Hot Take: Missed script malware by signature analysis

Status
Not open for further replies.
MS Defender - Default Settings

 


We are missing the first part from goo.su that executes the disable-Defender functions (the one that the user copy-pastes).

So almost all AVs detect the downloaded exe; what really matters is which one will detect the copied command before it executes filelessly.
Not many; such detection will be a Nightmare on Windows Street and will be jam-packed with false positives.
 
The real problem is that MD has not reached such a stage as to detect the payload; the script execution disabled MD first.
I would like to watch a video testing the resilience of major AVs to deactivation by fileless scripts.
OK, Shadowra sent me the video now.

The video advises users to disable the AV because “files are completely clean”.

Though Defender still could be disabled (or exclusion could be added), the attacker did not apply this method.

This social engineering can be applied with any product.
 
.SU domain, man, it's been a while, but that has always been hella shady. So much bad stuff used to happen with that domain, but I thought it died! Maybe not.
This is the first clue for the users. The .su TLD is mostly being utilized by cybercriminals.
Hard to spot if the target users are kids/gamers who don't have an idea what it is.
 
Yeah, the attacker relies on videos with loads of tags. They need a “stable” architecture with very little control, and this URL shortener (goo.su) probably has inefficient abuse reporting and very little control. Otherwise the attacker will have to edit all video descriptions on a daily basis once a URL shortener blocks their accounts.

However, the attacker also relies on GitHub.

The account, after I (and potentially other people before me) reported the abuse, has been deleted.

It is unlikely that goo.su links can be updated so that’s a whole bunch of work, gone down the drain. 🤷🏻‍♂️
 
The real problem is that MD has not reached such a stage as to detect the payload; the script execution disabled MD first.
I would like to watch a video testing the resilience of major AVs to deactivation by fileless scripts.
MD Home is a sitting duck against such disabler scripts. The Enterprise edition fares well. I believe this is a deliberate oversight by Microsoft.
 
It is not an oversight; disabling Defender requires admin privileges. It is a common philosophy that any action authorised by the admin is the responsibility of the admin.

So this is not considered a programmatic attack; it falls into the “admin with malicious intent” category.

Microsoft doesn’t protect against that.

Automating Defender management through PS can be used for legit purposes, but I am not sure why Microsoft doesn’t ship a setting “Enable automation through PowerShell cmdlets” so users not in need of it can switch it off.

Anyway, other cmdlets like the WMI-related ones are soon gonna be phased out so an entire class of persistence will soon disappear.
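A defensive check for the situation this post describes, written as an added example and not code from anyone in the thread: it reads Defender's own reported state and its Operational event log for the traces that an admin-level disabler script leaves behind (real-time protection switched off, exclusions added, configuration-change events). It assumes a Windows host with the built-in Defender PowerShell module, an elevated session, and a seven-day lookback window that is a chosen default rather than anything the thread specifies; the event IDs are the ones Defender writes to the Microsoft-Windows-Windows Defender/Operational log.

```powershell
# Added example (not from the thread): audit a Windows host for signs that
# Defender was switched off or weakened through PowerShell/WMI automation.
# Run from an elevated PowerShell; requires the built-in Defender module.

function Get-DefenderTamperReport {
    param([int]$LookbackDays = 7)   # assumed default window, adjust as needed

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Live state as Defender itself reports it
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is OFF') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is OFF') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is not enabled') }

    # 2. Preferences a disabler script typically flips or adds
    if ($pref.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring = True') }
    if ($pref.DisableScriptScanning)     { $findings.Add('DisableScriptScanning = True') }
    if ($pref.DisableIOAVProtection)     { $findings.Add('DisableIOAVProtection = True (downloaded files not scanned)') }
    foreach ($p in @($pref.ExclusionPath))      { $findings.Add("Path exclusion: $p") }
    foreach ($p in @($pref.ExclusionProcess))   { $findings.Add("Process exclusion: $p") }
    foreach ($e in @($pref.ExclusionExtension)) { $findings.Add("Extension exclusion: $e") }

    # 3. History: Defender logs every configuration change and every
    #    protection component that gets switched off.
    #    5001 real-time protection disabled, 5004 real-time protection config changed,
    #    5007 configuration changed, 5010/5012 malware/virus scanning disabled,
    #    5013 Tamper Protection blocked a change.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012, 5013
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Keep only the first line of the message; the rest is boilerplate
        $line = ($ev.Message -split "`r?`n")[0]
        $findings.Add(("[{0}] Event {1}: {2}" -f $ev.TimeCreated, $ev.Id, $line))
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Checked      = Get-Date
        Findings     = $findings
    }
}

$report = Get-DefenderTamperReport
if ($report.Findings.Count -eq 0) {
    Write-Host "No tamper indicators found on $($report.ComputerName)."
} else {
    Write-Host "Tamper indicators on $($report.ComputerName):"
    $report.Findings | ForEach-Object { Write-Host " - $_" }
}
```

The live-state checks catch the end result of the disabler script the video relies on, while the event-log query catches the act itself even if the settings were later restored; an empty findings list on a machine whose user ran a "completely clean" copy-paste command is itself a useful signal that the command never got as far as Defender.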
 
Another sample: B blocked the connection of mshta.exe to a URL; I typed that URL in the address field and pressed Enter: it downloaded an .hta file (initially it was blocked by SS, and after download MD asked to upload it for analysis); however, the scan by MD is negative.



Uploaded to VT (detected by K and Avast).


Nice job by GenD, K and B to detect this RHADAMANTHYS' latest persistence mechanism, truly showing their effectiveness against zero-day malware.
 
Its flag was removed later, don't know why! Anyway, it was an inaccurate one (phishing).
Here is another post about AVG missing a malware
 
Here is another post about AVG missing a malware
I am now more concerned about protective mechanisms against deactivation by malware than about missing a few samples; I could not find a comparative video for major AVs in this regard.
 