Simple Windows Hardening
<blockquote data-quote="Andy Ful" data-source="post: 975059" data-attributes="member: 32260"><p>Post updated.</p><p></p><p><strong><span style="font-size: 18px">SWH vs. HTML ---> ISO ---> scripts</span></strong></p><p>[URL unfurl="true"]https://isc.sans.edu/forums/diary/Malicious+ISO+Embedded+in+an+HTML+Page/28282/[/URL]</p><p>[URL unfurl="true"]https://isc.sans.edu/forums/diary/CinaRAT+Delivered+Through+HTML+ID+Attributes/28330/[/URL]</p><p></p><p>The above examples have very low detection on VirusTotal.</p><p></p><p><strong>The infection chain (delivery stage in blue):</strong></p><p><strong><span style="color: rgb(41, 105, 176)">email ---> HTML attachment ---> ISO created ---> VBScript file dropped ---> </span></strong><span style="color: rgb(184, 49, 47)">malicious script executed by the user</span></p><p></p><p>The user is instructed to open the HTML attachment and then allow the ISO file to be mounted in order to run the script.</p><p>The ISO image file is created by the JavaScript code embedded in the HTML attachment when the HTML file is opened by the user in the web browser. It mimics downloading the ISO file by the web browser, but in fact, the ISO file is already embedded in the HTML file and dropped to disk. The intermediate ISO file is often used to fool SmartScreen, MS Office, or Adobe Reader because even if the ISO is downloaded from the Internet, the file embedded in the ISO image does not have the MOTW. 
If the embedded file is an MS Office or Adobe Reader document, it will not be opened in Protected View and, usually, the macros will be allowed in MS Office.</p><p></p><p>SWH in default settings can block the attack at the delivery stage by blocking the VBScript file.</p><p></p><p>I have seen similar infection chains with archives (also blocked by SWH):</p><ul> <li data-xf-list-type="ul">email ---> ISO ---> Archive ---> payload</li> <li data-xf-list-type="ul">email ---> ISO ---> self-extracting EXE ---> scripts</li> </ul><p>But the infection chain below would be beyond the scope of SWH default settings:</p><p>email ---> ISO ---> final EXE payload</p><p><s>One could block it in SWH by adding the ISO extension to the Designated File Types - currently (SWH ver. 1.1.1.1), this extension is blocked with Paranoid Extensions.</s></p><p></p><p><strong>As we know, SWH intentionally does not block <span style="color: rgb(184, 49, 47)">EXE/MSI</span> files, so in such cases, one has to rely on the AV.</strong></p><p>Fortunately, the AV detection of EXE files is usually much better compared to that of fileless attacks.</p><p></p><p>Edit.</p><p>Unfortunately, the opening of ISO files is managed by the Windows built-in handler, which does not support SRP.</p><p>But ISO files can still be protected by SRP when they are opened by third-party applications like WinISO or Daemon Tools.</p></blockquote><p></p>
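As an added example (not part of Andy Ful's post or of the SWH tool), a Python check that a mail gateway or an analyst could run over an HTML attachment to catch the smuggled ISO stage described above before the user ever sees a "download": it decodes every large base64 run in the file, tests the result for the ISO 9660 "CD001" volume descriptor, and records the JavaScript calls that typically accompany the fake download. The sample HTML and the ISO stub are constructed here; a real lure's anchor click that saves the file is deliberately omitted.

```python
import base64
import re

# ISO 9660 puts its primary volume descriptor at sector 16 (2048-byte
# sectors), i.e. offset 0x8000: a 0x01 type byte followed by "CD001".
ISO_PVD_OFFSET = 0x8000
ISO_MAGIC = b"CD001"
# JavaScript calls that usually appear together when a page decodes an
# embedded blob and presents it to the browser as a freshly downloaded file.
JS_INDICATORS = (b"atob(", b"new Blob(", b"createObjectURL", b".iso")
# Base64 runs long enough to hold a file rather than an inline icon or font.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{2048,}={0,2}")


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 primary volume descriptor."""
    end = ISO_PVD_OFFSET + 1 + len(ISO_MAGIC)
    return len(data) >= end and data[ISO_PVD_OFFSET + 1:end] == ISO_MAGIC


def find_smuggled_payloads(html: bytes) -> list:
    """Decode every large base64 run in the HTML and classify it."""
    indicators = [s.decode() for s in JS_INDICATORS if s in html]
    findings = []
    for m in BASE64_BLOB.finditer(html):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not clean base64 (e.g. a long token in minified JS)
        findings.append({"offset": m.start(), "size": len(decoded),
                         "is_iso": looks_like_iso(decoded),
                         "js_indicators": indicators})
    return findings


def build_fake_iso(size: int = 0x9000) -> bytes:
    """Constructed stand-in for a dropped ISO: zero padding plus a PVD."""
    img = bytearray(size)
    img[ISO_PVD_OFFSET] = 0x01
    img[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    return bytes(img)


# Constructed sample attachment in the shape the post describes: the "download"
# is a base64 string that was inside the HTML all along (no anchor click here).
SAMPLE_HTML = (
    b"<html><body><p>Loading your document...</p><script>\n"
    b"var b64 = '" + base64.b64encode(build_fake_iso()) + b"';\n"
    b"var raw = atob(b64);\n"
    b"var blob = new Blob([raw]);\n"
    b"var url = URL.createObjectURL(blob); // invoice.iso\n"
    b"</script></body></html>\n"
)
```

A hit with `is_iso` set is worth quarantining at the gateway rather than relying on the endpoint, since, as the post notes, files inside the mounted ISO will not carry the MOTW.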