This Trojan exploits antivirus software to steal your data

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
But you can do it, see from 3:54 in her configuration video:

Im aware of that, thanks. Never just bothered with it when using cf

On topic: i wouldnt block bitsadmin.exe due windows updates

Sorry for the dumb question. But can you please explain to me how they will stop the malware? Does syshardener disable wmic/bitsadmin? And does OSA monitor wmic and bitsadmin? H_C at default-deny should stop the execution of the malicious.ink shortcut file, right?
yes, i wouldnt worry about this too much (y)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Sorry for the dumb question. But can you please explain to me how they will stop the malware? Does syshardener disable wmic/bitsadmin? And does OSA monitor wmic and bitsadmin? H_C at default-deny should stop the execution of the malicious.ink shortcut file, right?
All can block wmic.exe . H_C in the Recommended settings do not block wmic.exe, but will block the malware from the start, by blocking the shortcut in the UserSpace (Download folder).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
Assuming only administrative tasks happen as admin and no bypass for the native mechanisms it becomes a question whether the below leaves anything open

UAC+ASR+SRP(incl shortcuts)+Powershell constrained mode

I don’t think it does but ofc it needs a thorough analysis of the attack vectors to confirm or reject the statement

A weaken version of this is

UAC+ASR+SRP(without shortcuts)+Powershell constrained & only signed+block only Powershell in Windows Firewall
...
If something malicious could run PowerShell, then Constrained Language mode and Firewall rules can be bypassed to download and execute DLL payload, by using BITS via cmdlet (not bitsadmin.exe) and sponsors. So, you have to block PowerShell (also mshta.exe and hh.exe), or restrict the possibility to run command lines.
Blocking the shortcuts (not only .lnk), removes one attack vector that uses command lines.
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
If something malicious could run PowerShell, then Constrained Language mode and Firewall rules can be bypassed to download and execute DLL payload, by using BITS via cmdlet (not bitsadmin.exe) and sponsors. So, you have to block PowerShell (also mshta.exe and hh.exe), or restrict the possibility to run command lines.
Blocking the shortcuts (not only .lnk), removes one attack vector that uses command lines.

Would that be stopped though if child processes for Powershell are blocked via Exploit Guard?
 

SumTingWong

Level 28
Verified
Top Poster
Well-known
Apr 2, 2018
1,706
Another perfect example of how malware is evolving and becoming sophisticated and why users should be taught about safe surfing habits and be given security knowledge. :confused:
Another reason to create a HIPS and Firewall rule in my ESET IS to monitor the execution of bitsadmin. :p

What HIPS rules you created? Can you share them?
 
  • Like
Reactions: oldschool

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
You can choose to block both or not, depending on whether a process affects functionality. Here is what i have, othes enable nearly all the options successfully.

All enabled here works a little bit like HIPs without much intrusion. Blocking mmc requires some whitelisting.

Sandboxie free is easy to use, doesnt slow anything down. I used it with basilisk browser and was working pretty well. Have you completely gotten rid of qihoo 360 ? I liked qihoo sandbox when i tried it

No Moonhorse. Not using 360 TS anymore, even though I like it too. I switched to F-C for the web filtering. Also, the ads and bulk of 360 got to me after 5 years. It felt light to work with and well engineered, although it does use 300 MB or so of RAM if I recall. Doesn't feel like wasted use of RAM, though. I miss the sandbox...

Quick comment on Comodo plus OSArmor. For me this is a very good combination, especially with HIPs disabled. OSArmor is like having good auto-block/alert HIPs rules basically. Amazing how few interruptions it creates.
 

notabot

Level 15
Verified
Oct 31, 2018
703
If something malicious can run PowerShell, then it can run sponsors without using PowerShell.
So, you will not have any child processes spawned by PowerShell.

I see your point, the intent of the ASR rule would be to stop other sponsors (script engines) from both executing something they downloaded.

Assumption is we’re discussing the use case of clicking a link file and not having link coverage in SRP - otherwise if we assume that already arbitrary code can be run, then the computer is already compromised, while it’s entire fair to see how to contain the damage , the question I’m trying to address is what is the minimal set of native mechanisms that prevents a compromise
After a minimal set has been determined one can add more layers and see how to mitigate a compromise
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I see your point, the intent of the ASR rule would be to stop other sponsors (script engines) from both executing something they downloaded.

