silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,165
This worm spreads a fileless version of the Trojan Bladabindi
- Thread starter silversurfer
- Start date
It says in the Trend Micro report:
Restrict and secure the use of removable media or USB functionality, or tools like PowerShell (particularly on systems with sensitive data), and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft.
* * * * *
Gee, thanks Microsoft for making Windows so trivial to smash.
Restrict and secure the use of removable media or USB functionality, or tools like PowerShell (particularly on systems with sensitive data), and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft.
* * * * *
Gee, thanks Microsoft for making Windows so trivial to smash.
- Dec 23, 2014
- 8,129
The malicious code in Autoit creates a standard shortcut in the root of the removable drive, that points to the executable hidden on the same drive in SSS folder. So, the infection is not automatic, it requires running the shortcut by the user. The propagation scenario is pretty standard.
The fileless execution idea and persistence method have been known known since the Poweliks trojan. It is only slightly modificated, because the malware uses PowerShell to get the .NET Framework class System.Reflection.Assembly, which loads the malicious code from the Registry key to PowerShell memory and next the code is executed (filelessly).
The malc0ders used AutoIt to compile the encoded payload and the main script, into a single executable. This can be harder to detect by non-signature AV modules. Such technique was used in the past to hide the python ransomware in the InnoSetup installer.
Generally, that sort of malware can be stopped by applying Constrained Language Mode to PowerShell or restricting the execution from removable drives.
The fileless execution idea and persistence method have been known known since the Poweliks trojan. It is only slightly modificated, because the malware uses PowerShell to get the .NET Framework class System.Reflection.Assembly, which loads the malicious code from the Registry key to PowerShell memory and next the code is executed (filelessly).
The malc0ders used AutoIt to compile the encoded payload and the main script, into a single executable. This can be harder to detect by non-signature AV modules. Such technique was used in the past to hide the python ransomware in the InnoSetup installer.
Generally, that sort of malware can be stopped by applying Constrained Language Mode to PowerShell or restricting the execution from removable drives.
Similar threads
