SeriousHoax

I'm 100% certain that this @adulwahabis a fake account aka bot that was created just to post a positive comment on this thread. It has to be either from ESET or Intel. The ChatGPT like writing style, the picture and the fact that it was the first and only post from that account so far is a clear giveaway. If you do an image search, you'll find this image on a random Indian website. It's also not hard (for me at least) to guess this person's religion just by looking at the photo which doesn't match with the name. Really poor and unnecessary marketing attempt. Regarding my Intel TDT experience, "I'm an AMD user".

Hi @Marcos! Wondering what this particular malicious script does? Does it redirect to malvertisements or something else?

This is a very good find 👍

Watch the G-Data analyst video again where he showed an example. Besides, BD can detect it by their behavior blocker, so it doesn't matter anyway. Everyone makes hash detection for samples now and then. It's necessary sometimes. ESET also did for a few of the samples mentioned in this thread. Anyway, it's not important what other products are doing. The issue is that ESET is not detecting the samples by real-time protection which should be addressed by them.

The file can be extracted with 7zip with ASAR plugin installed. So it's nothing special.

Yes I'm sure. In this case, changing the hash of this original exe doesn't alter the unpacked content. It works just fine. The data collected from Chrome can be seen on temp. I also tested the changed hash sample with Bitdefender GravityZone EDR product and with the help of EDR sensor, the cloud console shows the whole process chain including files that was accessed by the malware like cookie and logindata inside Chrome's profile folder. So the sample works just as usual. Just ESET is not detecting it even after having signatures probably due to real-time protection ignoring ASAR files.

I only changed the hash of the main 63 MB sample, didn't change the javascript. The file would've been detected via a scan/if it was uploaded to LiveGuard. I used an app to change the hash, zipped it, dragged and dropped into the ESET VM, extracted it and ran it. So it wasn't downloaded and maybe that's why it wasn't sent to LiveGuard. But then again, we also have to remember about Nod32 and EIS users, since they don't have LiveGuard. Most of ESET's home users probably use EIS. BTW, it's a bit confusing for which file ESET has added detection. I mean, I extracted the contents of the ASAR file and nothing from that was detected by ESET even on scan. But if I scan the ASAR file itself, then it's detected by ESET. So if detection was added for the ASAR file itself then it seems ESET's real time protection doesn't scan ASAR file which is not surprising since it's a zip like archive format. So I think this is the main reason why ESET is not detecting it on execution. Bitdefender added detection for the ASAR files themselves also after my submission of a few samples, but they can detect the ASAR file by its real-time protection when the malware unpack itself in the temp folder, which indicates that they scan ASAR files on creation or on access. Bitdefender can also detect by its behavior blocker, but not all variants. I also did more experiments. For another variant, I sent BD one encrypted js file inside the ASAR file only, not the full sample. They added detection and later when tested, their real-time protection could even detect the js file, inside the ASAR file after running the sample. I was really surprised by this. So they not only detect the ASAR file, but also unpack it and scan its contents in real-time. It seems they scan a lot by their real-time protection. They could already detect this hash changed sample by behavior blocker but detecting the js file resulted in an early detection. I still think overall ESET's real-time protection scans more file formats than any other AVs I've used and tested, it's just that it doesn't scan ASAR files since it's an archive format. Maybe ESET should also start scanning ASAR files on creation? Or maybe Deep Behavioral Inspection should be made more useful? I'm not so sure about that. I'm just highlighting an issue that ESET should work on to come up with a workable solution.

I checked this malware again. It's auto blocked by LiveGuard due to being analyzed before. So I changed the hash of the exe and ran it and there was no reaction from ESET. So, nothing has been done yet to tackle the issue of detecting this/similar malware. If you say, LiveGuard would detect it if it was uploaded I would argue that LiveGuard is not available in products like Nod32 and EIS. Also, if the malware authors increases the size of these samples above 64 MB, they won't be sent to LiveGuard anyway. Original sample: https://www.virustotal.com/gui/file/d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb/detection

Not even post-execution detection for this malware. I mean if you directly run that script then it will detect it but that's not what's happening here. The method of using this javascript by the malware, whether by process injection or some other ways, is bypassing all ESET's protection layers. These malwares are very successful at bypassing AV products. So I think they'll just keep coming.

