WHHLight - simplified application control for Windows Home and Pro.
Quote from Andy Ful (post 1076124):

WHHLight vs. Bumblebee phishing campaign (observed in February 2024)
https://malwaretips.com/threads/bumblebee-malware-returns-with-new-tricks-targeting-u-s-businesses.129006/
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black

The targets of that campaign were businesses in the U.S. The Word documents used in the attacks spoofed the consumer electronics company Humane.

Attack flow:
phishing email with OneDrive URL ----> MS Word document with macro ----> macro creates/executes the VBScript ----> the script executes PowerShell CmdLine ----> CmdLine downloads & executes the second PowerShell CmdLine ----> Bumblebee DLL payload downloaded & executed (via RunDll LOLBin)

The WHHLight package contains the DocumentsAntiExploit tool, which is recommended for hardening MS Office and Adobe Acrobat applications. The applied settings block macros and some other features usually abused by the attackers.
But in this thread, I will show how the WHHLight SWH settings can also prevent the attack.

1. One of the SWH restrictions is blocking Windows Script Host (except whitelisted scripts), so the VBScript file created by the macro is also blocked.
2. Independently of point 1, both PowerShell CmdLines are restricted by Constrained Language Mode (the download method is blocked).

The attack can also be prevented by the FirewallHardening settings (blocked PowerShell outbound connections).
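As an added example (not from Andy Ful's post and not WHHLight's own code), the following PowerShell audit reports whether the three controls the post relies on are in effect on a host: Windows Script Host disabled, the PowerShell session running in Constrained Language Mode, and an enabled outbound firewall block rule for PowerShell. It assumes WSH is disabled through the standard "Windows Script Host\Settings\Enabled" registry value; the post does not describe how WHHLight applies its settings, so the function names and checks here are my own.

```powershell
# Added audit script (assumption: not WHHLight code). Run it in the session
# you want to assess; the CLM check reports the mode of the calling session.

function Test-WshDisabled {
    # Documented WSH kill switch: Enabled = 0 under HKLM (machine) or HKCU (user).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $val = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        if ($val -and $val.Enabled -eq 0) { return $true }
    }
    return $false
}

function Test-ConstrainedLanguage {
    # Language mode of this session, plus whether a WebClient object (a common
    # download primitive) can be created; CLM rejects non-core .NET types.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $webClientBlocked = $false
    try   { $null = New-Object System.Net.WebClient }
    catch { $webClientBlocked = $true }
    [pscustomobject]@{ LanguageMode = $mode; WebClientBlocked = $webClientBlocked }
}

function Get-PowerShellOutboundBlockRules {
    # Enabled outbound Block rules whose application filter targets
    # powershell.exe (Windows PowerShell) or pwsh.exe (PowerShell 7).
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like '*powershell.exe' -or $_.Program -like '*pwsh.exe' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Profile
}

# Summary of the three controls; a FALSE row marks a gap in the chain the post describes.
$wsh = Test-WshDisabled
$clm = Test-ConstrainedLanguage
$fw  = @(Get-PowerShellOutboundBlockRules)
[pscustomobject]@{
    WshDisabled             = $wsh
    PowerShellLanguageMode  = $clm.LanguageMode
    WebClientBlocked        = $clm.WebClientBlocked
    PowerShellOutboundBlock = ($fw.Count -gt 0)
} | Format-List
```

The firewall query needs the NetSecurity module (present on Windows 8/Server 2012 and later) and reads rule state only, so it is safe to run on a production host.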