
Here's One Eset Is Not Detecting By Sig


itman


SHA-256   855d3c8e7685b1854e573543b8bab893ddd3519a482dd6a39b5c2b1b0b6a0ac4

Malicious Powershell execution embedded in a .chm file.

Further ref. here: https://www.bleepingcomputer.com/news/security/malicious-chm-files-being-used-to-install-brazilian-banking-trojans/

Edited by itman

10 hours ago, persian-boy said:

thanks for the share,
That's why I need to use Hips.

How exactly do you use HIPS for this detection?


If you tweak the Hips and don't let it allow every operation for a process, then it will alert for almost everything.
Also, you can use it in policy mode and set rules for PowerShell. There are more ways.

Edited by persian-boy

A number of ways:

1. Monitor all startup activity of hh.exe in System32/SysWOW32 directory.

2. Monitor all startup activity of hh.exe from MS Office executables.

3. Monitor powershell.exe startup activity as @persian-boy mentioned.

Note that this is only marginally effective, since an attacker could run Powershell ver. 2.0 if it is installed on Win 7+ OS versions. An attacker can also download and run ver. 2.0 if it isn't installed. An attacker could download Powershell to memory and run it from there. An attacker could run Powershell remotely. And finally, an attacker could run Powershell assemblies via a .Net program and/or a C/C++ program.

-EDIT- See my below posting.

Edited by itman

1 hour ago, persian-boy said:

If you tweak the Hips and don't let it allow every operation for a process, then it will alert for almost everything.
Also, you can use it in policy mode and set rules for PowerShell. There are more ways.

That I understand, but how do you figure out whether a HIPS alert is malicious or not?


As clever as this attack was, it still used javascript to run Powershell as noted in the bleepingcomputer.com article:

Quote

The malicious CHM's HTML below will attach an object to a button that when clicked will launch the PowerShell command. It then adds a small javascript call to automatically click that button when the html is viewed in the Microsoft HTML Help program. 

This is necessary since you can't directly run an executable from a .chm file.

If you employed Eset's recommended Endpoint HIPS anti-ransomware rules given here: https://support.eset.com/kb6119/?viewlocale=en_US , you would have received a HIPS alert when Powershell attempted to execute via the javascript execution. I personally monitor the execution of all Win script engines (CScript, Wscript, and Powershell) using a custom HIPS rule.

As far as this particular attack goes, in deciding whether the Powershell alert was legit activity: there is no reason why any executable, let alone Powershell, should be running from a .chm file via hh.exe.

Edited by itman
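The process-startup rules itman lists above (hh.exe from a system directory, hh.exe launched by Office, script-engine startup, and the "nothing should run from a .chm via hh.exe" verdict) can be expressed as checks over process-creation telemetry. The following is an added example, not code from this thread or from ESET's HIPS; it evaluates constructed Sysmon-style records (Image, ParentImage fields) offline, and the rule names and sample paths are the author's own assumptions.

```python
"""Process-creation rules mirroring the HIPS ideas in this thread (added example).

Not ESET's rule syntax; evaluates constructed Sysmon Event ID 1 style records offline.
"""
from pathlib import PureWindowsPath

SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def evaluate(event):
    """Return the names of the rules an event triggers (empty list = no alert)."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    hits = []
    # Rule 1: the HTML Help viewer starting from a Windows system directory.
    if image == "hh.exe" and _parent_dir(event["Image"]) in SYSTEM_DIRS:
        hits.append("hh.exe started from system directory")
    # Rule 2: HTML Help launched by an Office application (e.g. a .chm attachment).
    if image == "hh.exe" and parent in OFFICE_APPS:
        hits.append("hh.exe started by Office")
    # Rule 3: any Windows script engine start (what the custom HIPS rule alerts on).
    if image in SCRIPT_ENGINES:
        hits.append("script engine started")
    # Rule 4: a script engine whose parent is hh.exe. Per the thread, nothing should
    # ever execute from a .chm file, so this is the alert worth escalating.
    if image in SCRIPT_ENGINES and parent == "hh.exe":
        hits.append("script engine spawned by hh.exe (.chm execution)")
    return hits


# Constructed sample events (not real telemetry), using Sysmon field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\hh.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\hh.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_name(ev["Image"]), "<-", _name(ev["ParentImage"]), "=>", evaluate(ev) or "no alert")
```

The third sample (PowerShell started from Explorer) shows the noise problem raised in the thread: rule 3 alone fires on routine admin use, so the parent-process context in rule 4 is what separates the .chm case from legitimate activity.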
