Marcos (Administrator), posted November 21, 2019

Nightowl (Most Valued Member), posted November 24, 2019

On 11/21/2019 at 10:18 AM, Marcos said:

This is interesting, to be honest. I wonder what the message behind this is. Is it stupid because they can bypass easily? Or is it stupid because they can't bypass easily? Or are they simply sending challenge messages to malware analyzers?

Marcos (Administrator, thread author), posted November 24, 2019

They wouldn't bother sending messages to lame analysts who would not be able to find the message at all. Obviously it's because our detection and protection is hard or impossible to bypass.

Nightowl (Most Valued Member), posted November 24, 2019 (edited November 24, 2019 by Rami)

9 minutes ago, Marcos said:
They wouldn't bother sending messages to lame analysts who would not be able to find the message at all. Obviously it's because our detection and protection is hard or impossible to bypass.

This is great, but at the same time it will add more of a challenge to ESET, because they might try their best to break the defense/protection.

itman, posted November 24, 2019

The malware code comment can be interpreted two ways. The first is as commented upon in this thread: that is, the malware author has issues with bypassing Eset's protections. The second interpretation is the opposite: the malware author has no issues bypassing Eset. Without clarification from the malware author, it is impossible to determine what he meant by the code comment.

BALTAGY (ESET Insider), posted November 24, 2019

@Marcos please check this one, since I can't download it to send it via ESET: https://www.virustotal.com/gui/file/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0/detection

itman, posted November 24, 2019 (edited November 24, 2019 by itman)

1 hour ago, BALTAGY said:
@Marcos please check this one, since I can't download it to send it via ESET: https://www.virustotal.com/gui/file/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0/detection

Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100

Interesting that Eset doesn't detect it.

BALTAGY (ESET Insider), posted November 24, 2019

13 minutes ago, itman said:
Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100
Interesting that Eset doesn't detect it.

Yeah, sadly I can't download it to see if it will run while ESET is installed.

itman, posted November 24, 2019

2 minutes ago, BALTAGY said:
Yeah, sadly I can't download it to see if it will run while ESET is installed.

It's definitely ransomware.

BALTAGY (ESET Insider), posted November 24, 2019

6 minutes ago, itman said:
It's definitely ransomware.

Yes, it's WannaCash: https://twitter.com/thyrex2002/status/1198543193266106368

itman, posted November 24, 2019

Note that to drop an .exe to C:\ in Win 10, you need full admin privileges. So either a UAC bypass was deployed or the user is tricked into manually elevating.
Nightowl (Most Valued Member), posted November 25, 2019

13 hours ago, itman said:
Note that to drop an .exe to C:\ in Win 10, you need full admin privileges. So either a UAC bypass was deployed or the user is tricked into manually elevating.

What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scenes? Could that be used for the ransomware?

itman, posted November 25, 2019

4 hours ago, Rami said:
What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scenes? Could that be used for the ransomware?

Actually these use a Windows "living off the land" trusted executable to perform hidden privilege escalation. This ransomware variant to date has been delivered via an e-mail archived attachment, so macro use is a definite possibility. As far as I am concerned, anyone who has not by now permanently disabled Office macros deserves to get nailed by malware.
Hpoonis, posted November 25, 2019 (edited November 25, 2019 by Hpoonis)

I gave up running MS Office, primarily because of 'Click-to-Run'. It just rubbed me up the wrong way, but I have never enabled macros. The small things... Outlook no longer marks emails as read if they are selected after a time. That option has been removed. I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc. and not also .odf.

Nightowl (Most Valued Member), posted November 26, 2019

23 hours ago, Hpoonis said:
I gave up running MS Office, primarily because of 'Click-to-Run'. It just rubbed me up the wrong way, but I have never enabled macros. The small things... Outlook no longer marks emails as read if they are selected after a time. That option has been removed. I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc. and not also .odf.

I also stick with LibreOffice, but the trouble is when you have someone who only wants Microsoft Office. I have also disabled macros in Office, so it is a little bit safer.