Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Malware Analysis
"pyrate", Behavior Blocker Bypass POC #3
Message
<blockquote data-quote="MacDefender" data-source="post: 879771" data-attributes="member: 83059"><p>well not exactly, this attack brings along a copy of Portable Python and executes it with a 7Zip SFX action. This can be a Trojan installer or even just disguised as a fake copy of Python. For example the “bonus” test just launches a Python IDE that simply encrypts your data in the background. My goal was actually to not make an EXE that’s malicious itself because most behavior blockers in my previous tests are very effective at stopping malicious EXE behavior.</p><p></p><p>I actually downloaded the exploit via Edge to the VM. I am aware that many behavior blockers like DeepGuard take into consideration how the file is introduced into the VM. So I host my exploits from a Public folder of my OneDrive. It’s meant to simulate being tricked by someone into downloading something deceptive. You might believe it’s a Python IDE with a bunch of difficult to install scientific computing packages built in.... but in reality it’s ransomware.</p></blockquote><p></p>
[QUOTE="MacDefender, post: 879771, member: 83059"] well not exactly, this attack brings along a copy of Portable Python and executes it with a 7Zip SFX action. This can be a Trojan installer or even just disguised as a fake copy of Python. For example the “bonus” test just launches a Python IDE that simply encrypts your data in the background. My goal was actually to not make an EXE that’s malicious itself because most behavior blockers in my previous tests are very effective at stopping malicious EXE behavior. I actually downloaded the exploit via Edge to the VM. I am aware that many behavior blockers like DeepGuard take into consideration how the file is introduced into the VM. So I host my exploits from a Public folder of my OneDrive. It’s meant to simulate being tricked by someone into downloading something deceptive. You might believe it’s a Python IDE with a bunch of difficult to install scientific computing packages built in.... but in reality it’s ransomware. [/QUOTE]
Insert quotes…
Verification
Post reply
Top