Yeah, this one is very similar. Electron based malware hiding malicious scripts in ASAR files has been around since 2021 at least. For ESET, the issue is that it's not detecting them after running, even after creating signatures for the main file. It has to be addressed.

Interesting find. But this one is probably not loading in GPU/VRAM. The malware comes bundled up with Electron framework and loads a fake game Window to deceive the user into thinking they have run a game. Probably the gpu process, renderer related activities are related to the fake game screen which is being loaded using Electron.

This one is different from the ones I shared. My shared ones can steal data, cookies from any installed Chromium browsers like Edge, Chrome, Opera, Brave, Vivaldi and also from apps like Discord, Steam and some more apps if installed. There are a variety of stealers. Each one learns from and steal malicious techniques from the other one, improve them and then sell it. So some techniques might be similar but not the whole thing. There are multiple groups on Telegram. Some even have publicly accessible website for selling their malware. I checked those a few weeks ago. The sites were blacklisted by Bitdefender only.

Thanks. But according to the G-Data analyst Karsten Hahn also, these javascripts are where the main malicious code remains. The code is encrypted and when decrypted, it can be easily seen what it does. Check the video if you haven't checked yet. So ESET's signature is correct in that case. Now how these malwares use the code in context is a thing I don't know about. The javascript file itself never touches the disk I think. It's in the ASAR file and remains there it seems. Something happens in memory or whatever method the malware use is something I don't have the expertise to understand. The ESET team must do something about it. Current signature based method to detect these is incomplete.

Yeah, they are now detected indeed. Thanks for helping in sending to the malware analysts. But just now I tested again and turns out, if I run the samples then they can still "Steal" the data anyway. There was no reaction from ESET. It's only detected if I scan the file instead of running it. So, the flaw of ESET not detecting these via real-time protection remains. Sooner or later after execution real-time protection needs to catch it. Can you test on your end? If you can reproduce, then report the issue to the responsible team.

Redline stealers are well known and already covered by most vendors. But the stealers I shared are very different. Those are Electron based and the main malicious component hides in a place where many junior analysts may not look as shown in the analysis video. That would be ideal, but the victims of these attacks are not security aware people, so it's fair to say that they won't do this. It's a legit gaming site for indie games. Some malicious actors are using it to spread malware. ESET or any AV won't blacklist the site, I think. The people maintaining the site should be more responsible. Their security procedure is clearly very weak.

ESET added detections for the samples in my main post, but these two in my quoted comment are not detected. Maybe the added detections are very basic file based detection which is simply not enough. No deeper analysis was done by an ESET malware analyst. I posted it during the weekends, so I hope in the next couple of days during weekdays, these samples will be properly analyzed and ESET will be able to find a way to stop all similar stealer samples like Kaspersky. Along with the two above, here's one more. No detection from ESET after running, and not detected by LiveGuard either. It's basically the same as some others but just with a different hash. BTW, I can actually see the data it's stealing (Browser cookies, passwords, autofill, credit card info). So these are working perfectly fine in a VM. No VM evasion techniques were used by them. ESET also need to blacklist the malware C2C connections. https://www.virustotal.com/gui/file/67f86d940e8e8eb73c09c9b37bef9248ed7e0ee0ec317fc118678ad44f69a63e/detection

It's not just UDS. They have multiple signatures for this, including PDM detections, which are post execution behavior based. I tried changing hash which eliminates the UDS detections, but they are still detected after running. Their Big Data Analysis system which can co-relate similar file hashes and behavior automatically is doing a good job against this malware at the moment. https://opentip.kaspersky.com/d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb/results?tab=lookup

