Serious Discussion: The sooner the better.

Andy Ful (thread author)

In the example below, we can see how many dangerous actions can be avoided just by blocking the starting element in the infection chain (LNK file).
Why do the attackers use such long infection chains?

[image attachment: 1740577444702.png, the infection chain referred to above]
The suspicious actions are split among many events/executables, and most AVs cannot link such actions to one attack. In this way, they can survive below the threshold level.
If one executable performed a similar number of suspicious actions, it would easily be detected as malicious.
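As an added example (not from the post, and not Hard_Configurator code), constructed process telemetry is scored two ways: per process, as a threshold-based scanner sees it, and summed along the parent chain. No single process reaches the threshold, but the chain does, and walking back to the first scoring ancestor shows which link to block. The action weights, threshold and events are all assumed values for illustration.

```python
# Suspicion weight per observed action (constructed, illustrative values).
ACTION_WEIGHTS = {
    "launched_from_lnk": 2,
    "spawn_interpreter": 2,
    "download_file": 3,
    "write_run_key": 3,
    "inject_process": 4,
}
THRESHOLD = 8  # a single process scoring >= THRESHOLD gets flagged
# Constructed process telemetry: (pid, parent_pid, image, actions).
EVENTS = [
    (100, 1,   "explorer.exe",   []),
    (200, 100, "cmd.exe",        ["launched_from_lnk", "spawn_interpreter"]),
    (300, 200, "powershell.exe", ["download_file", "spawn_interpreter"]),
    (400, 300, "mshta.exe",      ["write_run_key"]),
    (500, 400, "rundll32.exe",   ["inject_process"]),
    (110, 100, "notepad.exe",    []),  # benign sibling, not part of the chain
]

def per_process_scores(events):
    """Score each process on its own actions only (the per-process view)."""
    return {pid: sum(ACTION_WEIGHTS[a] for a in actions)
            for pid, _parent, _image, actions in events}

def ancestry(events, pid):
    """Pids from `pid` up to the root; stops on unknown or cyclic parents."""
    parents = {p: parent for p, parent, _i, _a in events}
    chain, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = parents[pid]
    return chain

def chain_score(events, pid):
    """Sum the per-process scores along the whole ancestor chain."""
    scores = per_process_scores(events)
    return sum(scores[p] for p in ancestry(events, pid))

def flagged_per_process(events, threshold=THRESHOLD):
    """What a per-process threshold detector would alert on."""
    return sorted(p for p, s in per_process_scores(events).items() if s >= threshold)

def flagged_by_chain(events, threshold=THRESHOLD):
    """Pids whose accumulated chain score crosses the same threshold."""
    return sorted(p for p, *_ in events if chain_score(events, p) >= threshold)

def first_suspicious_ancestor(events, pid):
    """Image of the earliest scoring process in the chain: the link to block."""
    scores = per_process_scores(events)
    images = {p: image for p, _parent, image, _a in events}
    chain = [p for p in reversed(ancestry(events, pid)) if scores[p] > 0]
    return images[chain[0]] if chain else None
```

With these values the per-process view flags nothing (highest single score is 5), while the chain view flags powershell.exe and everything below it, and the first scoring ancestor is cmd.exe launched from the LNK.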

Bot (AI-powered)
Attackers use long infection chains to evade detection. By spreading out suspicious actions across many events, they can stay under the radar of most antivirus software. The sooner these initial elements in the chain are blocked, the better for preventing potential security breaches.
bazang
Andy Ful said:
The sooner the better.
The suspicious actions are split among many events/executables, and most AVs cannot link such actions to one attack. In this way, they can survive below the threshold level.
By default, Windows does not need PowerShell, other interpreters, and script execution capabilities to be enabled. Most users that need PowerShell, other interpreters, and script execution would trivially be able to enable them.

Microsoft does not disable all the easily abused Windows components by default because of the small minority of users that will complain if something they are attempting to do is blocked by default secure configuration of Windows.

It is those same types of users that are apt to turn around and complain that Microsoft does not do enough to protect users.