Malware Analysis "pyrate", Behavior Blocker Bypass POC #3

[Andy Ful]

BTW regarding:

Theoretically the "IDLE" exploit can be packaged as a ZIP file and that does not trigger smartscreen. Running IDLE.exe also does not trigger the default SmartScreen because IDLE is a digitally signed and safe reputation program.

I only packaged it as a 7z SFX EXE (which makes SmartScreen catch it) because it would be a 35MB zip file vs a 20MB 7z archive, and I didn't want to force all my testers here to get 7zip to unzip the exploit.

Python is actually often distributed as a self contained zip file, so unzipping and executing Python out of a downloaded archive is not necessarily far-fetched.

(but as Andy pointed out before, you can use the H_C config to force a SmartScreen popup to tell you about IDLE.exe regardless of it being signed. But that says nothing about the fact that I tainted a Python library buried deep within the archive....)

It seems that Python 3.8.2 (from python.org) uses idle.bat to open Python Shell on Windows:

@echo off
rem Start IDLE using the appropriate Python interpreter
set CURRDIR=%~dp0
start "IDLE" "%CURRDIR%..\..\pythonw.exe" "%CURRDIR%idle.pyw" %1 %2 %3 %4 %5 %6 %7 %8 %9

Is idle.exe made by you or it is a part of Python?

 

[MacDefender]

It seems that Python 3.8.2 (from python.org) uses idle.bat to open Python Shell on Windows:

@echo off
rem Start IDLE using the appropriate Python interpreter
set CURRDIR=%~dp0
start "IDLE" "%CURRDIR%..\..\pythonw.exe" "%CURRDIR%idle.pyw" %1 %2 %3 %4 %5 %6 %7 %8 %9

Is idle.exe made by you or it is a part of Python?

It's a part of the "WPy32" distribution of Python, from winpython.github.io

The EXE on VirusTotal (Kind of interesting that it was used by malware in the past, check out the relations)

VirusTotal

VirusTotal

www.virustotal.com

WinPython comes with a bunch of EXE launcher stubs that all have good SmartScreen reputation, but seem ripe for abuse:

 

[Andy Ful]

It's a part of the "WPy32" distribution of Python, from winpython.github.io

The EXE on VirusTotal (Kind of interesting that it was used by malware in the past, check out the relations)

VirusTotal

VirusTotal

www.virustotal.com

WinPython comes with a bunch of EXE launcher stubs that all have good SmartScreen reputation, but seem ripe for abuse:

View attachment 239386

I tried the WinPython 3.7.7.0 and 3.8.2.0. The Python installers and all executables were unsigned, but the installers and executable "IDLE (Python GUI).exe" was accepted by SmartScreen (no alert).
The below executables use "Noshell.vbs" to run:
IDLE (Python GUI).exe, IDLEX.exe, IPython Qt Console.exe, Pyzo.exe, Qt Designer.exe, Qt Linguist.exe, Spyder reset.exe, Spyder.exe, VS Code.exe, WinPython Control Panel.exe,
The rest use some BAT scripts: winipython_notebook.bat, winjupyter_lab.bat, cmd.bat, cmd_ps.bat, winpython.bat.
So, all of them will be blocked by H_C. SysHardener settings can also block the "IDLE (Python GUI).exe" and some other files that use "Noshell.vbs" to run.

 

[MacDefender]

I tried the WinPython 3.7.7.0 and 3.8.2.0. The Python installers and all executables were unsigned, but the installers and executable "IDLE (Python GUI).exe" was accepted by SmartScreen (no alert).
The below executables use "Noshell.vbs" to run:
IDLE (Python GUI).exe, IDLEX.exe, IPython Qt Console.exe, Pyzo.exe, Qt Designer.exe, Qt Linguist.exe, Spyder reset.exe, Spyder.exe, VS Code.exe, WinPython Control Panel.exe,
The rest use some BAT scripts: winipython_notebook.bat, winjupyter_lab.bat, cmd.bat, cmd_ps.bat, winpython.bat.
So, all of them will be blocked by H_C. SysHardener settings can also block the "IDLE (Python GUI).exe" and some other files that use "Noshell.vbs" to run.

