Raspberry Robin is a worm spread by external drives that leverages Windows Installer to download a malicious DLL.

redcanary.com

 

[cruelsister]

Did I miss something, or we not given any information on how the malware was delivered to the system? @Andy Ful will surely have his similar opinion. Rightly so, as I suspect a drag&drop method, which unfortunately makes some of Microsoft's mechanisms not work.

Adrian- You missed nothing, and I thank you very much for bringing up this point! So to answer:

The file could have showed up on my computer on any number of ways:
1). I copied it from a USB and plopped it on the Desktop (which is actually what I did), or
2). It was an email attachment that I opened (to my Dismay). or
3). I got it from a torrent site, or
4). I downloaded it from a website that I used a thousand times before without issue, or
5). I downloading it from a website and decided to ignore a SmartScreen warning (since I know better than a stupid warning, don't I?), or
6). I got it from any number of sources and methods that don't come immediately to mind.

But stating that a test specifically to determine if a given product will stop specific malware is potentially invalid because the malware should have been acquires in a certain way to my mind essentially calls into question ALL testing including the "gang-bang" approach of Professional testers that will utilize hundreds of samples gotten from God-Knows-Where against a specific product.

My testing has always been malware file source agnostic and restricted in scope (few malware samples) done in the hope of both education and amusement. And the choice of malware used to bypass a product tends to me much, much easier than picking a song to fit perfectly.

M

 

[Andy Ful]

Wonderful music, the video shows that WD is not efficient with this Malware variant which leaves me concerned because it is my current setup. It even bypassed the WD protected folders.

Yes. If you want to be protected against such (so far) rare threats then, additional protection is required.
There are several well-known options for Defender (based on the file reputation lookup): CatchPulse (SecureaPlus), Comodo Firewall with @cruelsister settings, Crystal Security (???), Hard_Configurator (Recommended_Settings), SWH + RunBySmartScreen, VoodooShield. I am not sure if I can recall all.
Another option is using a very aggressive solution like WiseVector StopX or skip Defender and use a paid AV like KIS (@harlan4096 settings) or Norton.
In all the above cases, one has to face the problem of false positives. So, some discipline is required and a wise method to manage the blocked/detected files.

 

[wat0114]

Yes. If you want to be protected against such (so far) rare threats then, additional protection is required.
There are several well-known options for Defender (based on the file reputation lookup): CatchPulse (SecureaPlus), Comodo Firewall with @cruelsister settings, Crystal Security (???), Hard_Configurator (Recommended_Settings), SWH + RunBySmartScreen, VoodooShield. I am not sure if I can recall all.
Another option is using a very aggressive solution like WiseVector StopX or skip Defender and use a paid AV like KIS (@harlan4096 settings) or Norton.
In all the above cases, one has to face the problem of false positives. So, some discipline is required or a wise method to manage the blocked/detected files.

I'm thinking the SRP-enforced rules used in H_C (Hard_Configurator) would maybe block either of the UAC elevation commands using C:\Windows\System32\wbem\WMIC.exe as explained further down the cybereason article in this link:

Threat Analysis Report: PrintNightmare and Magniber Ransomware

Of course we don't yet know if CS' test resulted in the malware gaining elevated privileges, and whether or not the test even utilized that UAC elevation method.

Actually, any possibility CS could test this malware with H_C ?

EDIT

I tried to include the quoted UAC elevation methods from the article, but I was unable to post for some reason

 

[cruelsister]

With malware such as Magniber that utilizes the LoLBIN route in the infective pathway I prefer Containment as things like CF (and SBIE) will prevent legitimate files doing nasty things separately but equally. Many products will instead code their products to detect the msiexec switches to detect and stop thist malware but as others use taskhostw or certutil or mshta ir becomes like a game of whack-a-mole with no end in sight.

Guess being a simple girl I like a more straightforward solution.

 

[Andy Ful]

I'm thinking the SRP-enforced rules used in H_C (Hard_Configurator) would maybe block either of the UAC elevation commands using C:\Windows\System32\wbem\WMIC.exe as explained further down the cybereason article in this link:

Threat Analysis Report: PrintNightmare and Magniber Ransomware

This article is not related to the Magniber sample used in the video. It used an exploit which is patched for several months.

Actually, any possibility CS could test this malware with H_C ?

The H_C blocks MSI files via SRP. This can work well against the malware designed to be run by the user unintentionally as a movie, photo, document, etc. But in this particular attack, the user is convinced to run the fake update and expects that it can be blocked, so he/she will turn off the H_C protection and be infected anyway. This issue is similar to using Comodo Firewall.

