New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,699
SWH vs. Magniber JavaScript variant
https://malwaretips.com/threads/mag...ers-via-javascript-files.117780/#post-1007487
https://threatresearch.ext.hp.com/m...geting-home-users-with-fake-software-updates/

Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files.

The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system. The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files (Figure 2).


Figure 2 – Magniber infection chain
Interestingly, the Magniber sample we analyzed in September supports different versions of Windows 11, including pre-release versions. This suggests that home users rather than enterprises were the intended targets of the campaign, since enterprises tend to use older operating systems.

Like in the previous Magniber campaign (CPL file), this one is easily blocked by SWH. But the rest will depend on the user, because Magniber is often promoted as a system (software) update/upgrade, so many users can be fooled into turning off the protection. This is especially probable when they are looking for pirated content.

czesetfan

Level 3
Dec 3, 2021
116
I did some research. The block is for WindowsPackageManagerServer.exe. It can be important for developers who are going to submit their applications to Microsoft Store. When opening, the Microsoft Store tries to access it.
This block can be ignored by home users. The updates and installations of UWP apps are not impacted.
Anyway, it would be good to get rid of it. :unsure:
Hi. Has there been any progress on this?

Andy Ful

Hi. Has there been any progress on this?
I am still not sure if the progress is necessary, here. The developer tools can be used by attackers, just like some other LOLBins.

Andy Ful

Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?
To be precise, currently, the SRP settings in H_C (and SWH) will work on Windows 11 22H2 when:
  • Windows is upgraded from Windows 10.
  • Windows is updated from Windows 11 21H2 (or the prior version).
For now, SRP does not work when
  • Windows 22H2 has been installed (clean install).
  • Windows 22H2 has been refreshed.
All other settings in H_C (SWH) which are not related to SRP will work as usual.
There is no info from Microsoft on whether the SRP issue is a bug or not.
I noticed a close relationship between this issue and the installation of Smart App Control. When SRP works on Windows 11 22H2, the SAC is not installed.

Edit.
I updated the info in the OP.
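Since the post above says SRP can be present in the registry yet not applied on a clean 22H2 install, it is worth checking both: what policy the machine thinks it has, and whether a script dropped into a user-writable folder is really stopped. The script below is an added example and is not part of SWH or H_C. It reads Microsoft's documented SRP keys (HKLM and HKCU) and the Smart App Control state value, then drops a harmless constructed probe script into %TEMP% and runs it through its host; the probe writes a marker file only if it was allowed to run. Run it as a standard user, because PolicyScope = 1 exempts administrators.

```powershell
# Added example, not code from SWH/H_C: report the SRP policy on this machine and
# probe whether a script in %TEMP% is actually blocked. Registry locations and value
# meanings are Microsoft's documented SRP/SAC keys; the probe scripts are constructed.

function Get-SrpPolicy {
    # SRP can be set machine-wide (HKLM) or per user (HKCU); report both hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Hive = $hive; Configured = $false; DefaultLevel = $null; CheckDlls = $null; ExemptAdmins = $null; DesignatedTypes = $null }
            continue
        }
        $p = Get-ItemProperty -Path $key
        $level = switch ($p.DefaultLevel) {
            0       { 'Disallowed' }
            0x20000 { 'Basic User' }
            0x40000 { 'Unrestricted' }
            default { "Unknown ($($p.DefaultLevel))" }
        }
        [pscustomobject]@{
            Hive            = $hive
            Configured      = $true
            DefaultLevel    = $level
            CheckDlls       = ($p.TransparentEnabled -eq 2)   # 1 = executables only, 2 = DLLs too
            ExemptAdmins    = ($p.PolicyScope -eq 1)          # 0 = all users, 1 = all but local admins
            DesignatedTypes = ($p.ExecutableTypes -join ',')  # extensions SRP treats as executable (BAT, CMD, JS, ...)
        }
    }
}

function Get-SmartAppControlState {
    # Smart App Control (Windows 11 22H2+). VerifiedAndReputablePolicyState: 0 = off, 1 = on, 2 = evaluation.
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    switch ($v) { 0 { 'Off' } 1 { 'On' } 2 { 'Evaluation' } default { 'Not present' } }
}

function Test-ScriptBlocked {
    # Drops a harmless script into %TEMP% and runs it via its host (cmd.exe for BAT/CMD,
    # cscript.exe for JS/VBS). Both hosts consult SRP for the script file. The script
    # creates "<probe>.ran" only if it actually executed, so "blocked" = marker absent,
    # independent of the host's exit code.
    param([ValidateSet('bat', 'cmd', 'js', 'vbs')][string]$Extension = 'bat')
    $probe  = Join-Path $env:TEMP ("srp-probe-$([guid]::NewGuid().ToString('N')).$Extension")
    $marker = "$probe.ran"
    $body = switch ($Extension) {
        { $_ -in 'bat', 'cmd' } { '@echo off', 'echo ran> "%~f0.ran"' }
        'js'  { 'new ActiveXObject("Scripting.FileSystemObject").CreateTextFile(WScript.ScriptFullName + ".ran", true).Close();' }
        'vbs' { 'CreateObject("Scripting.FileSystemObject").CreateTextFile(WScript.ScriptFullName & ".ran", True).Close' }
    }
    Set-Content -Path $probe -Value $body -Encoding ASCII
    if ($Extension -in 'bat', 'cmd') { $hostExe = 'cmd.exe';     $argList = @('/c', "`"$probe`"") }
    else                             { $hostExe = 'cscript.exe'; $argList = @('//Nologo', "`"$probe`"") }
    try {
        Start-Process -FilePath $hostExe -ArgumentList $argList -Wait -WindowStyle Hidden -ErrorAction Stop
    } catch {
        # CreateProcess itself refused (e.g. Win32 error 1260, "This program is blocked by group policy").
    }
    $blocked = -not (Test-Path $marker)
    Remove-Item -Path $probe, $marker -ErrorAction SilentlyContinue
    return $blocked
}

Get-SrpPolicy | Format-Table -AutoSize
"Smart App Control: $(Get-SmartAppControlState)"
foreach ($ext in 'bat', 'js') { "{0,-3} blocked in %TEMP%: {1}" -f $ext, (Test-ScriptBlocked -Extension $ext) }
```

If Get-SrpPolicy shows DefaultLevel = Disallowed but Test-ScriptBlocked returns False for a standard user, the policy is configured but not enforced, which is the symptom described above for a clean 22H2 install. The probe uses cscript.exe rather than wscript.exe on purpose: wscript reports a denial in a dialog box, which would leave -Wait hanging.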

Andy Ful

SWH vs. Batloader
https://www.microsoft.com/en-us/sec...to-deliver-royal-ransomware-various-payloads/
https://malwaretips.com/threads/dangerous-batloader-malware-dropper.118627/post-1011278
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html


Figure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain

SWH can block such attacks in default settings via PowerShell restrictions (blocked script execution) or SRP restrictions for BAT scripts (level 2 in Figure 4).
The Batloader can execute PowerShell malware embedded in the MSI file, but it does not execute the PowerShell code in memory via CmdLine. The malware uses the MSI PowerShellScriptInline custom action, so the malicious PowerShell script code is dropped to disk as a PS1 script and executed during software installation.
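The PowerShell-in-MSI detail above is visible before anything is installed: the MSI's CustomAction table records every action, its type and what it invokes. The script below is an added example (not from the Batloader reports or from SWH) that lists that table with the Windows Installer COM API built into Windows, decodes the type bits that matter for triage (deferred, running as LocalSystem) and flags actions that mention PowerShell. The sample path is an assumption; point it at the installer you are triaging, on an isolated machine, since the database is opened read-only and never executed.

```powershell
# Added example, not from the Batloader reports or SWH: enumerate the CustomAction
# table of an MSI with the WindowsInstaller.Installer COM object (part of Windows) and
# flag actions that hand work to PowerShell. The sample path below is an assumption.

function Get-MsiCustomAction {
    param([Parameter(Mandatory)][string]$Path)

    function Invoke-Com($obj, $name, $kind, $params) {
        # Late-bound COM call: $kind is 'InvokeMethod' or 'GetProperty'.
        $obj.GetType().InvokeMember($name, $kind, $null, $obj, $params)
    }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 = msiOpenDatabaseModeReadOnly: the sample is never modified.
    $db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @((Resolve-Path -LiteralPath $Path).Path, 0)

    # TablePersistent returns 1 only for a persistent table; anything else means nothing to report.
    if ((Invoke-Com $db 'TablePersistent' 'InvokeMethod' @('CustomAction')) -ne 1) { return @() }

    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT Action, Type, Source, Target FROM CustomAction')
    Invoke-Com $view 'Execute' 'InvokeMethod' $null
    try {
        while ($true) {
            $rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null
            if ($null -eq $rec) { break }
            $type = [int](Invoke-Com $rec 'IntegerData' 'GetProperty' @(2))
            $src  = [string](Invoke-Com $rec 'StringData'  'GetProperty' @(3))
            $tgt  = [string](Invoke-Com $rec 'StringData'  'GetProperty' @(4))
            [pscustomobject]@{
                Action        = [string](Invoke-Com $rec 'StringData' 'GetProperty' @(1))
                # Low 6 bits select the action kind: 1/17 DLL, 2/18/34/50 EXE, 5/6/21/22/37/38/53/54 script, 51 set property.
                BaseType      = $type -band 0x3F
                Deferred      = [bool]($type -band 0x400)   # msidbCustomActionTypeInScript
                NoImpersonate = [bool]($type -band 0x800)   # deferred + NoImpersonate = runs as LocalSystem
                Source        = $src
                Target        = $tgt
                # Heuristic, not a signature: PowerShell named in the action, or a PowerShell WiX extension CA.
                PowerShell    = ("$src $tgt" -match '(?i)powershell|pwsh|PowerShellScript')
            }
        }
    } finally {
        Invoke-Com $view 'Close' 'InvokeMethod' $null
    }
}

# Usage (the path is an assumption):
# Get-MsiCustomAction -Path 'C:\samples\installer.msi' | Where-Object PowerShell | Format-List
# Get-MsiCustomAction -Path 'C:\samples\installer.msi' | Where-Object { $_.Deferred -and $_.NoImpersonate }
```

The second usage line is the one worth keeping for any installer, not just Batloader: a deferred, NoImpersonate custom action runs as LocalSystem during the install, so whatever it launches inherits SYSTEM regardless of who double-clicked the MSI. For the PowerShell case, the flagged action is exactly what the PS1-on-disk behaviour described above means for SWH: the dropped script is an ordinary file in a temp folder, which is where the script-execution restrictions apply.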

Andy Ful

SWH ver. 2.1.1.1 beta.


No need to remove the older SWH settings.

What is new:
  1. Added support for Windows 11 ver. 22H2
  2. Added the ONE extension (OneNote document) to the Paranoid extensions set.
  3. Removed the OFF2 option in the DocumentsAntiExploit tool. Now, ON2 settings include all ON1 settings.
    ON2 settings (if already applied) require resetting (ON2 --> OFF --> ON2) after the current update.

Andy Ful

SWH vs. Horabot
https://blog.talosintelligence.com/new-horabot-targets-americas/
https://malwaretips.com/threads/new-horabot-campaign-targets-the-americas.123594/

I like the examples posted by @silversurfer. :)
They usually present a complex infection chain that can evade the protection of AVs. The Horabot campaign started in November 2020 and has been ongoing through 2023. So, one can say that it was successful.




To evade AV protection, the attackers adopted a fileless initial attack vector. But SWH settings are adjusted to prevent such attacks. In this concrete example, the attack will fail just after unpacking the initial script (CMD). But in many cases, SWH is not required. Many attacks can be prevented by simple hardening, for example:
  • blocking batch scripts (BAT, CMD),
  • blocking the outbound connections of popular LOLBins (powershell.exe, wscript.exe, cscript.exe, mshta.exe ...) or simply blocking the execution of popular LOLBins.
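The second hardening bullet above (cutting the LOLBins off from the network) can be done with the built-in firewall and nothing else. The script below is an added example, not SWH code: it creates outbound block rules in Windows Defender Firewall for the four LOLBins the post names, covering both the System32 and SysWOW64 copies, and prints what is actually in place afterwards. It needs an elevated PowerShell; the rule-name prefix is an assumption, and -Remove undoes everything the function created.

```powershell
# Added example, not SWH code: Windows Defender Firewall rules that block outbound
# traffic from the LOLBins named in the post, 64-bit and 32-bit copies. Run elevated.
# The rule-name prefix is an assumption.

$RulePrefix = 'Hardening: no outbound for'
$LolBins    = 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Get-LolBinPath {
    foreach ($exe in $LolBins) {
        # powershell.exe lives under WindowsPowerShell\v1.0; the others sit directly in System32/SysWOW64.
        $sub = if ($exe -eq 'powershell.exe') { 'WindowsPowerShell\v1.0' } else { '' }
        foreach ($root in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
            $p = Join-Path (Join-Path $root $sub) $exe
            if (Test-Path -LiteralPath $p) { $p }   # SysWOW64 does not exist on 32-bit hosts
        }
    }
}

function Set-LolBinOutboundBlock {
    # Idempotent: one Block rule per binary path, created only if it is not already there.
    param([switch]$Remove)
    foreach ($path in Get-LolBinPath) {
        $name = "$RulePrefix $path"
        $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($Remove) {
            if ($existing) { $existing | Remove-NetFirewallRule }
            continue
        }
        if (-not $existing) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $path -Profile Any -Enabled True | Out-Null
        }
    }
}

function Get-LolBinOutboundBlock {
    # Verify from the firewall's side: rule, enabled state, action and the bound program.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
}

Set-LolBinOutboundBlock
Get-LolBinOutboundBlock | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. A program-bound rule only covers sockets opened by that process, so a script that delegates the download to a child process (certutil.exe, bitsadmin.exe, a browser) is not stopped by these four rules; this is why the post pairs the idea with blocking execution outright, which is what SRP does. And the powershell.exe rule also blocks legitimate module installs from the PowerShell Gallery, so expect to disable it temporarily for that.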

Andy Ful

SWH ver. 2.1.1.1 beta 4.

No new features, just one GUI improvement to make SWH more idiot-proof. :)
This will most probably be the stable version when I sign it with a new certificate (at the end of June).

Edit.
Currently, I am working on a new version, which will be finished in a few months. It will include some new options:
  1. Block User Folders via SRP (Desktop, Downloads).
  2. Block non-system drives via WDAC.
  3. Set SmartScreen to Block.
These new features will be integrated with RunBySmartscreen.

Gandalf_The_Grey

Level 73
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,202
Thanks @Andy Ful for continuing to develop and update your tools, much appreciated (y)
New version running great and without any issues here.

Can you add NanaZip to the supported archiver applications?

Is the new Outlook beta (olk.exe) a supported email client?

Andy Ful

Thanks @Andy Ful for continuing to develop and update your tools, much appreciated (y)

Can you add NanaZip to the supported archiver applications?

Is the new Outlook beta (olk.exe) a supported email client?
It is not necessary.
NanaZip uses the same temporary folder as 7-ZIP so it is automatically supported in SWH.
Outlook (olk.exe) does not allow opening EXE/MSI attachments, so the protection is applied even without enabling SWH option *Attachments and Archives*.:) (y)