Assumption is we’re discussing the use case of clicking a link file and not having link coverage in SRP - otherwise if we assume that already arbitrary code can be run, then the computer is already compromised, while it’s entire fair to see how to contain the damage , the question I’m trying to address is what is the minimal set of native mechanisms that prevents a compromise
After a minimal set has been determined one can add more layers and see how to mitigate a compromise
I answered your question in the H_C thread. It is slightly off topic here.(y)
 
F

ForgottenSeer 72227

I guess this is what Tavis Ormandy from Google's project zero has been talking about for some time now, malware taking advantage of vulnerabilities in AV's. It makes total sense and would be very lucrative for hackers as AV's have very deep hooks into the OS, so they are prime for exploitation. I wonder if the AV was sandboxed if the malware could still get though? Be interesting to see if the like of WD being sandboxed would have mitigated this? I'm curious to see if other AV's will start sandboxing their programs to help prevent their products from being exploited due to un-patched vulnerabilities.

Not to goo too far off topic, but I was listening to a Security Now podcast a while ago when MS announced that they were sandboxing WD and Steve Gibson mentioned that only MS would ever be able to successfully implement a sandbox for the AV, i guess due to the way the OS works. Is this the case that no other company can successfully do this as well, or does it mean that they have to some how take advantage of appcontainer to sandbox their product like the browsers due?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Is this the case for the Windows Firewall only? Or is this the same for every third party firewall?
As @Andy Ful explained so well in his post shortly after yours, the problem is that bitsadmin.exe doesn't download under its own name. So AFAIK this will be sufficient to confuse any firewall.
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
I guess this is what Tavis Ormandy from Google's project zero has been talking about for some time now, malware taking advantage of vulnerabilities in AV's. It makes total sense and would be very lucrative for hackers as AV's have very deep hooks into the OS, so they are prime for exploitation. I wonder if the AV was sandboxed if the malware could still get though? Be interesting to see if the like of WD being sandboxed would have mitigated this? I'm curious to see if other AV's will start sandboxing their programs to help prevent their products from being exploited due to un-patched vulnerabilities.

Not to goo too far off topic, but I was listening to a Security Now podcast a while ago when MS announced that they were sandboxing WD and Steve Gibson mentioned that only MS would ever be able to successfully implement a sandbox for the AV, i guess due to the way the OS works. Is this the case that no other company can successfully do this as well, or does it mean that they have to some how take advantage of appcontainer to sandbox their product like the browsers due?
A very good point raised. I would also love to see how WD Sandboxed reacts to this malware.
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
Can this be considered as a truly fileless malware? The malware downloads files with .jpg, .png or extensionless file but if an antivirus is configured to scan all file types MAYBE the malware will get detected upon launch provided the AV has a signature for it.
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
What HIPS rules you created? Can you share them?
Deny all applications from launching wscript and cscript.
Deny all applications from launching powershell(since I don't use it).
Block execution of WMIC and BitsAdmin.
Ask before launching cmd and mmc.
Block Excel, Word, Powerpoint, Access, SumatraPDF and Chrome from starting, modifying or intercepting svchost.exe.(Experimental)
Deny access to the Hosts file.

I just wish the HIPS could be configured to protect the MBR and the DNS Settings but for now, ESET HIPS do not cover these two aspects.
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
...
...
Update February 13 2019 20:00 EST:Article updated post-publication with additional comments from Avast:

We learned today about this particular Astaroth trojan variant analyzed in Cybereason’s report. Since this is not an exploit, there is no obligation for them to provide formal or advance communication. The authors misuse a trusted binary to run the malware, in this case they used an Avast process, probably due to the size of our user base in the target country of Brazil. One important thing to consider is that this is neither an injection nor a privilege escalation. Installed Avast binaries have self-protection mechanisms in place to avoid injections. In this instance, they are using an Avast file to run a binary in a similar way that a DLL using Windows’ rundll32.exe can run. We had previously issued a detection for the malware so all Avast users are protected from this variant. Additionally, we will be implementing changes to our environment to ensure the same process cannot be misused in this way the future.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top