WHHLight - simplified application control for Windows Home and Pro.
<blockquote data-quote="Andy Ful" data-source="post: 1073469" data-attributes="member: 32260">
<p><strong><span style="font-size: 18px">WHHLight vs. LODEINFO (spear-phishing attacks)</span></strong></p>
<p>[URL unfurl="false"]https://malwaretips.com/threads/lodeinfo-fileless-malware-evolves-with-anti-analysis-and-remote-code-tricks.128638/#post-1073323[/URL]</p>
<p><strong>DOWNIISSA shellcode:</strong></p>
<p>[URL unfurl="false"]https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/[/URL]</p>
<p>This is not a typical attack against home users, but I used it to show how the WHHLight package can help prevent/mitigate some interesting attack vectors.</p>
<p><strong><span style="font-size: 18px"><span style="color: rgb(184, 49, 47)">Attack flow</span></span><em><span style="font-size: 18px">:</span></em></strong></p>
<p>[ATTACH=full]281217[/ATTACH]</p>
<p>The attack can be stopped/mitigated by the WHHLight package at several infection stages.</p>
<p>The recommended way is based on hardening MS Office applications.</p>
<p>[ATTACH=full]281219[/ATTACH]</p>
<p>This can be done manually or by using the DocumentsAntiExploit tool (included in the package).</p>
<p>When using that tool, the VBA code is blocked and the user cannot allow it from the configuration panel of MS Office applications. The attack is prevented at the early infection stage.</p>
<p>In the case of allowed macros, the attack can be prevented by the FirewallHardening settings when blocking outbound connections of MS Office applications.</p>
<p>[ATTACH=full]281220[/ATTACH]</p>
<p>In this particular case, the macro injects the shellcode into the running Word process (WINWORD.exe). Next, the shellcode uses the URLDownloadToFileA() API function to download the payloads. The download will fail when outbound connections of Word are blocked.</p>
<p>If the shellcode is not mitigated, it decrypts the payload, drops three files in the user Temp folder, and executes one of them (as a child process of WINWORD.exe) to apply DLL Hijacking. This can be blocked if the user applies ConfigureDefender with a HIGH Protection Level (ASR rule blocks the child process).</p>
<p>If the user does not use DocumentsAntiExploit, FirewallHardening, or ConfigureDefender, then WHHLight should be configured with the <strong><span style="color: rgb(0, 168, 133)">SUPER_SAFE</span></strong> or <span style="color: rgb(0, 168, 133)"><strong>TWO_ACCOUNTS</strong></span> setup. If so, then the DLL Hijacking can be blocked by WDAC.</p>
</blockquote>
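The three mitigation layers the post walks through (macro blocked by policy, outbound Word traffic blocked so the URLDownloadToFileA() download fails, Office child process blocked by the ASR rule) can be reproduced with built-in Windows cmdlets. The script below is an added example written for this page; it is not code from Andy Ful's post or from the WHHLight/ConfigureDefender/FirewallHardening tools, which apply their own settings. It assumes an elevated session, a 64-bit Office 16.x install at the path in $winword, and per-user Word policy under HKCU; the firewall rule name is arbitrary.

```powershell
# Added example: apply and then report the three mitigation layers described in the post.
# Assumed WINWORD.EXE path; adjust for your Office installation.
$winword = "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Layer 1 (macro stage): set VBA macro handling by policy so the user cannot
# re-enable it from the Trust Center. VBAWarnings = 4 disables all macros
# without notification; BlockContentExecutionFromInternet blocks macros in
# files carrying the Mark-of-the-Web.
$vbaKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security"
New-Item -Path $vbaKey -Force | Out-Null
Set-ItemProperty -Path $vbaKey -Name "VBAWarnings" -Value 4 -Type DWord
Set-ItemProperty -Path $vbaKey -Name "BlockContentExecutionFromInternet" -Value 1 -Type DWord

# Layer 2 (download stage): block every outbound connection made by WINWORD.EXE,
# which is what makes the shellcode's URLDownloadToFileA() call fail.
$ruleName = "Block outbound WINWORD (added example)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $winword `
        -Action Block -Profile Any | Out-Null
}

# Layer 3 (execution stage): Defender ASR rule "Block all Office applications
# from creating child processes" (well-known rule GUID), which stops the dropped
# file from being started as a child of WINWORD.exe.
$asrOfficeChild = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChild `
    -AttackSurfaceReductionRules_Actions Enabled

# Report the resulting state of each layer (ASR action 1 = Block).
$prefs = Get-MpPreference
$ids   = @($prefs.AttackSurfaceReductionRules_Ids)
$idx   = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $asrOfficeChild) { $idx = $i }   # GUID compare is case-insensitive
}
[pscustomobject]@{
    VBAWarnings    = (Get-ItemProperty -Path $vbaKey).VBAWarnings
    FirewallAction = (Get-NetFirewallRule -DisplayName $ruleName).Action
    AsrOfficeChild = if ($idx -ge 0) { $prefs.AttackSurfaceReductionRules_Actions[$idx] } else { "NotSet" }
}
```

Layer 2 also breaks legitimate Word features that need the network (online templates, cloud save), which is the trade-off the post's FirewallHardening approach accepts; remove the rule with Remove-NetFirewallRule -DisplayName if that is not acceptable.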