0xDEADBEEF

Ransomware Undetected


SHA256: 1f15a3e297b9017c40276ad1c32d606c8beebbf432227b47360f3674bfb60127

Already detected by 30/70 engines on VT, but it still passes through all of ESET's defense layers.
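As a defender, the first thing to do with a hash like the one posted above is to check whether that exact sample is present on a machine or in a quarantine share. The script below is an added example written for this thread, not code from the forum, from ESET or from any of the posters. The only real value it carries is the SHA256 quoted in the post; the directory, file names and file contents are constructed stand-ins, and the "constructed test IoC" entry exists only so the demo produces a hit without shipping real malware. Note the limit the rest of the thread is about: a hash match confirms this one build and nothing else, and an empty result says nothing about a repacked variant.

```python
"""
IoC hash matching over a directory of samples (added example, not from the thread).

Only KNOWN_BAD_SHA256 comes from the forum post; everything in demo() is constructed.
"""
import hashlib
import os
import tempfile

# SHA256 reported in the forum post (the only page-derived value in this file).
KNOWN_BAD_SHA256 = {
    "1f15a3e297b9017c40276ad1c32d606c8beebbf432227b47360f3674bfb60127":
        "BlackRouter ransomware sample discussed in the thread",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_hashes):
    """Walk `root`; return {path: description} for every file whose SHA256 is an IoC.

    Unreadable files are skipped rather than reported clean: a locked or
    permission-denied file is exactly the kind of thing a hunt should not
    silently treat as benign, so callers should log the count separately.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hexdigest = sha256_file(path)
            except OSError:
                continue
            if hexdigest in ioc_hashes:
                hits[path] = ioc_hashes[hexdigest]
    return hits


def demo():
    """Constructed demo: one benign file, one stand-in 'sample', one known-answer file."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        # Name borrowed from the shortcut mentioned later in the thread; content is constructed.
        suspect = os.path.join(root, "Translator.exe")
        known = os.path.join(root, "abc.bin")  # NIST known-answer input for SHA256("abc")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign text file\n")
        with open(suspect, "wb") as fh:
            fh.write(b"constructed stand-in, NOT the real sample\n")
        with open(known, "wb") as fh:
            fh.write(b"abc")

        # Extend the real IoC list with the hash of the constructed stand-in so the
        # demo shows a hit. In practice this dict is loaded from a feed, never hand-typed.
        iocs = dict(KNOWN_BAD_SHA256)
        iocs[sha256_file(suspect)] = "constructed test IoC"

        hits = scan_directory(root, iocs)
        return {
            "hit_names": sorted(os.path.basename(p) for p in hits),
            "hit_labels": sorted(hits.values()),
            "abc_digest": sha256_file(known),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the constructed hit; in a real hunt, point `scan_directory` at a quarantine folder and feed it the hash list from your threat-intel source.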


Appears this is BlackRouter ransomware.

Originally it was being distributed via an RDP tool: https://gbhackers.com/blackrouter-ransomware-attack/ . This leads me to believe that a legit app is dropped on the device. However, its installer is hacked and runs the ransomware .exe, i.e. blackrouter.exe. TrendMicro has a more detailed analysis here: https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/ . Of note, Eset does detect this variant. So this must be a new variant that is bypassing Eset DNA signatures. More justification for this assumption: Trend is also not detecting the new variant.

Edited by itman

6 hours ago, itman said:

So this must be a new variant that is bypassing Eset DNA signatures

ESET is supposed to have an "Anti-ransomware shield"

If ESET's ransomware detection is still based on "signatures" (DNA or not), well, that may explain the mediocre result in AV-Comparatives and the frequency of posts like this: "Ransomware not detected by ESET but 30/70 detection in VirusTotal".

Even Microsoft detected it, with its basic engine....

https://www.virustotal.com/#/file/1f15a3e297b9017c40276ad1c32d606c8beebbf432227b47360f3674bfb60127/detection

Edited by novice

This is one clever ransomware.

Appears the attacker created his initial files as hidden desktop items. Then executed them from a .Net program using something like this:

Process.Start(@"C:\Users\xxxxx\Desktop\Translator.exe.lnk");

Execution could also be done via the shell.

19 minutes ago, itman said:

This is one clever ransomware.

OK, clever, but how come it was detected by Microsoft, which is considered a below-basic antivirus, and not detected by ESET with its HIPS, behavior blocker built into HIPS, anti-ransomware shield, "DNA signatures", LiveGrid....

Now, somebody is going to provide a sophisticated "explanation" about why this happened (it's never ESET's fault, there is always an explanation for that) and the thread is going to be closed for further comments.

And tomorrow is another day, like nothing happened!

Edited by novice

23 minutes ago, novice said:

OK, clever, but how come it was detected by Microsoft, which is considered a below-basic antivirus, and not detected by ESET with its HIPS, behavior blocker built into HIPS, anti-ransomware shield, "DNA signatures", LiveGrid....

Now, somebody is going to provide a sophisticated "explanation" about why this happened (it's never ESET's fault, there is always an explanation for that) and the thread is going to be closed for further comments.

And tomorrow is another day, like nothing happened!

Hi,

Sorry for my bad English!

On VT, https://www.virustotal.com/faq/#antivirus-file-scans :

A given antivirus in VirusTotal detects a file and its equivalent commercial version does not

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

We can imagine that ESET on VT hasn't got LiveGrid, PUA detection or HIPS... just basic signature detection? I don't know...

6 minutes ago, aranud87 said:

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions.

This would be a valid explanation if some other big players had also missed the ransomware, but, after rechecking, it is only ESET and Vipre.

So no, I do not believe it; it is ESET-related and nothing else.

5 minutes ago, Reza Shamsudin said:

Yes, we too like the explanation from Eset IT Specialist. 

It's detected, just re-scan it. There's nothing like 100% malware protection; the file was first seen yesterday on less than 10 machines worldwide.

Having said that, we'll draw this topic to a close.

This topic is now closed to further replies.