Updates Trend Micro Signed Malware Vulnerability

[McMcbrad]

When vulnerability is thrown in the mix, one usually expects to read about privilege escalation/arbitrary code execution, etc.
However, if we define vulnerability as design or implementation error that can compromise the confidentiality, integrity or availability of information, this broadens the scope.

I am creating this thread after I have noticed that 2 samples successfully bypassed all layers of Trend Micro (except web-protection/anti-spam, as I have downloaded from a malware repository).
Both samples were Parralax RAT which is quite malicious and works by injecting/process hollowing Notepad.exe.

It also drops a copy of itself in %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citrix.exe


Today's sample SHA2 is 723cb0067010b79e0cc780ea786fef8c6c17b68c383acc8183b2ae7332e95abf.

VirusTotal

VirusTotal

www.virustotal.com

VT 49/70.

Normally Trend Micro issues a prompt when executing something not-so-trustworthy, which looks like this:

The blocked program contains the following code, which can't be malicious, meaning the prompt is most likely based on signature and file prevalence:

int main()
{
    cout << "Hello World!\n";
    int mem[3] = { 1,2,3 };
    for (int i = 0; i < 3; ++i) {
        cout<< mem[i]<<endl;

    }

}

However in the signed malware case, this alert is not presented and behavioural blocking does nothing to stop the malware in question.

I have contacted Trend Micro and will update this thread when I have more information.

Though it does good job blocking many other vectors, signed malware is a growing problem and is not to be overlooked.

 

[Nagisa]

It's a bit unrelated from what has been talked here but I noticed something interesting about TM, It doesn't use Control Flow Guard. MD and Avast both use CFG. Furthermore Avast is running its scan engine under medium integrity level. I have no clue how big its importance though.

 

[McMcbrad]

It's a bit unrelated from what has been talked here but I noticed something interesting about TM, It doesn't use Control Flow Guard. MD and Avast both use CFG. Furthermore Avast is running its scan engine under medium integrity level. I have no clue how big its importance though.

I believe more important would be whether the scan engine is emulating in user mode or kernel mode in terms of possibility for arbitrary code execution, but more experienced programmer will have to provide an opinion on that.

 

[McMcbrad]

Update:

I have received a response from Trend Micro that they are testing a solution aimed at fixing this vulnerability. Other improvements will also be made.

 

[The Cog in the Machine]

Any updates?

 

[McMcbrad]

Any updates?

They said they are testing a fix, I am assuming it will take some time... I am in a constant contact with them and will update this thread instantly when I have news.

 

[The Cog in the Machine]

They said they are testing a fix, I am assuming it will take some time... I am in a constant contact with them and will update this thread instantly when I have news.

Thank you very much for your efforts!

Have you used TM Password Manager? What do you think of it?

 

[McMcbrad]

Thank you very much for your efforts!

Have you used TM Password Manager? What do you think of it?

Tbh I Don't like it. You have to install a whole program with services and thing, just for passwords. It also lacks 2FA (something they will fix soon) and doesn't always work as expected. Changes will be coming to it, but for now there are bigger issues. McAfee TrueKey is the best in my opinion.

 

[The Cog in the Machine]

You have to install a whole program with services and thing, just for passwords.

Then there is no way I am going to install this. I got rid of Enpass and Sticky Password for the same reason. Now I am using Dashlane (Standalone extension).

It also lacks 2FA (something they will fix soon)

I believe they introduced it in the latest update. Here is a screenshot from App Store

McAfee TrueKey is the best in my opinion.

Why so? I see it as a barebone password manager. It does not support all the browsers (can only work in Edge, Chrome and Firefox but not in Vivaldi and Brave and other chromium browsers). It does not support generating OTP codes and as far as I remember, it does not scan your passwords for leaked info. Am I missing sth here?

 

[McMcbrad]

Then there is no way I am going to install this. I got rid of Enpass and Sticky Password for the same reason. Now I am using Dashlane (Standalone extension).

I believe they introduced it in the latest update. Here is a screenshot from App Store
View attachment 253915

Why so? I see it as a barebone password manager. It does not support all the browsers (can only work in Edge, Chrome and Firefox but not in Vivaldi and Brave and other chromium browsers). It does not support generating OTP codes and as far as I remember, it does not scan your passwords for leaked info. Am I missing sth here?

The best from AV providers, I should've specified. Yes, it doesn't scan for leaks and the 2FA works by you approving the log-in on the mobile app. It is now just an extension for the browser with no backend software, so it does work in Brave, not sure about Vivaldi.
It has a very nice and clean UI and is very easy to use. It also allows import from various browsers, such as Chrome, something that TM Password Manager doesn't do.

With one license, McAfee allows 5 TrueKey accounts, which may be great for families. Everyone can have their own TrueKey, unlike Norton for example that allows only a single account.

 

[The Cog in the Machine]

The best from AV providers, I should've specified. Yes, it doesn't scan for leaks and the 2FA works by you approving the log-in on the mobile app. It is now just an extension for the browser with no backend software, so it does work in Brave, not sure about Vivaldi.
It has a very nice and clean UI and is very easy to use. It also allows import from various browsers, such as Chrome, something that TM Password Manager doesn't do.

With one license, McAfee allows 5 TrueKey accounts, which may be great for families. Everyone can have their own TrueKey, unlike Norton for example that allows only a single account.

View attachment 253937

I believe Kaspersky Password Manager is the best among AV providers password managers. Unfortunately, it does not work in vivaldi. It only works in the three major browsers.

With one license, McAfee allows 5 TrueKey accounts,

Can I add all the 5 keys to one account?

 

[McMcbrad]

Can I add all the 5 keys to one account?

You mean to extend the license duration this way? if that's the case, then no.

 

[The Cog in the Machine]

You mean to extend the license duration this way? if that's the case, then no.

It worked with F-Secure Key.