WHHLight - simplified application control for Windows Home and Pro.
<blockquote data-quote="Andy Ful" data-source="post: 1073746" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">WHHLight vs. Ars Technica campaign.</span></strong></p><p>[URL unfurl="false"]https://malwaretips.com/threads/ars-technica-used-in-malware-campaign-with-never-before-seen-obfuscation.128722/post-1073729[/URL]</p><p>[URL unfurl="false"]https://arstechnica.com/security/2024/01/ars-technica-used-in-malware-campaign-with-never-before-seen-obfuscation/[/URL]</p><p></p><p>Update February 2024:</p><p>[URL unfurl="true"]https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware[/URL]</p><p></p><p>In this post, I will focus on the early stages of the infection flow (malware's new features will not be visible). The initial attack vector is very popular and the Ars Technica campaign is one of many examples.</p><p></p><p><strong><span style="color: rgb(184, 49, 47)">Attack flow </span><span style="color: rgb(0, 168, 133)">(initial part)</span><span style="color: rgb(184, 49, 47)">:</span></strong></p><p><strong><span style="color: rgb(0, 168, 133)">The user opens a shortcut from the infected flash drive ----> the shortcut runs a PS1 script hidden on the flash drive</span> ----> the script decrypts and manages intermediate payloads ----> EMPTYSPACE downloader is dropped and executed</strong></p><p></p><p>The default SWH settings in WHHLight prevent the attack by blocking LNK shortcuts in UserSpace. Furthermore, if the shortcut was skipped in the attack, the PS1 script would be blocked anyway.</p><p>Unfortunately, I could not find the PS1 samples, so I am not sure if the PowerShell Constrained Language restrictions could prevent the script from creating intermediate payloads (decryption methods are usually blocked).</p><p><strong><span style="color: rgb(184, 49, 47)">Update February 2024</span></strong>: The recent code of explorer.ps1 can be found in the Mandiant article. 
It uses the invocation method [System.Text.encoding]::UTF8.getstring(), which is blocked by Constrained Language mode. So, the script cannot even decode its active content and the attack fails. </p><p></p><p><strong>Full attack flow:</strong></p><p></p><p>[ATTACH=full]281285[/ATTACH]</p></blockquote><p></p>
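The post's claim that Constrained Language Mode blocks the `[System.Text.Encoding]::UTF8.GetString()` call explorer.ps1 depends on can be checked on your own machine. The following is an added test script, not code from the post, from WHHLight or from the malware; it runs the decode once in the current (FullLanguage) session, drops the session to ConstrainedLanguage, and runs it again. The `Test-Utf8DecodeAllowed` function name and the four sample bytes are constructed for this example.

```powershell
# Added example: does Constrained Language Mode block a .NET UTF-8 decode?
# Not from the original post; Test-Utf8DecodeAllowed is a name chosen here.

function Test-Utf8DecodeAllowed {
    # Constructed sample input: the UTF-8 bytes of the string "test".
    # Real loaders feed much larger, obfuscated byte arrays to the same call.
    $bytes = [byte[]](0x74, 0x65, 0x73, 0x74)
    try {
        # This is the exact method invocation the post says CLM rejects.
        $text = [System.Text.Encoding]::UTF8.GetString($bytes)
        return [pscustomobject]@{
            LanguageMode = $ExecutionContext.SessionState.LanguageMode
            Allowed      = $true
            Result       = $text
            Error        = $null
        }
    } catch {
        # In ConstrainedLanguage the call throws before any decoding happens,
        # which is the failure the post describes for explorer.ps1.
        return [pscustomobject]@{
            LanguageMode = $ExecutionContext.SessionState.LanguageMode
            Allowed      = $false
            Result       = $null
            Error        = $_.Exception.Message
        }
    }
}

# First run: whatever mode the shell started in (normally FullLanguage).
Test-Utf8DecodeAllowed | Format-List

# Lower this session to Constrained Language Mode for the second run.
# A session can step down to ConstrainedLanguage but cannot raise itself
# back to FullLanguage, so open a fresh shell afterwards.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
Test-Utf8DecodeAllowed | Format-List
```

Run it from a normal (FullLanguage) PowerShell window; a second report with `Allowed` set to `False` and a method-invocation error confirms that the decode step the post relies on is blocked once CLM is enforced, as it is under WHHLight's default SWH settings for scripts in UserSpace.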