Jump to content

Here's One Eset Is Not Detecting By Sig


itman
 Share

Recommended Posts

SHA-256   855d3c8e7685b1854e573543b8bab893ddd3519a482dd6a39b5c2b1b0b6a0ac4

Malicious Powershell execution imbedded in a .chm file.

Further ref. here: https://www.bleepingcomputer.com/news/security/malicious-chm-files-being-used-to-install-brazilian-banking-trojans/

Edited by itman
Link to comment
Share on other sites

10 hours ago, persian-boy said:

thanks for the share,
That's why I need to use Hips.

How exactly do you use HIPS for this detection?

Link to comment
Share on other sites

If you tweak the Hips and don't let it allow every operation for a process then it will alert for almost everything.
Also, you can use it in policy mode and set rules for PowerShell? there are more ways.

Edited by persian-boy
Link to comment
Share on other sites

A  number of ways:

1. Monitor all startup activity of hh.exe in System32/SysWOW32 directory.

2.  Monitor all startup activity of hh.exe from MS Office executables.

3. Monitor powershell.exe startup activity as @persian-boy mentioned.

Note that this is only marginally effective since attacker could run Powershell ver. 2.0 if it is installed on Win 7+ OS versions. Attacker can also download and run ver. 2.0 if it isn't installed. Attacker could download to and run Powershell from memory. Attacker could run Powershell remotely. And finally, attacker could run Powershell assemblies via a .Net program and/or C/C++ program. 

-EDIT- See my below posting.

Edited by itman
Link to comment
Share on other sites

1 hour ago, persian-boy said:

If you tweak the Hips and don't let it allow every operation for a process then it will alert for almost everything.
Also, you can use it in policy mode and set rules for PowerShell? there are more ways.

That I understand, but how do you figure out that  a HIPS alert is malicious or not?

Link to comment
Share on other sites

As clever as this attack was, it still used javascript to run Powershell as noted in the bleepingcomputer.com article:

Quote

The malicious CHM's HTML below will attach an object to a button that when clicked will launch the PowerShell command. It then adds a small javascript call to automatically click that button when the html is viewed in the Microsoft HTML Help program. 

This is necessary since you can't directly run an executable from a .chm file.

If you employed Eset's recommended Endpoint HIPS anti-ransomware rules given here: https://support.eset.com/kb6119/?viewlocale=en_US , you would have received a HIPS alert when Powershell attempted to execute via the javascript execution. I personally monitor the execution of all Win script engines; CScript, Wscript, and Powershell using a custom HIPS rule.

As far as this particular attack goes in deciding if the Powershell alert was legit activity, there is no reason why any executable let alone Powershell should be running from a .chm file via hh.exe.  

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...