Yeah, everyone has issues with these stealers. Only Kaspersky's automation and behavior analysis seems to have found a way to detect these well enough. Here's two more similar ones: https://www.virustotal.com/gui/file/d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb/detection https://www.virustotal.com/gui/file/55a53bc3effd29452d1582cee94f4541123b3c34a3d69cfc0a7db93570b884d8/detection A user from the malwaretips forum are finding these on the game platform https://itch.io/ A friend of mine also found a few stealer campaigns on telegram. They are constantly updating their samples to bypass detections. ESET researchers probably should check out the campaign of uploading samples pretending to be games on the itch.io platform. I'm tagging Mr. @Aryeh Goretsky just in case since he's part of ESET's R&D team.

The main exe sample file just under 64 MB. LiveGuard can upload it. It's 150 MB only after unpacking which he needed to do for his analysis.

Yeah it's Quasar. ESET detected a PowerShell code via its AMSI and Command Line Scanner at one point. I have saved screenshots for that. But I don't understand how come LiveGuard couldn't detect it? It should be detected by their Sandbox. Couple of the stealers didn't employ any sandbox evasion tactics. It's a bit different type of stealers. New variants by different groups keep coming regularly. It was discussed in the Malwaretips forum. G-Data analysts Karten Hahn even made video about it after the forum discussion and his analysis. You can check that out here: https://youtu.be/kGwa9poV8OU At the moment only Kaspersky is doing a decent job at detecting these stealers by their behavior blocker.

Here are some stealer samples not detected by ESET yet. The size of these samples are too big to be sent to ESET mail as attachments. LiveGuard considered these safe. I sent VT links of two of these samples to ESET more than once but my submissions were ignored as usual, so I'm sharing here: https://www.virustotal.com/gui/file/fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4/detection https://www.virustotal.com/gui/file/962c6df0b8ca065bd5df52e06c744c7795867aaacf856798e78cf27fecf3ea9d/detection https://www.virustotal.com/gui/file/812c1bc73253ea51ba829be98d7c1af22c52fe8308014eca7d0dd6940dd3608c/detection https://www.virustotal.com/gui/file/e5d1b8d1d38678d6333804c98802a2d7bc4917ab1a07aa85868e6e2e9284ddd6/detection This one is a Backdoor. ESET detect after execution at a later stage via AMSI and Command Line Scanner. But for some reason, LiveGuard marks it safe. A signature would be better: https://www.virustotal.com/gui/file/99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc/detection This file is used by a couple of these samples. Kaspersky and Bitdefender detect these as PUP. Maybe ESET should consider creating a PUP/PUA detection for it as well. https://www.virustotal.com/gui/file/53314136803bee54998b66527ced96f94ab72873b2f1f6d9ed1d4756953e5200/detection

It's normal as it's a script to disable Defender. It's detected by many AV products similar to Defender Control.

Disabling Microsoft Defender is not necessary. But one can also use Defender Control to do it. Has to disable Real-time and Tamper Protection first. So should be done before installing a third-party AV. https://www.sordum.org/9480/defender-control-v2-1/ Another option can be is to use this script following the instruction: https://github.com/TairikuOokami/Windows/blob/main/Microsoft Defender Disable.bat

At what location does ESET Online Scanner installs? I don't know that. Can you install that and run a scan?

Yeah, I checked those too last night and they are indeed present in VT. Maybe one wasn't? I forgot. But the two MD5 they shared on their site are not present in VT. WoW that's a big claim. I don't know about it being a scam. But why would they show ESET's detection? About sample not being in VT is not uncommon. Specially if the vendors also sell threat intelligence service. For example, ESET have not always shared their researched samples on VT but it's understandable. ESET is also a well-known and respected company while I don't know much about Uptycs. But releasing scam research where everyone but one didn't detect wouldn't go unnoticed in other vendors eyes. So, I can't comment on that.