0xDEADBEEF (posted January 6, 2019):

SHA256: 1f15a3e297b9017c40276ad1c32d606c8beebbf432227b47360f3674bfb60127

Already 30/70 detected on VT, but it still passes through all of ESET's defense layers.
itman (posted January 6, 2019, edited):

Appears this is BlackRouter ransomware. Originally it was being distributed via an RDP tool: https://gbhackers.com/blackrouter-ransomware-attack/ . This leads me to believe that a legit app is dropped on the device. However, its installer is hacked and runs the ransomware .exe, i.e. blackrouter.exe. Trend Micro has a more detailed analysis here: https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/ . Of note is that ESET does detect this variant. So this must be a new variant that is bypassing ESET DNA signatures. More justification for this assumption: Trend is also not detecting the new variant.
novice (posted January 6, 2019, edited):

Quoting itman: "So this must be a new variant that is bypassing Eset DNA signatures."

ESET is supposed to have an "Anti-ransomware shield". If ESET's ransomware detection is still based on "signatures" (DNA or not), well, that may explain the mediocre result in AV-Comparatives and the frequency of posts like this: "Ransomware not detected by ESET but 30/70 detection in VirusTotal". Even Microsoft detected it, with its basic engine.... https://www.virustotal.com/#/file/1f15a3e297b9017c40276ad1c32d606c8beebbf432227b47360f3674bfb60127/detection
itman (posted January 7, 2019):

This is one clever ransomware. Appears the attacker created his initial files as hidden desktop items, then executed them from a .NET program using something like this:

    Process.Start(@"C:\Users\xxxxx\Desktop\Translator.exe.lnk");

Execution could also be done via the shell.
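A hunt for the launch pattern itman describes (hidden .lnk files on a user's desktop whose target is a dropped binary), as an added example that is not code from the thread or from ESET. It assumes user profiles live under C:\Users (the default layout) and that the caller has rights to read other users' desktops; the hypothetical function name Get-HiddenDesktopShortcut and the flagged extensions and paths are the example's own choices.

```powershell
# Added example, not from the original post: enumerate hidden .lnk files on every
# user desktop and resolve where they point, without launching any of them.
# Assumption: profiles live under C:\Users and the caller can read them.

function Get-HiddenDesktopShortcut {
    param([string]$ProfileRoot = 'C:\Users')

    # WScript.Shell only parses the .lnk; CreateShortcut does not execute the target.
    $shell = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Desktop' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            # -Force is what makes Hidden/System items visible to Get-ChildItem;
            # without it the shortcuts in question are silently skipped.
            Get-ChildItem -LiteralPath $_ -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [PSCustomObject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Created   = $_.CreationTime
                # Explorer never displays the .lnk extension, so "Translator.exe.lnk"
                # is shown as "Translator.exe"; flag that double-extension trick.
                DoubleExt = $_.Name -match '\.(exe|dll|scr|bat|cmd|ps1|vbs|js)\.lnk$'
                # A payload dropped into a user-writable location is the usual case
                # (paths to flag are an assumption of this example).
                UserWritableTarget = $lnk.TargetPath -match '\\(Users|ProgramData|Temp)\\'
            }
        }
}

Get-HiddenDesktopShortcut | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every profile's Desktop is readable. A hit where DoubleExt or UserWritableTarget is True is worth pulling the target binary from and checking its hash, which is exactly the kind of artifact that would have surfaced the blackrouter.exe drop described above before it ran.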
novice (posted January 7, 2019, edited):

Quoting itman: "This is one clever ransomware."

OK, clever, but how come it was detected by Microsoft, which is considered a below-basic antivirus, and not detected by ESET with its HIPS, behavior blocker built into HIPS, anti-ransomware shield, "DNA signatures", LiveGrid.... Now somebody is going to provide a sophisticated "explanation" about why this happened (it is always not ESET's fault, there is an explanation for that), and the thread is going to be closed for further comments. And tomorrow is another day, like nothing happened!
aranud87 (ESET Insider, posted January 7, 2019):

Quoting novice: "OK, clever, but how come it was detected by Microsoft, which is considered a below-basic antivirus, and not detected by ESET with its HIPS, behavior blocker built into HIPS, anti-ransomware shield, "DNA signatures", LiveGrid...."

Hi, sorry for my bad English! From the VT FAQ (https://www.virustotal.com/faq/#antivirus-file-scans):

"A given antivirus in VirusTotal detects a file and its equivalent commercial version does not. VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product."

We can imagine that ESET on VT doesn't have LiveGrid or PUA or HIPS... just basic signature detection? I don't know...
novice (posted January 7, 2019):

Quoting aranud87: "VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions."

This would be a valid explanation if some other big players had also missed the ransomware, but after rechecking, it is only ESET and Vipre. So no, I do not believe it; it is ESET-related and nothing else.
Reza Shamsudin (posted January 7, 2019):

Yes, we too like the explanation from the ESET IT specialist.
Marcos (Administrator, posted January 7, 2019):

Quoting Reza Shamsudin: "Yes, we too like the explanation from the ESET IT specialist."

It's detected, just re-scan it. There's nothing like 100% malware protection; the file was first seen yesterday on fewer than 10 machines worldwide. Having said that, we'll draw this topic to a close.