Thank you for the analysis! I wonder why they decided to make tiny little EXE stubs like that which then just either run batch files or VBS.

It does make me want to go look for better executables that can be used to run actions. The use of IDLE (Python GUI) was by accident after realizing that two of my test AVs didn't respond at all to double clicking these kinds of payloads in Windows Explorer. Looks like Visual Studio Code is an interesting target -- their extensions might be easier to bug.

 

[MacDefender]

So ESET responded by adding signature detection for the main workhorse script, "pyrate.py":

I made a very small change to the script, renaming two functions:

--- pyrate.py   2020-05-11 16:02:57.354937100 +0000
+++ "pyrate - Copy.py"  2020-05-04 20:34:50.040466800 +0000
@@ -11,7 +11,7 @@

     return buf.value

-def enc(src, dst):
+def encrypt(src, dst):
     print("Encrypting " + dst)
     srcfile = open(src, 'rb')
     dstfile = open(dst, 'wb')
@@ -19,10 +19,10 @@
     srcfile.close()
     dstfile.close()
     os.remove(src)
-def ran(dir):
+def ransom(dir):
     for filename in os.listdir(dir):
         if not filename.endswith(".enc"):
-            enc(dir+filename, dir+filename+".enc")
+            encrypt(dir+filename, dir+filename+".enc")


-ran(find_mydocs()+"\\test\\")
+ransom(find_mydocs()+"\\test\\")

No detection anymore. And this is the problem with trying to use signatures to respond to scriptors -- there are so many ways to mutate a script and this isn't even using any fancy form of obfuscation.

 

[Outpost]

So ESET responded by adding signature detection for the main workhorse script, "pyrate.py":

I don't understand the meaning or the utility. It would not have been better to check the behavior?

 

[MacDefender]

I don't understand the meaning or the utility. It would not have been better to check the behavior?

I am in agreement. I do not believe signature detection is the right thing to do, and I'm kind of surprised that this one wasn't marked as a "hoax" like my last few.

BTW, the signature for this file is very specific. This change alone (from single quotes to 3 quotes) results in no detection:

-            encrypt(dir+filename, dir+filename+""".enc""")
+            encrypt(dir+filename, dir+filename+".enc")

In my opinion it's almost a waste of time for ESET to be adding signatures for this script. Signature detections are not the right approach here. Maybe a Python sandbox or better, runtime behavior detection.


EDIT: What I would really like is an explanation for why their Ransomware Shield isn't working against this sample. ESET says Ransomware Shield | ESET Glossary | ESET Online Help

Ransomware Shield is a behavior-based detection technique that monitors behavior of applications and processes that try to modify files in the way common for ransomware/filecoders. If an application´s behavior is considered malicious, or the reputation-based scanning shows an application to be suspicious, the application is blocked and process is stopped, or the user will be asked to block or allow it.

This sounds like a behavior blocker and similar to how WiseVector stops ALL variants of this attack, and how KSW and some other behavior blockers can stop the start.bat variant.

 

[RoboMan]

Update on ESET's hands on the matter:

So far, they've added a signature; and they're investigating for a deeper analysis on how to fight back these kind of malware

 

[RoboMan]

So ESET responded by adding signature detection for the main workhorse script, "pyrate.py":

View attachment 239482


I made a very small change to the script, renaming two functions:

--- pyrate.py   2020-05-11 16:02:57.354937100 +0000
+++ "pyrate - Copy.py"  2020-05-04 20:34:50.040466800 +0000
@@ -11,7 +11,7 @@

     return buf.value

-def enc(src, dst):
+def encrypt(src, dst):
     print("Encrypting " + dst)
     srcfile = open(src, 'rb')
     dstfile = open(dst, 'wb')
@@ -19,10 +19,10 @@
     srcfile.close()
     dstfile.close()
     os.remove(src)
-def ran(dir):
+def ransom(dir):
     for filename in os.listdir(dir):
         if not filename.endswith(".enc"):
-            enc(dir+filename, dir+filename+".enc")
+            encrypt(dir+filename, dir+filename+".enc")


-ran(find_mydocs()+"\\test\\")
+ransom(find_mydocs()+"\\test\\")

View attachment 239484

No detection anymore. And this is the problem with trying to use signatures to respond to scriptors -- there are so many ways to mutate a script and this isn't even using any fancy form of obfuscation.

