Decker2124
Posts: 46
Kudos
Decker2124 gave kudos to itman in Chihuahua Stealer malware
After downloading a sample of the stealer from a malware feed, Eset detects it;
-
Decker2124 gave kudos to Marcos in So I get these alerts...
I was informed that incidents may sometimes be created without detections. You can delete them. If this happens more frequently, please raise a support ticket as it would require further investigation by ESET HQ.
-
Decker2124 gave kudos to Marcos in CO-Management
Unfortunately, co-management is currently unavailable. For more information, please read https://help.eset.com/protect_hub/customer/en-US/co-management.html
Currently, co-management is unavailable because the migration and onboarding of resellers to ESET PROTECT Hub are still in progress. The feature will become accessible once resellers have successfully migrated to ESET PROTECT Hub.
-
Decker2124 gave kudos to Mythictyrant in Akira Ransomware Help Required
Akiradecryptor.org are complete scammers. Paid them and they completely went silent. Once paid they stopped responding. Do not trust! Was really relying on them. Hopefully they respond, but once they were paid they have not said a word for 5 days. We went back and forth. They even made a move that instilled added trust. But once paid they have gone dark. Don’t use akiradecryptor.org, I guarantee you will regret it.
-
Decker2124 gave kudos to Illuzio in Akira Ransomware Help Required
We tried akiradecryptor.org. We paid them, but after payment never received any replies to our apps anymore. So seems like a scam.
-
Decker2124 gave kudos to bblair in User account files read by a suspicious process
So likely worth investigating further. Thanks for the 2nd opinion.
-
Decker2124 gave kudos to Marcos in Ransomware Remediation
It has not been 100% confirmed yet so please take the above post with a grain of salt. Internal discussions are still ongoing.
-
Decker2124 gave kudos to foxtigerjungle in Ransomware Remediation
Hi,
I saw Ransomware Remediation as a new feature on the main page. Will this feature also be available in the Ultimate version?
Greetings
-
Decker2124 gave kudos to Marcos in ESET Protect not working
The issue is being investigated. We'll keep you posted.
We apologize for the inconvenience.
-
Decker2124 received kudos from amralaa in Windows Application control state in 2025 ?
Thanks! I was hoping to control all of that from within ESET PROTECT :/ I believe some BYOD might have Win 11 not-Pro too. Managing and receiving alerts in PROTECT would make this so much more efficient.
-
Decker2124 gave kudos to Marcos in Effectiveness of Folder Guard Function in ESET Smart Security Premium
Folder Guard is supposed to protect you from actual ransomware. The ransomware does not run FAR, which you have, and probably you're using an older version which is already trusted and therefore file modification is allowed. However, this is not what FG is supposed to block. Of course, we plan to improve FG further via HIPS module updates. The upcoming HIPS module 1481 will bring further hardening to FG.
-
Decker2124 gave kudos to foxtigerjungle in ESET Home fails ransomware test
I didn't even see that. That's very interesting.
Do they want to make ESET look bad on purpose?
Bitdefender 10/15/2024
Malwarebytes 10/14/2024
Kaspersky 10/11/2024
ESET 05/29/2024
-
Decker2124 gave kudos to bentitli in Win64/CoinMiner.QS: AlructisitService cleaned but still running after reboot
Thank you for your response! I appreciate the suggestion to use the ESET log Collector. I will collect the logs from the affected machine and upload them shortly for further analysis.
In the meantime, I’ve reconfigured ESET PROTECT to apply a more aggressive scanning approach and initiated another full scan. While I wait for the results, I’ll also work on gathering the necessary logs for better diagnostics.
Could you also guide me on how to retrieve and interpret the detailed results from a full scan in ESET PROTECT? I want to ensure I don’t miss any information that might help identify residual threats.
Thank you for your assistance!
-
Decker2124 gave kudos to Marcos in Dashboard error: "Optimize your group tree structure" guide is not accessible
I've heard from a colleague that the button opens a wrong link, we are currently working on a fix.
-
Decker2124 gave kudos to j91321 in Any way to use YARA rules with Protect/Inspect ?
I can see many ways YARA rules could improve EI. 😄 One approach that we are exploring is integrating osquery into Inspect, which does support running YARA rules and has additional features that could nicely supplement current Inspect capabilities. However, it's too early to tell if it'll ever make it onto the roadmap.
I would suggest pairing Inspect with Velociraptor if you need additional DFIR capabilities. You can deploy the Velociraptor agent on-demand with Protect by using the Software Install task (Installation of third-party software).
