WHHLight - simplified application control for Windows Home and Pro.
<blockquote data-quote="Andy Ful" data-source="post: 1078093" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">WHHLight vs. Python-based Snake Info Stealer</span></strong></p><p>[URL unfurl="false"]https://malwaretips.com/threads/new-python-based-snake-info-stealer-spreading-through-facebook-messages.129411/post-1078071[/URL]</p><p>[URL unfurl="false"]https://www.cybereason.com/blog/unboxing-snake-python-infostealer-lurking-through-messaging-service[/URL]</p><p></p><p><strong><span style="color: rgb(184, 49, 47)">Attack Flow (1):</span></strong></p><p><strong>Facebook message ----> archive downloaded (RAR/ZIP) ----> user opens archive and executes the content (BAT/CMD/VBS script) ----> script uses LOLBins (CURL/PowerShell) to download/install/execute secondary payloads or (and) Python-based malware</strong></p><p></p><p>Such attacks cannot be a challenge for WHHLight, because they use Windows scripts that are blocked by the default SWH settings.</p><p>Even without blocking scripts, the attack can be prevented by FirewallHardening (outbound connections of CURL/PowerShell would be blocked).</p><p></p><p><strong><span style="color: rgb(184, 49, 47)">Attack Flow (2):</span></strong></p><p><strong>Facebook message ----> archive downloaded (RAR/ZIP) ----> user opens archive and executes the content (malicious MSI loader) ----></strong></p><p><strong>the loader downloads/installs/executes secondary payloads or (and) Python-based malware</strong></p><p></p><p>If the user tries to execute the archive content without unpacking, the default SWH settings will block the execution of the MSI loader.</p><p>If the archive is first unpacked by the Windows built-in unpacker and then the MSI loader is executed, the file can be blocked by SmartScreen.</p><p>If the user unpacks the archive by using a 3rd-party unpacker that skips MotW, then the attack can be prevented when using <strong><span style="color: rgb(0, 168, 133)">RunBySmartscreen</span></strong> or 
activating <span style="color: rgb(0, 168, 133)"><strong>WDAC</strong></span> in WHHLight.</p><p></p><p>The second attack could be a challenge for WHHLight only in some targeted attacks when the attacker would use a highly reputable certificate. In such a case the protection can be applied via the AV, and WHHLight restrictions can mitigate the later stages of the attack if Windows scripts or advanced PowerShell CmdLines are used.</p></blockquote><p></p>
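The post above points out that a third-party unpacker which drops the Mark of the Web (MotW) takes SmartScreen out of the picture for an extracted MSI loader. As an added example (not from Andy Ful's post and not part of the WHHLight tools), the PowerShell function below reports, for every file under a folder, whether the NTFS `Zone.Identifier` alternate data stream that carries MotW is present and which ZoneId it holds, so a defender can verify that the archive tool in use preserves MotW after extraction. The folder path in the usage line is a placeholder.

```powershell
# Added example (not part of Andy Ful's post or the WHHLight tools):
# report which extracted files carry the Mark of the Web (Zone.Identifier ADS).
# SmartScreen only inspects files that still have this stream, so a missing
# stream on an .msi/.bat/.vbs file is a sign the unpacker stripped MotW.
function Get-MotwReport {
    param(
        [Parameter(Mandatory)] [string] $Path   # folder the archive was unpacked into (placeholder)
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file   = $_
        $zoneId = $null
        try {
            # Zone.Identifier is an NTFS alternate data stream; reading it fails when absent.
            $stream = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $stream) {
                if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
            }
        } catch {
            # No stream: the unpacker (or a non-NTFS volume) dropped MotW.
        }
        [pscustomobject]@{
            File      = $file.FullName
            Extension = $file.Extension
            HasMotw   = ($null -ne $zoneId)
            ZoneId    = $zoneId   # 3 = Internet zone, 4 = Restricted sites; these trigger SmartScreen
            Risky     = $file.Extension -in '.msi', '.exe', '.bat', '.cmd', '.vbs', '.js', '.ps1'
        }
    }
}

# Usage: list risky file types that arrived without MotW (SmartScreen will not inspect them).
Get-MotwReport -Path 'C:\Users\Public\Downloads\unpacked' |
    Where-Object { $_.Risky -and -not $_.HasMotw } |
    Format-Table File, Extension, ZoneId -AutoSize
```

Run this against a folder produced by the unpacker you actually use; if the archive itself had ZoneId=3 but the listed risky files come back with `HasMotw` false, that unpacker is the case the post describes, and the RunBySmartscreen or WDAC settings mentioned above are what cover that gap.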