
SOREBRECT "fileless" Ransomware


Out of curiosity, does ESET protect against SOREBRECT and other fileless code-injection threats by default? Or is there some separate HIPS rule I'd have to set up in order to ensure that our org is protected against these sorts of threats?

Thanks,

 

Jdashn


Note the below excerpt. Suggest you read the full article also.

For starters, unless you're a corp. user, you shouldn't have PsExec installed. If you're a non-technical home user and PsExec is installed in the C:\Windows\System32 directory, you should remove it.

By default, Win home users have RDP disabled. And if enabled, it's not the fuller, more powerful version installed on the Pro and Enterprise versions of Windows.

Finally, PsExec requires admin privileges to run. So if you use a standard user account, it can't run. If you run as a limited admin, you should set UAC to the maximum level. This will force a UAC alert even if PsExec tries to run in hidden mode.

SOREBRECT’s attack chain involves the abuse of PsExec, a legitimate, Windows command-line utility that lets system administrators execute commands or run executable files on remote systems. The misuse of PsExec to install SOREBRECT indicates that administrator credentials have already been compromised, or remote machines were exposed or brute-forced. SOREBRECT isn’t the first family to misuse PsExec—SAMSAM, Petya, and its derivative, PetrWrap (RANSOM_SAMSAM and RANSOM_PETYA, respectively), for instance, use PsExec to install the ransomware on compromised servers or endpoints.

Ref: https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/
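The excerpt above points out that SOREBRECT's spread depends on PsExec, which means one of the few observable artefacts a defender gets before encryption starts is the service PsExec installs on the target. PsExec runs remote commands by installing a service named PSEXESVC (image PSEXESVC.exe under the Windows directory), and Windows records every new service in the System log as Event ID 7045. The following is an added example, not code from the thread or from ESET: a small Python detector run over a few constructed log records (not real captures) that flags 7045 events whose service name or image path points at PSEXESVC. The record layout (`key=value` pairs after a timestamp) is an assumption made for this example; a real deployment would read the event fields from the log export it actually has.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"), one record per line. These lines
# were written for this example and are not real log data.
SAMPLE_EVENTS = """\
2017-06-20T10:05:11 EventID=7045 Host=FILESRV01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
2017-06-20T10:05:12 EventID=7045 Host=FILESRV01 ServiceName=WinDefend ImagePath="C:\\Program Files\\Windows Defender\\MsMpEng.exe" Account=LocalSystem
2017-06-20T10:07:30 EventID=7036 Host=FILESRV01 ServiceName=PSEXESVC State=running
2017-06-20T10:09:02 EventID=7045 Host=WS-042 ServiceName=helper ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one record into a dict of fields plus its leading timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in KV_RE.findall(rest)}
    fields["Timestamp"] = timestamp
    return fields


def is_psexec_service_install(event):
    """True for a service-install event (7045) that looks like PsExec's service.

    Both the service name and the image path are checked, because the
    installed service name is operator-configurable (PsExec's -r switch)
    while the binary it drops keeps its PSEXESVC name.
    """
    if event.get("EventID") != "7045":
        return False
    name = event.get("ServiceName", "").lower()
    image = event.get("ImagePath", "").lower()
    return name == "psexesvc" or "psexesvc" in image


def find_psexec_service_installs(log_text):
    """Return the parsed events that should raise an alert, in log order."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [event for event in events if is_psexec_service_install(event)]


if __name__ == "__main__":
    for hit in find_psexec_service_installs(SAMPLE_EVENTS):
        print(f'{hit["Timestamp"]} {hit["Host"]}: service {hit["ServiceName"]} '
              f'installed from {hit["ImagePath"]}')
```

On the constructed records this flags the install on FILESRV01 and the renamed install on WS-042, and ignores the Defender service and the later 7036 state-change event. In an environment where administrators use PsExec legitimately, as the thread's original poster describes, the alert is a prompt to correlate with who authenticated and from where (the excerpt's "credentials already compromised, or remote machines exposed or brute-forced" condition), not a verdict on its own.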


itman, definitely a corporate user. SOREBRECT uses PsExec to spread; we've got that covered as an org, as well as some pretty strict rules and prohibitions on admin access for all but a few, along with a few other items that stop this particular threat in a few other spots in its attack cycle... but people fail, and unfortunately the regulations on my industry do not allow for failure. Multiple layers!

Thanks for the link. I've read that article, and a few others as well.

This write-up (especially the Technical Details) is particularly helpful:

https://www.symantec.com/security_response/writeup.jsp?docid=2017-061913-4515-99&tabid=2

My question was specifically whether ESET can detect and protect against this kind of threat (or even this threat specifically, if a few of our other procedures and systems fail). Does ESET not detect the malicious code injection into a trusted process (where it injects its code into svchost.exe, then encrypts files, deletes logs, adds registry keys, etc.)? Even a dictionary/hash-based detection?

Thanks!

 

Jdashn


Sorry to bump; I'm being pressured to find an answer to this.

Am I asking in the wrong area? Should this be a support ticket?

Thanks a ton!!

 

Jdashn

 


On 6/20/2017 at 10:05 AM, jdashn said:

My question was specifically whether ESET can detect and protect against this kind of threat (or even this threat specifically, if a few of our other procedures and systems fail). Does ESET not detect the malicious code injection into a trusted process (where it injects its code into svchost.exe, then encrypts files, deletes logs, adds registry keys, etc.)? Even a dictionary/hash-based detection?

My own testing has shown the Eset HIPS is very effective against memory-based reflective .dll injection that many other security products can't detect. This includes process hollowing type activity. That said, the HIPS by default does not monitor system processes like svchost.exe; you have to create manual rules. Alternatively, you can set the HIPS to training mode. After the training period expires, you can switch to interactive mode, which will generate an alert for any process activity for which a HIPS rule was not created during the training period.

Eset's primary detection is via reputation scanning, then sandboxing and examining the suspect process via heuristics. Eset on Win 10, through use of its ELAM driver, loads as a protected kernel mode process. This allows the Eset kernel to monitor other protected processes, something only a few other security solutions can do.

Finally, Eset does have advanced memory scanning capability, a post-execution mitigation, to detect suspicious memory-based activity after a process has begun execution. Eset has not published a detailed technical analysis on how AMS works, but it appears its primary purpose is exploit mitigation. Eset lab test scores for exploit mitigation have been consistently excellent. Additionally, Eset has scored in the top tier for ransomware detection on all recent AV Labs tests for same.


itman, and whoever may be curious: it appears that ESET does already detect this threat as Filecoder.AESNI.B, according to the support ticket raised.

Makes sense, as they're using the same encoder; just odd that the detection would work for both the ones identified in May and the new ones in June. Honestly, just glad I can provide an actual answer to those who've asked me.

 

Jdashn

 


3 hours ago, jdashn said:

itman, and whoever may be curious: it appears that ESET does already detect this threat as Filecoder.AESNI.B, according to the support ticket raised.

Makes sense, as they're using the same encoder; just odd that the detection would work for both the ones identified in May and the new ones in June.

Eset uses YARA-like generic signatures: https://virustotal.github.io/yara/ They refer to them as "DNA signatures." Such signatures are extremely effective in detecting variants of a given malware. The signatures are also very effective in detecting polymorphic ransomware that changes its hash value on each download to try to bypass conventional signature detection.
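To make concrete why a generic signature catches both the May and June builds while a hash list would not, here is an added example (not code from the thread, from ESET, or from the YARA project) in Python. It builds two constructed byte strings standing in for two builds of one family, which share an invariant marker but differ in a few bytes, plus a benign file. A hash-based check knows only the first build; a YARA-style hex pattern with `??` wildcards over the bytes that vary between builds matches both. The byte strings and the marker are made up for this example and have nothing to do with real SOREBRECT or Filecoder.AESNI.B content.

```python
import hashlib
import re

# Constructed "samples" (toy byte strings, not real malware). Both variants
# carry the same invariant marker but differ in the bytes around it, so their
# hashes differ, as with a family that rebuilds or repacks each release.
VARIANT_MAY = (b"MZ\x90\x00" + b"\x01\x02\x03" + b"ENCRYPT:" + b"\xaa\xbb"
               + b":AESNI" + b"pad-0001")
VARIANT_JUNE = (b"MZ\x90\x00" + b"\x09\x08\x07" + b"ENCRYPT:" + b"\xcc\xdd"
                + b":AESNI" + b"pad-9999")
BENIGN = b"MZ\x90\x00" + b"hello world, nothing to see here"

# Hash-based detection: one SHA-256 per sample that has already been seen.
KNOWN_HASHES = {hashlib.sha256(VARIANT_MAY).hexdigest()}


def hash_detect(sample):
    """True only if this exact file has been seen before."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


# Generic signature in YARA hex-string notation: fixed bytes plus "??"
# wildcards for the two bytes that change between builds.
# Decodes to: "ENCRYPT:" ?? ?? ":AESNI"
GENERIC_SIG = "45 4E 43 52 59 50 54 3A ?? ?? 3A 41 45 53 4E 49"


def compile_hex_signature(sig):
    """Translate a hex string with '??' wildcards into a bytes regex."""
    parts = []
    for token in sig.split():
        if token == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' matches 0x0A too


def signature_detect(sample, sig=GENERIC_SIG):
    """True if the family's invariant byte pattern occurs anywhere in the sample."""
    return compile_hex_signature(sig).search(sample) is not None


def compare_detections(samples):
    """Run both detectors over a {name: bytes} dict; returns {name: (hash_hit, sig_hit)}."""
    return {name: (hash_detect(data), signature_detect(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    results = compare_detections({"may": VARIANT_MAY, "june": VARIANT_JUNE,
                                  "benign": BENIGN})
    for name, (by_hash, by_sig) in results.items():
        print(f"{name:7s} hash-match={by_hash!s:5s} signature-match={by_sig}")
```

The wildcard positions are the whole point: the signature author commits only to bytes the family cannot change without changing its behaviour, so a fresh build with a new hash still hits. The flip side is that a pattern this short risks false positives on unrelated files, which is why real DNA-style signatures tie together several such fragments and why the thread's earlier point about layered controls still applies.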