 

[Moonhorse]

Yes. If you want to be protected against such (so far) rare threats then, additional protection is required.
There are several well-known options for Defender (based on the file reputation lookup): CatchPulse (SecureaPlus), Comodo Firewall with @cruelsister settings, Crystal Security (???), Hard_Configurator (Recommended_Settings), SWH + RunBySmartScreen, VoodooShield. I am not sure if I can recall all.
Another option is using a very aggressive solution like WiseVector StopX or skip Defender and use a paid AV like KIS (@harlan4096 settings) or Norton.
In all the above cases, one has to face the problem of false positives. So, some discipline is required and a wise method to manage the blocked/detected files.

Here is video also appcheck blocking this variant... but no idea how hard/easy it is to bypass such protection

 

[wat0114]

This article is not related to the Magniber sample used in the video. It used an exploit which is patched for several months.

I know the sample CS used was probably different and even modified, but I just wanted to use something that was at least somewhat relevant.

The H_C blocks MSI files via SRP. This can work well against the malware designed to be run by the user unintentionally as a movie, photo, document, etc. But in this particular attack, the user is convinced to run the fake update and expects that it can be blocked, so he/she will turn off the H_C protection and be infected anyway. This issue is similar to using Comodo Firewall.

CS' approach of using something like CF or SBie to contain is rather powerful; it uses blanket treatment of everything, no matter how harmful or even harmless it might be, and no matter what steps it uses, or how it may be modified by the attacker, including LOLBins utilized in its attack. It simply contains it, stopping the malware dead in its tracks from committing malicious modification to the target system.

The SRP approach can be powerful too, but only if a true default-deny setup is used, which of course has the drawback of requiring the end user to manage rules on a mostly ongoing basis, carefully crafting allow rules where necessary, without compromising security in the process. Micro-management of this approach can be painstaking and undesirable for many. I do like how you utilize it in H_C though

Finally as you said, if the user is simply going to disable protection, no matter what is used, then it's all a moot point anyway.

 

[Andy Ful]

...
The SRP approach can be powerful too, but only if a true default-deny setup is used, which of course has the drawback of requiring the end user to manage rules on a mostly ongoing basis, carefully crafting allow rules where necessary, without compromising security in the process. Micro-management of this approach can be painstaking and undesirable for many. I do like how you utilize it in H_C though

Using CF in CS settings is similarly painful to using the H_C Strict_Recommended_Settings. In CF the list of trusted vendors is disabled or highly shortened, so one has to often whitelist the software installations/updates or add the new vendors to the list. A bigger problem is when the software is unsigned because CF blocks also DLLs, so whitelisting is more complicated. Of course, that should not be a big problem for semi-advanced users who want to use tweaked CF or H_C.
My wife uses the max H_C settings (with blocked Sponsors) on SUA and she is very happy. In these settings, she could not run the Magniber ransomware at all. She would be probably happy too when using CF with CS settings.

 

[wat0114]

Using CF in CS settings is similarly painful to using the H_C Strict_Recommended_Settings. In CF the list of trusted vendors is disabled or highly shortened, so one has to often whitelist the software installations/updates or add the new vendors to the list. A bigger problem is when the software is unsigned because CF blocks also DLLs, so whitelisting is more complicated.

From what I understand, the CS method of using CF is mostly trouble-free, but maybe there is some user interaction required occasionally. This I don't know. I used CF some months ago using a combination of containment plus HIPS in Paranoid mode, as well as firewall rules restricting inbound and outbound, and I can tell you that was very panful to manage, but CF restricted in a way that's analogous to Fort Knox encircled within ADX Florence

 

[cruelsister]

Of course we don't yet know if CS' test resulted in the malware gaining elevated privileges,

Hi Wat! Indeed the malware requested beaucoup elevations, including for TCB (Trusted Computer Base) which pretty much opens the system to all sorts of potential nastiness. Also as is getting typical of ransomware, SeBackupPrivilege (to allow file Reads) and SeRestorePrivilege which will grant write access can be seen. By the way, UAC at the maximum level does not peep at all, including on initial run (should have included this tidbit in the video but it slipped my mind as I hate UAC!).

Also a fun fact- see the Windows Installer box that pops up on running the file? That is actually pretty much a fake as another copy is spawned elsewhere in the system that actually runs. So clicking Cancel for that Installer box just will kill the Fake while the actual malware is happily trashing the system.

I used CF some months ago using a combination of containment plus HIPS in Paranoid mode, as well as firewall rules restricting inbound and outbound

I also would have gotten rid of CF i I had to use those settings! The hardest thing to understand about CF is that Simple is Best, and that is almost counter-intuitive in the Security field.