Question Steamunlocked malware?


SeriousHoax

UDS is a behavior based detection.
It's not actually. It's mainly used for cloud-based early blacklisting, which can be both automated and manual. It can automatically be derived from behavior blocking and ML model metadata or big-data analysis, but can be totally unrelated also. There were cases when even a Kaspersky analyst manually created UDS signatures for samples I sent to them.
e.g. [screenshot attachment]

Xeno1234

It's not actually. It's mainly used for cloud-based early blacklisting, which can be both automated and manual. It can automatically be derived from behavior blocking and ML model metadata or big-data analysis, but can be totally unrelated also. There were cases when even a Kaspersky analyst manually created UDS signatures for samples I sent to them.
e.g. [screenshot attachment]
PDFs always have weird detections; I see them get heuristic detections when it's a signature. Anyway, the object was detected via automatic methods, as Opentip says it's a Behavioral Stream Signature detection.

I believe, according to their website and other people I've asked, UDS is a cloud-based detection when malware is detected via other methods. For files like these, I've never seen a UDS signature, only automated detections.

Xeno1234

I've seen a PDF trigger PDM.Exploit, but that's their ML catching an Adobe exploit.
Yes, completely possible for that to happen. I've never seen a signature have a UDS detection besides documents, and the one that they sent. The majority of the time it's an automatic system in which PDM systems pick up an object, sending it to processing in KSN, then creating a preventative cloud detection for the file.

cartaphilus

Well, in that case, it definitely is evasive, bypassing Opentip, Intellix, and a lot of human researchers.

I myself don't know how to code, nor really know how malware works, but how could it bypass human researchers?

Also, which file was it? I checked the Opentip link someone sent and it's currently listed as clean on Opentip with 1,000 users.
Because no human actually took a look?

Maybe that company runs a triaged system?
I.e.:
If only a single file is received, then direct it to an internal sandbox that's more sensitive than the public one. If the sandbox says Clean, then inform the user that it's clean. Meanwhile, flag the file for review with importance LOW.

If more than 1 user but fewer than x users report it, then perform the same as above but set importance to Normal.

If a major IT corporation or more than x users report it, then inform the users to stand by while the file is analyzed, then flag the file with High Importance, Requires Human in the Loop.

Xeno1234

Because no human actually took a look?

Maybe that company runs a triaged system?
I.e.:
If only a single file is received, then direct it to an internal sandbox that's more sensitive than the public one. If the sandbox says Clean, then inform the user that it's clean. Meanwhile, flag the file for review with importance LOW.

If more than 1 user but fewer than x users report it, then perform the same as above but set importance to Normal.

If a major IT corporation or more than x users report it, then inform the users to stand by while the file is analyzed, then flag the file with High Importance, Requires Human in the Loop.
Ahh, didn't know that's how it works.

cartaphilus

Ahh, didn't know that's how it works.
For us, we think we are the most important people and our submissions should take priority. But for the person receiving your file, they don't know you from a panicking old lady that saw a naked dude suddenly jump on her screen and, being a good US bible belt evangelist, she could not stand for such lewd behavior from her computer! So she sent her whole download folder to the antivirus company for them to analyze. :)

AV corporations receive thousands of emails daily with suspicious attachments. Only a fraction of them are actually suspicious. But yet it's their duty to look at them all. So what do they do? They let the machines do the dirty work. Prime example: Stuxnet was in the wild and part of the detection cloud for months before a curious analyst received an infected laptop and, lo and behold, Stuxnet was one of the infections. Only then did they decide to escalate and analyze, and bam, multi-million-dollar sabotage software was busted.

struppigel

Hello there. I do not have much time this weekend. But just from checking this file vs. the original version's entry point, it is clearly patched. The patched code is unreadable because it manipulates the stack pointer. The original NvStTest, in contrast, is clearly readable. This patch alone is reason enough to declare it as malware, because it is a modification that has nothing to do there and the file hasn't been signed by the publisher. @SkeletalDemise is very spot on with the observations and analysis.

Entry point of clean NvStTest: [screenshot]

Entry point of manipulated NvStTest (cannot be decompiled): [screenshot]

BinDiff of both files: [screenshot]

PortEx diff of both files (black in the byteplot on the left means identical code/data). It is mostly the code near the entry point, some resources, and the (missing) certificate that have been changed. [screenshot]

If this was a legitimate software update, you would expect something different:
  1. not only entry point code changes
  2. the certificate would be there
  3. the code would be readable
  4. many functions with small differences due to recompilation (this file was not recompiled; some of the sections even have the same hash)

This blacksoul rule detects msvcp140.dll. I would not take it seriously.
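The three indicators in the post above (entry-point code rewritten, Authenticode certificate gone, other sections byte-identical so the file was patched rather than recompiled) can be checked mechanically. The script below is an added example, not code from this thread or from PortEx/BinDiff: it is a minimal stand-alone PE parser plus a comparison, and it builds two constructed toy PE32 images in memory so it runs without real files. Function names, the toy section contents and the fake certificate blob are assumptions made for the demo.

```python
import hashlib
import struct

SEC_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def parse_pe(data):
    """Minimal PE parse: entry-point RVA, cert-table presence, SHA-256 of each section's raw bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew -> "PE\0\0"
    nsec, opt_size, opt = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0], pe + 24
    magic, entry = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories start: PE32 vs PE32+
    cert_size = struct.unpack_from("<II", data, dirs + 8 * SEC_DIR)[1]
    sections = {}
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = (va, vsize, hashlib.sha256(data[rptr:rptr + rsize]).hexdigest())
    return {"entry": entry, "signed": cert_size > 0, "sections": sections}

def compare(clean, suspect):
    """The three checks from the post: entry-point section modified? cert stripped? which sections are byte-identical?"""
    c, s = parse_pe(clean), parse_pe(suspect)
    common = [n for n in c["sections"] if n in s["sections"]]
    changed = [n for n in common if c["sections"][n][2] != s["sections"][n][2]]
    entry_sec = next((n for n, (va, vs, _) in s["sections"].items() if va <= s["entry"] < va + vs), None)
    return {"entry_section_changed": entry_sec in changed, "cert_stripped": c["signed"] and not s["signed"],
            "changed": changed, "identical": [n for n in common if n not in changed]}

def build_pe(sections, entry_rva, signed):
    """Constructed toy PE32 image for the demo (not a real binary); sections land at RVA 0x1000, 0x2000, ..."""
    nsec, opt_size = len(sections), 224
    raw = (0x40 + 24 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF  # file-align the section data
    table, body = b"", b""
    for i, (name, content) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), 0x1000 * (i + 1),
                             len(content), raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += content
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    fh = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    if signed:  # security directory points at a fake cert blob appended after the sections
        struct.pack_into("<II", opt, 96 + 8 * SEC_DIR, raw + len(body), 8)
    hdr = dos + b"PE\0\0" + fh + bytes(opt) + table
    return hdr.ljust(raw, b"\0") + body + (b"FAKECERT" if signed else b"")

def demo():  # signed "clean" build vs. an unsigned copy whose entry-point code was overwritten (constructed)
    clean = build_pe([(".text", b"\x55\x8b\xec" + b"\x90" * 13), (".rdata", b"clean-strings")], 0x1000, True)
    patched = build_pe([(".text", b"\x83\xc4\x10\xff\xe0" + b"\x90" * 11), (".rdata", b"clean-strings")], 0x1000, False)
    return compare(clean, patched)
```

On real files, read both binaries into bytes and call compare(clean_bytes, suspect_bytes); a result with the entry-point section changed, the certificate stripped and the remaining sections identical is the pattern the post describes, not a recompiled update.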
