App Review: Microsoft Defender vs Magniber

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
By the way, UAC at the maximum level does not peep at all, including on initial run (should have included this tidbit in the video but it slipped my mind as I hate UAC!).

Also a fun fact: see the Windows Installer box that pops up on running the file? That is actually pretty much a fake, as another copy is spawned elsewhere in the system that actually runs. So clicking Cancel for that Installer box will just kill the fake while the actual malware is happily trashing the system.

Incredible! This malware sample was lethal in several ways.

I also would have gotten rid of CF if I had to use those settings! The hardest thing to understand about CF is that Simple is Best, and that is almost counter-intuitive in the Security field.

This stands to reason. CF is powerful with all options utilized, but it carries a steep price in user management in both time and effort.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
The examples of Magniber activity:

Most examples are related to exploiting vulnerabilities, except for the latest attacks (April 2022). The sample in this thread is related to the latest attacks and is based on the sociotechnical method of malware delivery via fake updates (MSI files) distributed from fake warez and crack sites.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Comodo Firewall with CS settings is very powerful because it properly handles the attacks via unknown Portable Executable files (like *.exe, *.dll, etc.). After many years, Microsoft is going to include (optionally) similarly strong protection in Windows 11, which is called Smart App Control (SAC). Unfortunately, SAC is far less usable (for now) compared to CF.

Both SAC and CF can probably be defeated by the special fileless attacks which use custom script loaders to execute Portable Executable payloads or shellcode (avoiding standard APIs to create processes or load DLLs). I noticed that some MT members additionally use the SWH to prevent such types of fileless attacks, but it seems unnecessary at home. Such attacks are rare and almost absent in the attacks on home users. Currently, most fileless attacks can be prevented or mitigated by the CF (CS settings) alone.
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
Magniber ransomware is contained in the DLL which does not have MOTW. So, it is beyond the scope of BAFS. But the initial MSI file can be detected via BAFS if directly downloaded from the Internet via the Chrome web browser (it will also be blocked by SmartScreen for Explorer). Unfortunately, in-the-wild samples are mostly downloaded in archives or disk images, and BAFS (SmartScreen) does not work, anyway.
So, BAFS is triggered due to the delivery method. The same will be true for any ransomware (malware) delivered in this way. See for example:
No. BAFS does not work for the Magniber MSI file. The Microsoft cloud-based automatic analysis system cannot detect it even if the BAFS feature blocks the MSI for several seconds. Many Chinese users whose PCs are infected with Magniber are using Microsoft Defender.
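The MOTW point above can be checked directly. This is an added PowerShell audit script, not code from this thread or from any poster: it reads the Zone.Identifier alternate data stream on MSI, DLL and EXE files under a folder (assumed to be the user's Downloads) and reports which files lack the mark, which is the case for a DLL dropped by an installer or a file extracted from an archive or disk image.

```powershell
# Added example (not from the thread): audit Mark-of-the-Web (MOTW) on files in a folder.
# SmartScreen/BAFS decisions key off the Zone.Identifier ADS that browsers attach to
# downloads; a DLL dropped by an MSI, or a file pulled from an ISO, normally has none.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: folder to audit
)

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$FilePath)

    $info = [ordered]@{
        File = $FilePath; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null
    }

    # Probe the stream first; a missing stream is the normal case, not an error worth surfacing.
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($null -ne $stream) {
        $info.HasMotw = $true
        # The ADS is a small INI-style blob: [ZoneTransfer] / ZoneId=3 / ReferrerUrl= / HostUrl=
        foreach ($line in (Get-Content -LiteralPath $FilePath -Stream Zone.Identifier)) {
            if     ($line -match '^ZoneId=(\d+)')      { $info.ZoneId      = [int]$Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$') { $info.ReferrerUrl = $Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$')     { $info.HostUrl     = $Matches[1] }
        }
    }
    [pscustomobject]$info
}

# ZoneId 3 = Internet. Files without the stream, or with a lower zone, are outside
# what SmartScreen/BAFS will look at regardless of how malicious their content is.
Get-ChildItem -LiteralPath $Path -Recurse -File |
    Where-Object { $_.Extension -in '.msi', '.dll', '.exe' } |
    ForEach-Object { Get-MotwInfo -FilePath $_.FullName } |
    Sort-Object HasMotw, File |
    Format-Table File, HasMotw, ZoneId, HostUrl -AutoSize
```

Run it against the folder where an MSI was downloaded and then against the folder where its extracted or installed files ended up, and the second listing typically shows HasMotw = False throughout.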
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
No. BAFS does not work for the Magniber MSI file.
I do not say that it is impossible, but I cannot see any evidence for that (from your posts).

The Microsoft cloud-based automatic analysis system cannot detect it even if the BAFS feature blocks the MSI for several seconds.

The MSI file is blocked for up to 1 minute, and the automatic cloud-based analysis + post-infection detections can take even several minutes. So, with fully working BAFS, there can sometimes be a several-minute window when the malware can infect the users.

Many Chinese users whose PCs are infected with Magniber are using Microsoft Defender.

Yes, that can happen with fully working BAFS. The ransomware attack usually uses many different initial samples, so even if one sample would infect only one user, there still can be several infected users with fully working BAFS. Anyway, the BAFS is still efficient if it can prevent one sample from infecting many users.
In some scenarios, BAFS + post-infection detection will not be efficient, for example when a hacker prepares one sample for one target: there is no gain from BAFS because, after the infection, one infected target is equal to 100% infected victims.

By the way, how many infected users were confirmed?
 

Local Host

No. BAFS does not work for the Magniber MSI file. The Microsoft cloud-based automatic analysis system cannot detect it even if the BAFS feature blocks the MSI for several seconds. Many Chinese users whose PCs are infected with Magniber are using Microsoft Defender.
You're wasting your time, move on.

This Magniber variant is months old and we are all aware MD cannot defend you against it (as shown by the CS video), no need to waste time arguing with delusional people.

This specific variant was targeted at W11 with MD enabled (so yes, it affects home users).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Anthony Qian,

Although I cannot see any evidence that BAFS did not work in the Magniber campaign, I also cannot say how efficient BAFS was against this malware. From some reports, we know that Kaspersky and Comodo were more efficient. Kaspersky was able to recover the files and Comodo was able to contain the malware. It means that in theory both Kaspersky and Comodo could be 100% efficient. The Defender's efficiency was smaller for sure, even with fully working BAFS. (y)

Edit.
@SeriousHoax sent me a sample (not Magniber) that was already recognized as malicious in the Defender's cloud, but BAFS did not work for it. I submitted it to Microsoft (waiting for an answer). So it is true that in some rare cases BAFS can skip something.
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
Chill guys :D

Personally I like @Andy Ful , because his tools are already quite good and his safety tips help a lot.

I also like @Anthony Qian (even if we shouted at each other when I was new here, with McAfee ^^ ) who follows Magniber closely and we discuss a lot in PM (thanks to you for the samples during my vacations, so I can play on VM too ^^ )

Concerning Microsoft Defender, I already managed to encrypt a VM with Magniber in MSI with the anti-ransomware.
I don't know what BAFS is, so I won't go into it.

Even if Kaspersky and ESET are the 2 AVs I see the most on VT (you can also put Comodo, but Sandbox), the other AVs are slow to block it.
I've already seen editors add it, but only in files... just change some parts of the malware or re-build it to bypass detection...

I think Magniber will be detected sooner or later, like any Ransomware (we remember the Locky wave in 2016, or GandCrab in 2017/2018). It's enough that the editors will have found a strategy that lasts in the long term, either in Remediation or in AI Machine Learning with a clean detection.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I don't know what BAFS is, so I won't go into it.

You can think about BAFS as vaccinating by telepathy. :)
So, you can be infected by some pathogen and even die after a day. But, before you die your organism warns others by telepathy. So, in a short time, all people connected with you will be vaccinated against this particular pathogen.

In some cases this protection will be inefficient:
  1. The attacker prepared the pathogen that could kill only you.
  2. The pathogen mutates too quickly.
  3. Some users can still be infected in places where telepathy cannot work.
  4. The symptoms of the infection are too weak (you live long; no telepathy warnings).
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
Seems like the brain might be the best defense against Magniber and its variants? Just don't download from shady sites or plug in unknown usb drives? :unsure: :D
Tell that to the fact that pirated/cracked/torrented and other illegal software is the most common way home users get infected nowadays; it's the biggest infection vector for ransomware and, at times, all trojan infections.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Seems like the brain might be the best defense against Magniber and its variants? Just don't download from shady sites or plug in unknown usb drives? :unsure: :D

It is hard to protect people that want/need to use pirated content. They are exposed to sociotechnical attacks and there is no protection that could save most of them in the longer term.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Seems like the brain might be the best defense against Magniber and its variants? Just don't download from shady sites or plug in unknown usb drives? :unsure: :D
Any security application should aspire to protect ALL types of users (no matter the intellect) from ALL types of malware (no matter the source). In my opinion blaming product failure on the user is neither wise nor productive.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
It is hard to protect people that want/need to use pirated content. They are exposed to sociotechnical attacks and there is no protection that could save most of them in the longer term.

Of course and understood, even when I made the post. And certainly nothing derogatory intended against users who download pirated software and torrents, because I'm sure most are fully aware of the potential consequences with this type of "Risk/Reward" online activity. Heck, I've been burned this way years ago in my Windows XP days, but of course I knew what I was getting into.
 
