WHHLight - simplified application control for Windows Home and Pro.
<blockquote data-quote="Andy Ful" data-source="post: 1075857" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">WHHLight vs. Signed Malware</span></strong></p><p>(Smart App Control set to OFF)</p><p></p><p>In WHHLight, the default WDAC settings are focused on blocking initial EXE/MSI malware downloaded/executed by the user. The execution is often done with the SmartScreen backend, and in most cases WDAC ISG allows files accepted by SmartScreen (even if the same files are blocked by WDAC ISG without the SmartScreen backend).</p><p></p><p><span style="color: rgb(41, 105, 176)"><strong>There is an important question: How effective can SmartScreen be against initial EXE/MSI malware?</strong></span></p><p></p><p>The answer is not easy because most EXE samples are not initial malware but payloads. Initial malware samples are more frequently signed compared to payloads. Unsigned malware has close to 0 chance to get a positive SmartScreen reputation. Signed files can get it via a highly reputable certificate.</p><p></p><p><strong><span style="color: rgb(184, 49, 47)">Attack flow:</span></strong></p><p><strong>malspam ----> email attachment ----> user opens an attachment and executes GuLoader (EXE file) ----> GuLoader downloads/executes payloads</strong></p><p></p><p>GuLoader examples from the past:</p><p>[URL unfurl="false"]https://asec.ahnlab.com/en/55978/[/URL]</p><p>[URL unfurl="false"]https://www.crowdstrike.com/blog/guloader-malware-analysis/[/URL]</p><p>[URL unfurl="false"]https://www.trellix.com/blogs/research/guloader-the-nsis-vantage-point/[/URL]</p><p></p><p>The attack can be easily stopped by WDAC ISG when the file does not have a Mark of the Web (MotW), because the SmartScreen backend is not triggered. In such a case ISG uses a very restrictive reputation.
In the other case (EXE file with MotW), ISG will use the SmartScreen reputation, and malware signed with a highly reputable certificate can bypass WDAC ISG.</p><p></p><p>In my test, I chose recent samples of GuLoader malware. It is often used as initial malware to download/execute well-known malware (Remcos, Agent Tesla, Formbook, Lokibot, NanoCore, and more).</p><p><strong><span style="color: rgb(0, 168, 133)">I was surprised because 75% of GuLoader samples (<strong>35 total samples </strong>from February 2024) were digitally signed. Another surprise was that all samples were blocked by SmartScreen (when MotW was added by me) and by WDAC ISG (files with or without MotW).</span></strong></p><p><strong><span style="color: rgb(0, 168, 133)">I checked the certificates. Each sample used a different certificate, and all certificates were fake.</span></strong></p><p><strong>Conclusion.</strong></p><p><strong>The default WDAC ISG settings in WHHLight can be very efficient in blocking EXE malware (also digitally signed) used in widespread attacks.</strong></p><p><strong>It does not mean that the efficiency will be similarly high for highly targeted attacks on Enterprises, because of the use of highly reputable certificates.</strong></p><p><strong>Edit.</strong></p><p><strong>After adding 24 new samples, the result did not change much (59 total samples, 78% signed, all blocked, all signed with fake certificates).</strong></p></blockquote>
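As an added example that is not part of Andy Ful's post or of WHHLight, the PowerShell triage below reproduces the post's measurement over a folder of quarantined samples: for each EXE it reports whether Mark of the Web (the Zone.Identifier stream) is present and whether the Authenticode signature chains to a trusted root, then totals signed files, trusted chains and distinct signing certificates. The sample folder path is an assumption; the optional -AddMotW switch stamps Zone.Identifier so SmartScreen and WDAC ISG evaluate the file as a download, which is the manual step the post describes.

```powershell
# Added example, not code from the post or from WHHLight.
# Inspects quarantined samples on an isolated analysis VM; never executes them.
param(
    [string]$SampleDir = 'C:\Samples',   # assumption: folder holding the quarantined EXE samples
    [switch]$AddMotW                      # stamp MotW so SmartScreen/ISG treat the files as downloaded
)

function Get-SampleTriage {
    param([string]$Path, [switch]$StampMotW)
    foreach ($f in Get-ChildItem -Path $Path -Filter *.exe -File) {
        if ($StampMotW) {
            # ZoneId=3 (Internet) is what a browser writes for a downloaded file.
            Set-Content -Path $f.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        }
        # MotW lives in the Zone.Identifier alternate data stream.
        $hasMotW = $null -ne (Get-Item -Path $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
        $signed = $null -ne $sig.SignerCertificate
        [pscustomobject]@{
            File      = $f.Name
            MotW      = $hasMotW
            Signed    = $signed
            # 'Valid' means the chain builds to a trusted root. A signed file with
            # NotTrusted/UnknownError/HashMismatch carries a certificate that no
            # SmartScreen reputation can attach to (the "fake certificates" case).
            SigStatus = $sig.Status
            Signer    = if ($signed) { $sig.SignerCertificate.Subject }    else { '' }
            Thumb     = if ($signed) { $sig.SignerCertificate.Thumbprint } else { '' }
        }
    }
}

$rows = @(Get-SampleTriage -Path $SampleDir -StampMotW:$AddMotW)
$rows | Format-Table -AutoSize

# Summary in the same terms the post uses: share signed, how many chain to a
# trusted root, and whether every sample used its own certificate.
$total     = $rows.Count
$signed    = @($rows | Where-Object Signed).Count
$trusted   = @($rows | Where-Object { $_.SigStatus -eq 'Valid' }).Count
$uniqCerts = @($rows | Where-Object Signed | Select-Object -ExpandProperty Thumb -Unique).Count
"{0} samples, {1} signed ({2:P0}), {3} with a trusted chain, {4} distinct signing certificates" -f `
    $total, $signed, ($signed / [math]::Max($total, 1)), $trusted, $uniqCerts
```

A signed-but-untrusted result on a sample that SmartScreen blocked is the expected outcome for the certificates the post describes; a 'Valid' status on a confirmed malicious sample is the reputable-certificate case the post's conclusion warns about and deserves separate follow-up.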