Question Simple Windows Hardening

[Andy Ful]

SWH vs. Magniber JavaScript variant
https://malwaretips.com/threads/mag...ers-via-javascript-files.117780/#post-1007487
https://threatresearch.ext.hp.com/m...geting-home-users-with-fake-software-updates/

Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files.

The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system. The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files (Figure 2).

Figure 2 – Magniber infection chain​

Interestingly, the Magniber sample we analyzed in September support different versions of Windows 11, including pre-release versions. This suggests that home users rather than enterprises were the intended targets of the campaign, since enterprises tend to use older operating systems.

Like in the previous Magniber campaign (CPL file), this one is easily blocked by SWH. But, the rest will depend on the user, because Magniber is often promoted as the system (software) update/upgrade, so many users can be fooled to turn off the protection. This is probable especially when they are looking for pirated content.

 

[czesetfan]

I made some research. The block is for WindowsPackageManagerServer.exe. It can be important for developers who are going to submit their applications to Microsoft Store. When opening, the Microsoft Store tries to access it.
This block can be ignored by home users. The updates and installations of UWP apps are not impacted.
Anyway, it would be good to get rid of it.

Hi. Has there been any progress on this?

 

[Andy Ful]

Hi. Has there been any progress on this?

I am still not sure if the progress is necessary, here. The developer tools can be used by attackers, just like some other LOLBins.

 

[SeriousHoax]

Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?

 

[Andy Ful]

Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?

To be precise, currently, the SRP settings in H_C (and SWH) will work on Windows 11 22H2 when:

• Windows is upgraded from Windows 10.
• Windows is updated from Windows 11 21H2 (or the prior version).

For now, SRP does not work when

• Windows 22H2 has been installed (clean install).
• Windows 22H2 has been refreshed.

All other settings in H_C (SWH) which are not related to SRP will work as usual.
There is no info from Microsoft if the SRP issue is a bug or not.
I noticed a close relationship between this issue and the installation of Smart App Control. When SRP works on Windows 11 22H2, the SAC is not installed.

Edit.
I updated the info in the OP.

 

[Andy Ful]

SWH vs. Batloader
https://www.microsoft.com/en-us/sec...to-deliver-royal-ransomware-various-payloads/
https://malwaretips.com/threads/dangerous-batloader-malware-dropper.118627/post-1011278
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

Figure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain

SWH can block such attacks in default settings via PowerShell restrictions (blocked script execution) or SRP restrictions for BAT scripts (level 2 in Figure 4).
The Batloader can execute PowerShell malware embedded in the MSI file, but it does not execute the PowerShell code in memory via CmdLine. The malware uses the MSI PowerShellScriptInline custom action, so the malicious PowerShell script code is dropped to disk as PS1 script and executed during software installation.