WHHLight - simplified application control for Windows Home and Pro.
<blockquote data-quote="Andy Ful" data-source="post: 1075382" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">WHHLight vs. DarkMe (New SmartScreen bypass, patched in February 2024).</span></strong></p><p><a href="https://malwaretips.com/threads/darkme-malware-targets-traders-using-microsoft-smartscreen-zero-day-vulnerability.128999/post-1075365">https://malwaretips.com/threads/darkme-malware-targets-traders-using-microsoft-smartscreen-zero-day-vulnerability.128999/post-1075365</a></p><p><a href="https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html">https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html</a></p><p></p><p>The previous patch does not cover the attack when an Internet shortcut points to another Internet shortcut.</p><p></p><p><strong><span style="color: rgb(184, 49, 47)">Attack flow:</span></strong></p><p><strong>Spearphishing link -----> Compromised server with <strong>Internet_shortcut1 on </strong>WebDAV share ---> <span style="color: rgb(226, 80, 65)">Internet_shortcut1 points to another Internet_shortcut2</span> -----> <strong>Internet_shortcut2 downloads/runs </strong>CMD script -----> malicious DLL downloaded and executed by LOLBin (RunDll32) ----> DLL downloads and runs secondary payloads</strong></p><p></p><p>The attack can be prevented/mitigated as follows:</p><ol> <li data-xf-list-type="ol">If &lt; WDAC &gt; is set to ON, the attack can be prevented because the WDAC policy in WHHLight blocks WebDAV. Furthermore, any SmartScreen bypass based on skipping MOTW can only increase the WDAC ISG protection (ISG is more restrictive without the SmartScreen backend).</li> <li data-xf-list-type="ol">WHHLight can fully mitigate this attack via SWH default settings (CMD script blocked).</li> <li data-xf-list-type="ol">The attack can be fully mitigated by FirewallHardening (Recommended H_C settings), because the malicious DLL runs in the context of RunDll32, and FirewallHardening settings block outbound connections of RunDll32.</li> </ol></blockquote><p></p>
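<p>As an added example (not code from the post above or from WHHLight/Hard_Configurator), the following Python parses the INI-style Internet shortcut (.url) format and flags the trait the post singles out: a shortcut whose target is another .url file served from a remote WebDAV/UNC share. The sample shortcut contents and the TEST-NET address are constructed; the check is a heuristic for triage, not a replacement for the mitigations listed.</p>

```python
import configparser
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed sample .url contents (TEST-NET address, not a real indicator).
SAMPLE_CHAINED = """[InternetShortcut]
URL=file://192.0.2.10@80/DavWWWRoot/stage/shortcut2.url
IconIndex=3
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
"""

def shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value of an InternetShortcut file, or None if malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def is_remote_share(target: str) -> bool:
    """UNC paths and file:// URLs with a host go through the SMB/WebDAV redirector
    (host@80 or host@SSL is the WebDAV form), so the target is a file fetched from
    a remote share rather than an ordinary web link."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    return parsed.scheme == "file" and bool(parsed.netloc)

def assess_shortcut(text: str) -> dict:
    """Report the two traits the post describes: a .url whose target is another
    .url, and a target hosted on a remote share. Both together raise the flag."""
    target = shortcut_target(text) or ""
    path = urlparse(target).path if "://" in target else target
    points_to_shortcut = unquote(path).lower().endswith(".url")
    remote = is_remote_share(target)
    return {
        "target": target,
        "points_to_shortcut": points_to_shortcut,
        "remote_share": remote,
        "flag": points_to_shortcut and remote,
    }

if __name__ == "__main__":
    for name, sample in (("chained", SAMPLE_CHAINED), ("benign", SAMPLE_BENIGN)):
        print(name, assess_shortcut(sample))
```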