Reply to thread

Message

<blockquote data-quote="Andy Ful" data-source="post: 973934" data-attributes="member: 32260">SWH vs. MSI --&gt; Scripts (Solarmarker Malware)I am trying hard to be on time with @[USER=26718]silversurfer[/USER] posts about current attacks in the wild.<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite109" alt=":)" title="Smile&nbsp; &nbsp; :)" loading="lazy" data-shortname=":)" />Here is another interesting case:[URL unfurl=&quot;false&quot;]https://malwaretips.com/threads/solarmarker-malware-uses-novel-techniques-to-persist-on-hacked-systems.112249/[/URL][URL unfurl=&quot;false&quot;]https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/[/URL]Infection chain (delivery stage in blue):MSI Installer ---&gt; legal application + malicious PowerShell script ----&gt; create/install malware and get persistence (.lnk shortcut in the User Startup folder + &quot;custom file open handler&quot; )It is funny that this attack could be mitigated by SWH in several ways.<ol>
<li data-xf-list-type="ol">PowerShell script would be blocked by the option * Admin PowerShell Scripts *.</li>
<li data-xf-list-type="ol">If this option is not Restricted, then the payload decryption would be blocked anyway by Constrained Language Mode (CLM) in PowerShell due to SRP settings.</li>
<li data-xf-list-type="ol">Even if the malware could somehow skirt around points 1-2 and get persistence, then the novel persistence technique via &quot;custom file open handler&quot; would fail because it uses PowerShell commands forbidden in Constrained Language Mode (IoFile.ReadAllBytes and ReflectionAssembly.Load) to read/decrypt and reflectively load a payload.</li>
</ol>Post edited.SWH does not block shortcuts in the User Startup folder (they are blocked in H_C).</blockquote>

[QUOTE="Andy Ful, post: 973934, member: 32260"] [B][SIZE=5]SWH vs. MSI --> Scripts (Solarmarker Malware)[/SIZE][/B] I am trying hard to be on time with @[USER=26718]silversurfer[/USER] posts about current attacks in the wild.:) Here is another interesting case: [URL unfurl="false"]https://malwaretips.com/threads/solarmarker-malware-uses-novel-techniques-to-persist-on-hacked-systems.112249/[/URL] [URL unfurl="false"]https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/[/URL] Infection chain (delivery stage in blue): [B][COLOR=rgb(41, 105, 176)]MSI Installer ---> legal application + malicious PowerShell script ---->[/COLOR][/B] [COLOR=rgb(184, 49, 47)][B]create/install malware and get persistence (.lnk shortcut in the User Startup folder + "custom file open handler" )[/B][/COLOR] It is funny that this attack could be mitigated by SWH in several ways. [LIST=1] [*][B][COLOR=rgb(41, 105, 176)][B]PowerShell script would be blocked by the option * Admin PowerShell Scripts *.[/B][/COLOR][/B] [*][B][COLOR=rgb(41, 105, 176)][B]If this option is not Restricted, then the payload decryption would be blocked anyway by Constrained Language Mode (CLM) in PowerShell due to SRP settings.[/B][/COLOR][/B] [*]Even if the malware could somehow skirt around points 1-2 and get persistence, then the novel persistence technique via "custom file open handler" would fail because it uses PowerShell commands forbidden in Constrained Language Mode (IoFile.ReadAllBytes and ReflectionAssembly.Load) to read/decrypt and reflectively load a payload. [/LIST] Post edited. SWH does not block shortcuts in the User Startup folder (they are blocked in H_C). [/QUOTE]

Verification