If @itman is correct, this could still be possible through an ESET Inspect XML rule with a slightly different approach. You can use the ModuleDrop operation to monitor dropped driver files (IsNative) which are signed by "Microsoft Windows Hardware Compatibility Publisher" and have low LiveGrid Popularity. These drivers won't be very common; I checked all the drivers mentioned in the Mandiant blog post and all of them have a very low LiveGrid Popularity. I haven't tested how noisy this rule is in production, but for threat hunting purposes I believe something like this could work:
<definition>
  <operations>
    <operation type="ModuleDrop">
      <operator type="AND">
        <condition component="Module" property="IsNative" condition="is" value="true"/>
        <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows Hardware Compatibility Publisher"/>
        <condition component="LiveGrid" property="Popularity" condition="lessOrEqual" value="3"/>
      </operator>
    </operation>
  </operations>
</definition>
-
Decker2124 gave kudos to itman in Any way to use YARA rules with Protect/Inspect ?
Per the Mandiant article, attestation signed kernel mode drivers are positively identified by examining the EKU in the issuing CA cert., per the below screenshot;
My experience to date has been "Microsoft Windows Hardware Compatibility Publisher 2014" issuing CA cert. is enough to positively identify an attestation signed kernel mode driver.
-
Decker2124 gave kudos to itman in Any way to use YARA rules with Protect/Inspect ?
What the OP is interested in is using Mandiant YARA rules for detection of attestation signed drivers as noted here: https://forum.eset.com/topic/43619-malware/#findComment-194325 .
-
Decker2124 gave kudos to itman in Is threat neutralized ? Suspicious Nvidia Signed module was dropped [E0464]
The way I interpret this is steam.exe is creating an executable using previously stolen nVidia code signing certificate/s. A strong indicator that the executable is probably malicious.
I would update Steam to its latest vendor sourced version.
-
Decker2124 gave kudos to bentitli in Win64/CoinMiner.QS: AlructisitService cleaned but still running after reboot
I’m also encountering this issue right now. I’ve dealt with similar symptoms—bogus AVs, PUAs, and a persistent process hogging CPU resources. Even after running a full scan with ESET PROTECT and removing CoinMiner threats, the problematic service continues to drain resources.
I’ve tried reconfiguring ESET to run a more aggressive scan as well, but I’m still searching for a permanent fix. Have you found a reliable way to completely eliminate the "Alructisit" process and service?
-
Decker2124 gave kudos to garioch7 in Congratulations on Product of the Year 2024
I too congratulate ESET on achieving such a prestigious award. It is indicative of the expertise and dedication of the entire ESET organization.
Take a bow, everyone. Well deserved.
Though not tested or rated by AV-Comparatives, I would also like to commend, in particular, @Marcos and @itman , for the tremendous customer support they provide on the ESET Forums. No question goes unanswered. Thank you, gentlemen.
Have a great day.
Regards,
Phil
-
Decker2124 gave kudos to itman in Win64/CoinMiner.QS: AlructisitService cleaned but still running after reboot
What appears to be the source of this is AlructisitApp.exe, which is the update/network connectivity mechanism for this coinminer. The attacker, not content with mining coin anymore, decided "to up the ante" and drop some malware.
Luckily, what was dropped was malware that Eset had a sig. for resulting in Eset detecting and deleting it. However, what if this was a backdoor or malware not detected by Eset?
This event is a great example of why all modifications made by malware need to be eliminated.
-
Decker2124 gave kudos to itman in Malware
I just came across this excellent article by Mandiant I was not aware of about attestation signed malware including drivers: https://cloud.google.com/blog/topics/threat-intelligence/hunting-attestation-signed-malware . In the article, they give a YARA rule for detection of attestation signed drivers. This means that security solutions could detect these drivers if they chose to do so.
-
Decker2124 gave kudos to itman in Malware
Below is the latest version of amdi2c.sys available for Win 10 from the Win Update Catalog. Notice that this driver is indeed WHQL signed;
-
Decker2124 gave kudos to itman in Win64/CoinMiner.QS: AlructisitService cleaned but still running after reboot
I reviewed the video again and the author was looking for pinaview.exe which this coinmining malware also often deploys.
Pinaview is legit proxy software: https://pinaview.com/ that is frequently misused by attackers. As such, it is classified as a PUA by many AVs including Eset;
If deployed by this coinminer, a folder is created in C:\Users\xxxxxxx\AppData\Local\Programs and pinaview.exe created in that folder as a hidden file.
-EDIT- As shown previously, pinaview.exe can be renamed to Barousel.exe; Eset current detection at VirusTotal, or Stopabit.exe. These .exe's could also be created in C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs folder.
-
Decker2124 gave kudos to itman in Win64/CoinMiner.QS: AlructisitService cleaned but still running after reboot
My preference is to run all Eset real-time settings at Aggressive level.
Are you still receiving Eset detections after a system restart with the PUA setting enabled? If this is the case, it appears from this video (-EDIT- it appears the link I saved doesn't direct to the video anymore) that the C:\Program Files (x86)\AlructisitApplication folder has to be manually deleted in Safe mode.