Simple Windows Hardening
<blockquote data-quote="Andy Ful" data-source="post: 980775" data-attributes="member: 32260"><p>Post updated.</p><p></p><p><strong><span style="font-size: 18px">SWH + RunBySmartscreen vs. phishing attack to plant Vidar infostealer</span></strong></p><p>[URL unfurl="true"]https://malwaretips.com/threads/microsoft-help-files-disguise-vidar-malware.112971/post-980693[/URL]</p><p>[URL unfurl="true"]https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/[/URL]</p><p></p><p>It is not a good example for showing how SWH works, because this attack is not fileless, so it is beyond the protective boundaries of SWH. Anyway, it is a good example of the usefulness of the RunBySmartscreen tool.</p><p></p><p><strong>The infection chain</strong> (delivery stage in blue)<strong>:</strong></p><p><span style="color: rgb(41, 105, 176)"><strong>email ----> ISO attachment (spoofed as a .doc document) ---> two payloads dropped (CHM and EXE) ---></strong></span><strong><span style="color: rgb(184, 49, 47)"> EXE payload executed directly by the user or by opening the CHM file</span></strong></p><p></p><p>Such attacks can in theory be prevented via SWH by adding the ISO extension to the "Protected SRP Extensions" when such files are opened by a 3rd-party application (not by the Windows built-in handler). Anyway, most users will not do it because it would be inconvenient. But they can use the RunBySmartscreen tool instead.</p><p></p><p><strong><span style="color: rgb(0, 168, 133)">After opening the attachment in the email client, we can see two files in Explorer. We do not know if they are benign or malicious, so we do not open them directly but use the right-click Explorer context menu option "Run By SmartScreen".</span></strong> For the first payload we will see the alert (file blocked):</p><p></p><p>[ATTACH=full]265240[/ATTACH]</p><p></p><p>So we can see that it is a CHM file, which is not commonly used in email correspondence - commonly used files are ignored by RunBySmartscreen.</p><p></p><p>For the second payload we will see the SmartScreen block:</p><p></p><p>[ATTACH=full]265241[/ATTACH]</p><p></p><p>The RunBySmartscreen tool does not show alerts for common files (movies, photos, music, etc.) and will execute safe EXE/MSI files if they pass SmartScreen. RunBySmartscreen will block the opening/execution of files similarly to Paranoid extensions in SWH.</p><p></p><p>For PDF documents and MS Office documents with macros, alerts are also shown:</p><p></p><p>A Word document with macros (DOCM) will be blocked:</p><p></p><p>[ATTACH=full]265243[/ATTACH]</p><p></p><p>A Word document without macros will be opened after the alert:</p><p></p><p>[ATTACH=full]265242[/ATTACH]</p><p></p><p>A PDF document will be opened after the alert:</p><p></p><p>[ATTACH=full]265244[/ATTACH]</p><p></p><p></p><p>*******************************************************************************</p><p></p><p><strong>So what can happen after opening the payloads in the standard way?</strong></p><p></p><p>The CHM payload will be blocked by SWH anyway. <strong><span style="color: rgb(184, 49, 47)">The EXE payload will be executed without a SmartScreen alert.</span></strong> But wait, these payloads were downloaded from the Internet, so why is there no SmartScreen alert?</p><p>The ISO was downloaded from the Internet, so it has the MOTW. Unfortunately, files embedded in ISO images (and other disk images too) do not have the MOTW attached, so Windows (and Microsoft Defender too) cannot recognize them as downloaded from the Internet.</p><p></p><p>Edit.</p><p>RunBySmartscreen can be found here:</p><p>[URL unfurl="true"]https://github.com/AndyFul/Run-By-Smartscreen[/URL]</p><p>We also have a dedicated thread on MT:</p><p>[URL unfurl="true"]https://malwaretips.com/threads/run-by-smartscreen-utility.65145/[/URL]</p></blockquote><p></p>
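The PowerShell script below is an added example and is not part of Andy Ful's post, nor code from the SWH or RunBySmartscreen projects. It shows the mechanism the post ends on: the Mark-of-the-Web is the Zone.Identifier alternate data stream on an NTFS file, a downloaded ISO carries it, and files copied out of the image do not carry it unless something writes it again. The script reads the stream on the ISO, mounts the image, copies its contents to an NTFS folder, reports which copies have a zone, and tags each one with ZoneId=3 (Internet zone) so SmartScreen and other MOTW-aware checks apply when they are opened. The paths and the file name invoice.iso are assumed; whether the extracted copies already carry a zone before tagging depends on the Windows build, and the post describes the behavior it observed.

```powershell
# Added example, not from the original post or the SWH/RunBySmartscreen tools.
# Reads, reports and re-applies the Mark-of-the-Web (Zone.Identifier stream)
# for a downloaded ISO and the files copied out of it. Paths are assumed.

function Get-MotwZoneId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId from the Zone.Identifier stream, or $null when the file
    # carries no MOTW (stream missing, or the volume is not NTFS).
    try {
        $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw -ErrorAction Stop
    } catch {
        return $null
    }
    if ($text -match '(?m)^ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

function Set-MotwInternetZone {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path, [string]$ReferrerUrl)
    # ZoneId 3 is the Internet zone: what browsers and mail clients write on
    # download, and what SmartScreen and Office Protected View key on.
    $body = "[ZoneTransfer]`r`nZoneId=3"
    if ($ReferrerUrl) { $body += "`r`nReferrerUrl=$ReferrerUrl" }
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value $body -NoNewline
}

function Copy-IsoContentsWithMotw {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$IsoPath,
        [Parameter(Mandatory)][string]$Destination   # must be on an NTFS volume
    )
    $isoZone = Get-MotwZoneId -Path $IsoPath
    $shown = if ($null -eq $isoZone) { 'none' } else { $isoZone }
    Write-Host ("ISO {0}: MOTW ZoneId = {1}" -f $IsoPath, $shown)

    # Mount the image, copy everything out, dismount. The mounted volume is
    # read-only CDFS/UDF, so the NTFS copies are where a zone can be written.
    $image = Mount-DiskImage -ImagePath $IsoPath -PassThru
    try {
        $root = "$(($image | Get-Volume).DriveLetter):\"
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -Path (Join-Path $root '*') -Destination $Destination -Recurse -Force
    } finally {
        Dismount-DiskImage -ImagePath $IsoPath | Out-Null
    }

    # Report the zone of each copy before tagging, then tag it as Internet zone
    # so the usual download checks run when the file is opened from Explorer.
    $report = foreach ($f in Get-ChildItem -LiteralPath $Destination -File -Recurse) {
        $before = Get-MotwZoneId -Path $f.FullName
        Set-MotwInternetZone -Path $f.FullName
        [pscustomobject]@{
            File       = $f.FullName
            Extension  = $f.Extension
            ZoneBefore = $before
            ZoneAfter  = Get-MotwZoneId -Path $f.FullName
        }
    }
    $report
}

# Usage with assumed paths:
# Copy-IsoContentsWithMotw -IsoPath "$env:USERPROFILE\Downloads\invoice.iso" `
#                          -Destination "$env:USERPROFILE\Downloads\invoice-extracted" |
#     Format-Table -AutoSize
```

Once the copies are tagged, double-clicking the .exe goes through the SmartScreen check that the post shows RunBySmartscreen forcing, and the .docm opens in Protected View. Unblock-File is the built-in way to strip the stream again after a file has been verified.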