Security News: PowerShell Obfuscation Ups the Ante on Antivirus

silversurfer
Thread author
Aug 17, 2014
A new obfuscation technique has been spotted that uses the features of PowerShell, a tool that comes built into Microsoft Windows. Analysis from Cylance shows that the tactic succeeds in bypassing most antivirus products.

Cylance researchers stumbled across a malware file using a PowerShell obfuscation method while looking into a set of malicious scripts that had low antivirus detection. The file was a ZIP file containing both a PDF document and VBS script, and it was flagged by just three antivirus products.

It takes a page from other common obfuscation techniques, which include using packers to compress a malware program; encryption to hide its unique strings of code; or techniques that mutate malware cosmetics, such as the overall number of bytes in the program. All of these alter the hash and the signature of the malware so that common antivirus tools won’t flag it as a known malicious agent.

“Obfuscation is a term of art that describes a set of techniques used to evade antivirus products that rely heavily on signatures,” explained researchers at Cylance, in a technical analysis posted Wednesday on the tactic. “These techniques change the overall structure of a piece of malware without altering its function. Often, this has the overall result of creating layers which act to bury the ultimate payload, like the nested figures in a Russian doll.”
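A defender-side illustration of the signature-evasion point above: this is an added example, not code from the article or from Cylance, that scores a PowerShell script or command line for common obfuscation features (encoded commands, character-code string building, Invoke-Expression of assembled strings, heavy punctuation), the kind of check a script-block-log pipeline would run instead of relying on a file hash. Indicator names, weights, the threshold and the three samples are all assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Heuristic indicators of PowerShell obfuscation (names and weights are
# assumptions made for this example, not taken from Cylance's analysis).
# PowerShell is case-insensitive, so every pattern is matched that way.
INDICATORS: List[Tuple[str, str, int]] = [
    ("encoded_command",   r"-e(?:ncodedcommand|nc|c)\b", 4),    # base64 one-liners
    ("invoke_expression", r"\b(?:iex|invoke-expression)\b", 2),  # runs a built string
    ("char_casting",      r"\[char\]\s*\d+", 2),                 # [char]65+[char]66...
    ("frombase64",        r"frombase64string", 3),               # decodes a buried layer
    ("join_operator",     r"-join\b", 1),                        # reassembles fragments
    ("format_operator",   r"-f\s+['\"]", 1),                     # '{1}{0}' -f 'b','a'
    ("backtick_in_word",  r"[a-z]`[a-z]", 2),                    # i`e`x
    ("many_concats",      r"(?:['\"][^'\"]{1,4}['\"]\s*\+\s*){4,}", 2),  # 'a'+'b'+'c'+'d'+
]
SYMBOL_RATIO_LIMIT = 0.35  # assumed: heavily obfuscated text is mostly punctuation

def score_powershell(script: str) -> Tuple[int, List[str]]:
    """Return (score, names of indicators hit) for one script or command line."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, script, re.IGNORECASE):
            hits.append(name)
            score += weight
    compact = re.sub(r"\s", "", script)          # whitespace does not count either way
    if compact:
        symbols = sum(1 for c in compact if not c.isalnum())
        if symbols / len(compact) > SYMBOL_RATIO_LIMIT:
            hits.append("high_symbol_ratio")
            score += 2
    return score, hits

def is_suspicious(script: str, threshold: int = 4) -> bool:
    """Threshold is an assumption; tune it against your own script-block logs."""
    return score_powershell(script)[0] >= threshold

# Constructed samples (not from the thread): one benign, two obfuscated.
CLEAN = "Get-ChildItem -Path C:\\Logs -Filter *.log | Select-Object Name, Length"
# [char] codes spell "Write", the rest assembles "-Host hi": a harmless Write-Host call.
CHAR_BUILT = "IEX (([char]87+[char]114+[char]105+[char]116+[char]101) + '-' + ('Ho'+'st') + ' hi')"
ENCODED = "powershell.exe -NoP -W Hidden -Enc AAAAAAAAAAAAAAAA"  # placeholder blob, not a real payload

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("char_built", CHAR_BUILT), ("encoded", ENCODED)):
        print(label, score_powershell(sample), "SUSPICIOUS" if is_suspicious(sample) else "ok")
```

Feed it the ScriptBlockText field from PowerShell event 4104 (or the command line from process-creation events) rather than the file on disk; the whole point of the article's technique is that the on-disk artefact changes while the behaviour does not.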
I was gonna say the only thing missing from a Cylance thread is Lockdown, but he beat me to the punch.
Nice analysis. But yeah, if there isn't someone techy in the family, regular users won't know how to disable these attack vectors. Only a little education on what files with what extensions shouldn't be run might help elders. I vote for SRP myself and Hard_Configurator by Andy, but I understand that elders won't have a clue; my best suggestion is just to use Windows Defender or some most popular AV suite, older people shouldn't use Cylance.
The file was a ZIP file containing both a PDF document and VBS script, and it was flagged by just three antivirus products.
the idiot tested it on VT ROFL

Now in real world (not VT), go find me an AV without some sort of BB/HIPS to block the dropper...Immunet maybe LOOOL

Again, the shady Cylance deceptive marketing via bashing other AVs; seems they need to push their sales LOL
I was gonna say the only thing missing from a Cylance thread is Lockdown, but he beat me to the punch.
I was going to say, what was also missed in the thread was Artek's off-topic comments on Lockdown's comments, but he beat me to the punch. LOL