Ayyyy lmao, you're faster than light

 

[RoboMan]

Well, once again there goes ESET playing victims and comparing themselves with the competition to stand out better. :/

 

[blackice]

Well, once again there goes ESET playing victims and comparing themselves with the competition to stand out better. :/

View attachment 239850

I think their PR and community teams are just trained for their response. I’m sure the teams that work on threats and signatures want to play it close to the vest how they are approaching different threats (though it seems kind of obvious what they’re doing). I just hope the info is getting passed to the right teams and not stopping at the community managers when something like this is submitted.

He’s basically just saying if you want protection from advanced threats then implement a default deny setup?

 

[MacDefender]

Yeah I have to say, the biggest surprise is that it is a lot of the small newcomers like @WiseVector and to some extent Emsisoft that have had the most productive and transparent responses to these kinds of POCs.

I'm not even demanding that every AV responds to my proof of concepts. WiseVector months ago said they would try to look into improving their product because Kaspersky's BB worked better and it sure looks like they followed up on that promise. Emsisoft said roughly that they don't consider behavior blocking as useful as they once did, and these days by the time ransomware gets on your machine, trying to stop it is a lost cause because of their arsenal of evasion techniques. And I respect that too.

ESET is just.... erratic for a lack of a better term. First it's "we don't detect it because this isn't real malware, and writing real malware is unethical". Then the second exploit they added a HOAX/FAKE signature for it. This time they added a real signature without the fake/hoax label but it was so easily bypassable. Meanwhile their website basically advertises a dynamic behavior blocker. Which one is it?

My personal interpretation of ESET is that they focus on in the wild threats and addressing them primarily by signature scanning. If that's their belief too, I would 100% respect it if they just owned up to that and stated their reasons why they believe their approach is right.

Instead, their current responses make me feel like they are just inventing contradicting excuses, and sometimes their excuses aren't even legitimate. There are many respectable AV programs that at least detect some variants of this attack. ESET basically detects none of them.

 

[fabiobr]

@MacDefender Can you test Bitdefender? With safe files/ATP?

Well, once again there goes ESET playing victims and comparing themselves with the competition to stand out better. :/

View attachment 239850

That is exact what we are doing here

Compare with Kaspersky, Norton, Bitdefender or any other big player, they will do better on THIS than ESET because of dynamic detection.

ESET seems stuck with this because they already are a big player on EU endpoint, they only will change anything if they come down. There is no other explanation about it, they got money, they are big, they could have a great dynamic detection.

 

[MacDefender]

That is exact what we are doing here

Compare with Kaspersky, Norton, Bitdefender or any other big player, they will do better on THIS than ESET because of dynamic detection.

ESET seems stuck with this because they already are a big player on EU endpoint, they only will change anything if they come down. There is no other explanation about it, they got money, they are big, they could have a great dynamic detection.

Yeah the stubbornness bewilders me. Their signatures are simply the best in the industry. But it seems like even if they add an average-quality behavior blocker, they would be the slam-dunk winner. Most behavior blockers can be independently disabled so there doesn't even need to be a tradeoff between performance vs behavior blocking.

It's just no matter how great your signatures are, it's still unsettling that a true zero day can have all the hallmarks of being malicious but nonetheless cause complete compromise.

ESET is my favorite on-demand scanner. I really want them to become my favorite realtime protection too but not in its current state.

 

[Chakuz]

Great Thread...
Can I get the samples too?