Microsoft Defender vs Magniber
<blockquote data-quote="Andy Ful" data-source="post: 995910" data-attributes="member: 32260"><p>According to some articles about the last Magniber campaign, the malware was delivered as follows:</p><p></p><p>[URL unfurl="true"]https://blog.360totalsecurity.com/en/win11-users-beware-magniber-ransomware-has-been-upgraded-again-aiming-at-win11/[/URL]</p><p></p><p>The targets can be home users who are convinced & motivated to use pirated content. Such users are not well protected by Microsoft Defender even with ConfigureDefender MAX settings. They will not be well protected by any AV, either. I do not think that Magniber campaigns can be dangerous for most home users, but some features are dangerous for businesses. A similar attack vector was used by the <strong>Raspberry Robin worm:</strong></p><p>[URL unfurl="true"]https://malwaretips.com/threads/simple-windows-hardening.102265/post-995348[/URL]</p><p></p><p>Such fileless combinations like:</p><ul> <li data-xf-list-type="ul">shortcut + MSI & malicious DLL</li> <li data-xf-list-type="ul">disk image with embedded MSI & malicious DLL</li> </ul><p>are not well covered by Microsoft Defender, because ASR rules are kinda blind to MSI files + DLL sideloading (no file reputation or prevalence check). Also, running DLLs by some rarely used LOLBins is not covered by ASR rules. In this way, much 0-day ransomware can be delivered and executed. Furthermore, the protection mentioned in my previous post (Block At First Sight + post-execution detections) is inefficient in the targeted attacks.</p><p></p><p>My own experience with bypassing Defender's protection is as follows:</p><ol> <li data-xf-list-type="ol">If the method is rarely used, then Microsoft ignores it and uses signatures or BAFS to detect the malware.</li> <li data-xf-list-type="ol">If the malware is more prevalent, then behavior-based detection for the sample is added or the ASR rules are updated.</li> <li data-xf-list-type="ol">If the malware is prevalent and dangerous, then Microsoft adds behavioral detection for the whole attack method. This point also includes blocking many UAC bypasses like Fodhelper, DiskCleanup, etc.</li> </ol><p>For now, Microsoft claims that the method used in the wild is properly detected. But, the Magniber group declared that they can easily change the method to successfully bypass Defender (I believe them).</p></blockquote><p></p>
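The MSI + sideloaded DLL gap the post describes, seen from the detection side, as an added example that is not part of the post or of Defender: a heuristic over constructed Sysmon ImageLoad (Event ID 7) records that flags unsigned DLLs loaded by installer/LOLBin host processes from user-writable or removable paths. The host list, path patterns and sample events are assumptions, not telemetry from the campaign.

```python
"""Heuristic for DLL sideloading via msiexec / LOLBin hosts.

Added example (not from the post or from Microsoft Defender). Scans
constructed Sysmon Event ID 7 (ImageLoad) records and scores DLL loads
by abusable host processes; field names follow Sysmon's ImageLoad schema.
"""
import re
from typing import Dict, List

# Hosts that legitimately load DLLs but are commonly abused to run a
# sideloaded one. Assumption: illustrative list, not a full LOLBin catalogue.
HOST_PROCESSES = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "odbcconf.exe"}

# Paths from which a signed installer host should rarely load unsigned code:
# per-user temp/download folders, non-system drives (removable/mounted images)
# that are not a Program Files tree, and the machine-wide temp directory.
SUSPICIOUS_DIRS = re.compile(
    r"^(?:[A-Za-z]:\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|Downloads|Desktop)\\"
    r"|[D-Zd-z]:\\(?![Pp]rogram)"
    r"|C:\\Windows\\Temp\\)"
)

def score_image_load(ev: Dict[str, str]) -> int:
    """Return 0 (benign) .. 3 (strongly suspicious) for one ImageLoad event."""
    host = ev["Image"].rsplit("\\", 1)[-1].lower()
    if host not in HOST_PROCESSES or not ev["ImageLoaded"].lower().endswith(".dll"):
        return 0
    score = 1                                    # DLL loaded by an abusable host
    if ev.get("Signed", "true").lower() == "false":
        score += 1                               # no Authenticode signature
    if SUSPICIOUS_DIRS.match(ev["ImageLoaded"]):
        score += 1                               # user-writable / removable path
    return score

def detect_sideloads(events: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Return the loaded-DLL paths whose score reaches the threshold."""
    return [ev["ImageLoaded"] for ev in events if score_image_load(ev) >= threshold]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ImageLoaded": r"C:\Windows\System32\msi.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\MSI1A2B.tmp\helper.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ImageLoaded": r"E:\setup\update.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Users\bob\Downloads\x.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for hit in detect_sideloads(SAMPLE_EVENTS):
        print("suspicious sideload:", hit)
```

The score is a triage aid: a hit from a mounted image or installer temp directory is the case the post says ASR does not reputation-check, so it deserves a prevalence or signature lookup before the MSI is allowed to finish.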