Updates Trend Micro Signed Malware Vulnerability

McMcbrad

Level 23
Oct 16, 2020
1,272
When a vulnerability is thrown into the mix, one usually expects to read about privilege escalation, arbitrary code execution, etc.
However, if we define a vulnerability as a design or implementation error that can compromise the confidentiality, integrity or availability of information, this broadens the scope.

I am creating this thread after I have noticed that 2 samples successfully bypassed all layers of Trend Micro (except web-protection/anti-spam, as I have downloaded from a malware repository).
Both samples were Parallax RAT, which is quite malicious and works by injecting into / process hollowing Notepad.exe.



It also drops a copy of itself in %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citrix.exe


Today's sample SHA2 is 723cb0067010b79e0cc780ea786fef8c6c17b68c383acc8183b2ae7332e95abf.
VT 49/70.

Normally Trend Micro issues a prompt when executing something not-so-trustworthy, which looks like this:
[screenshot of the Trend Micro prompt]


The blocked program contains the following code, which can't be malicious, meaning the prompt is most likely based on signature and file prevalence:
C++:
#include <iostream>
using namespace std;

int main()
{
    cout << "Hello World!\n";
    int mem[3] = { 1, 2, 3 };
    for (int i = 0; i < 3; ++i) {
        cout << mem[i] << endl;
    }
    return 0;
}

However, in the signed-malware case this alert is not presented, and behavioural blocking does nothing to stop the malware in question.

I have contacted Trend Micro and will update this thread when I have more information.

Though it does a good job blocking many other vectors, signed malware is a growing problem and is not to be overlooked.
 
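A defender-side check for the persistence artefact described in this post, added here as an example (it is not the poster's code and not anything from Trend Micro): it walks the per-user Startup folder, hashes every file with SHA-256, and flags anything that matches the IoC hash quoted above or is executable content that has no business living there. The folder path is derived from %APPDATA%, which already resolves to ...\AppData\Roaming; the demo directory, the file names in it and the bytes of the "citrix.exe" stand-in are constructed test data, and the suffix list is an assumption to tune for your own estate.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IoC quoted in the post above (the Parallax RAT sample).
KNOWN_BAD_SHA256 = {
    "723cb0067010b79e0cc780ea786fef8c6c17b68c383acc8183b2ae7332e95abf",
}

# Per-user Startup folder named in the post; %APPDATA% already resolves to ...\AppData\Roaming.
STARTUP_SUBPATH = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"

# File types that should not normally sit in a user's Startup folder (assumption: tune per estate).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_startup(startup_dir, known_bad=KNOWN_BAD_SHA256):
    """Return one finding per suspicious file: its path, SHA-256 and the reasons it was flagged."""
    findings = []
    for entry in sorted(Path(startup_dir).iterdir()):
        if not entry.is_file():
            continue
        digest = sha256_of(entry)
        reasons = []
        if digest in known_bad:
            reasons.append("hash matches known-bad IoC")
        if entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            reasons.append("executable content in Startup folder")
        if reasons:
            findings.append({"path": str(entry), "sha256": digest, "reasons": reasons})
    return findings


def default_startup_dir():
    """Resolve the live Startup folder on Windows; None elsewhere."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / STARTUP_SUBPATH if appdata else None


def build_constructed_startup_dir():
    """Constructed stand-in for the Startup folder (test data, not a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    (root / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (root / "notes.txt").write_text("harmless text\n")
    # Placeholder bytes under the file name the post reports; not the real sample.
    (root / "citrix.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in")
    return root


def demo():
    """Run the scan over the constructed folder, treating the stand-in's own hash as an IoC."""
    root = build_constructed_startup_dir()
    iocs = KNOWN_BAD_SHA256 | {sha256_of(root / "citrix.exe")}
    return scan_startup(root, iocs)


if __name__ == "__main__":
    target = default_startup_dir()
    hits = scan_startup(target) if target and target.is_dir() else demo()
    for hit in hits:
        print(hit["path"], hit["sha256"][:16], ", ".join(hit["reasons"]))
```

Run without arguments on a Windows host it scans the real Startup folder; anywhere else it falls back to the constructed directory. The hash rule only ever catches the exact sample, which is why the second rule (any executable content in a folder that should hold shortcuts at most) is the one worth keeping in a scheduled check.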

Nagisa

Level 7
Verified
Jul 19, 2018
327
It's a bit unrelated to what has been talked about here, but I noticed something interesting about TM: it doesn't use Control Flow Guard. MD and Avast both use CFG. Furthermore, Avast is running its scan engine under medium integrity level. I have no clue how big its importance is, though.
 
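The CFG observation above can be reproduced from the PE headers alone: the linker records Control Flow Guard (and DEP, ASLR and the other image-level mitigations) in the DllCharacteristics field of the optional header. The checker below is an added example, not code from anyone in this thread and not tied to any vendor's product; it parses that field from a file given on the command line, and for offline use it builds a header-only PE image in memory (constructed test data) so the check can be exercised without a real binary.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,
    "NO_SEH": 0x0400,
    "APPCONTAINER": 0x1000,
    "GUARD_CF": 0x4000,
}


def dll_characteristics(data):
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # 20-byte COFF file header starts here
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows the COFF header
    if size_opt < 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigations(data):
    """Map each mitigation name to whether its DllCharacteristics bit is set."""
    flags = dll_characteristics(data)
    return {name: bool(flags & bit) for name, bit in IMAGE_DLLCHARACTERISTICS.items()}


def build_constructed_pe(dll_chars, pe32plus=True):
    """Build a header-only PE image (constructed test data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature right after the DOS header
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_opt, 0x0022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            result = mitigations(fh.read())
    else:
        # No file given: show the check on a constructed image with CFG, ASLR and DEP bits set.
        result = mitigations(build_constructed_pe(0x4140))
    for name, enabled in result.items():
        print("%-16s %s" % (name, "yes" if enabled else "no"))
```

Point it at a vendor's service executable or engine DLL to see the same thing tools like dumpbin /headers report. The GUARD_CF bit says the image was linked with CFG; whether it is actually enforced at runtime also depends on the load config directory and on every module loaded into that process, so treat a missing bit as a definite "no" and a present bit as "probably".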

McMcbrad

Level 23
Oct 16, 2020
1,272
It's a bit unrelated to what has been talked about here, but I noticed something interesting about TM: it doesn't use Control Flow Guard. MD and Avast both use CFG. Furthermore, Avast is running its scan engine under medium integrity level. I have no clue how big its importance is, though.
I believe more important would be whether the scan engine is emulating in user mode or kernel mode, in terms of the possibility of arbitrary code execution, but a more experienced programmer will have to provide an opinion on that.
 

McMcbrad

Level 23
Oct 16, 2020
1,272
Thank you very much for your efforts!

Have you used TM Password Manager? What do you think of it?
Tbh, I don't like it. You have to install a whole program with services and things, just for passwords. It also lacks 2FA (something they will fix soon) and doesn't always work as expected. Changes will be coming to it, but for now there are bigger issues. McAfee TrueKey is the best in my opinion.
 

The Cog in the Machine

Level 26
Verified
May 10, 2019
1,535
You have to install a whole program with services and things, just for passwords.
Then there is no way I am going to install this. I got rid of Enpass and Sticky Password for the same reason. Now I am using Dashlane (Standalone extension).
It also lacks 2FA (something they will fix soon)
I believe they introduced it in the latest update. Here is a screenshot from App Store
McAfee TrueKey is the best in my opinion.
Why so? I see it as a barebones password manager. It does not support all the browsers (it can only work in Edge, Chrome and Firefox, but not in Vivaldi, Brave and other Chromium browsers). It does not support generating OTP codes and, as far as I remember, it does not scan your passwords for leaked info. Am I missing something here?
 

McMcbrad

Level 23
Oct 16, 2020
1,272
Then there is no way I am going to install this. I got rid of Enpass and Sticky Password for the same reason. Now I am using Dashlane (Standalone extension).

I believe they introduced it in the latest update. Here is a screenshot from App Store

Why so? I see it as a barebones password manager. It does not support all the browsers (it can only work in Edge, Chrome and Firefox, but not in Vivaldi, Brave and other Chromium browsers). It does not support generating OTP codes and, as far as I remember, it does not scan your passwords for leaked info. Am I missing something here?
The best from AV providers, I should've specified. Yes, it doesn't scan for leaks and the 2FA works by you approving the log-in on the mobile app. It is now just an extension for the browser with no backend software, so it does work in Brave, not sure about Vivaldi.
It has a very nice and clean UI and is very easy to use. It also allows import from various browsers, such as Chrome, something that TM Password Manager doesn't do.

With one license, McAfee allows 5 TrueKey accounts, which may be great for families. Everyone can have their own TrueKey, unlike Norton for example that allows only a single account.

 

The Cog in the Machine

Level 26
Verified
May 10, 2019
1,535
The best from AV providers, I should've specified. Yes, it doesn't scan for leaks and the 2FA works by you approving the log-in on the mobile app. It is now just an extension for the browser with no backend software, so it does work in Brave, not sure about Vivaldi.
It has a very nice and clean UI and is very easy to use. It also allows import from various browsers, such as Chrome, something that TM Password Manager doesn't do.

With one license, McAfee allows 5 TrueKey accounts, which may be great for families. Everyone can have their own TrueKey, unlike Norton for example that allows only a single account.

I believe Kaspersky Password Manager is the best among AV providers' password managers. Unfortunately, it does not work in Vivaldi. It only works in the three major browsers.


With one license, McAfee allows 5 TrueKey accounts,
Can I add all the 5 keys to one account?
 