Jump to content

A message from malware writers to ESET found in Emotet

Marcos

By Marcos,
in Malware Finding and Cleaning

 Share Followers 1

Recommended Posts

  • Most Valued Members
Nightowl

Nightowl 104

Posted
  • Most Valued Members
Posted
On 11/21/2019 at 10:18 AM, Marcos said:

 

This is interesting to be honest, wondering what is the message behind this.

Is it stupid because they can bypass easily?

Or is it stupid because they can't bypass easily?

Or they simply sending challenge messages to Malware Analyzers

Link to post
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 104

Posted
  • Most Valued Members
Posted (edited)
9 minutes ago, Marcos said:

They wouldn't bother sending messages to lame analysts who would not be able to find the message at all :) Obviously it's because our detection and protection is hard or impossible to bypass.

This is great , but in the same time it will add more challenge to ESET , because they might try their best to break the defense/protection.

Edited by Rami
Link to post
Share on other sites
itman

itman 961

Posted
Posted

The malware code comment can be interpreted two ways.

The first is as commented upon in this thread. That is the malware author has issues with bypassing Eset's protections. The second interpretation is the opposite. The malware author has no issues bypassing Eset.

Without clarification from the malware author, it is impossible to determine what he meant by the code comment.

Link to post
Share on other sites
itman

itman 961

Posted
Posted (edited)
1 hour ago, BALTAGY said:

@Marcos pls check this one, since i can't download it to send it via ESET
https://www.virustotal.com/gui/file/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0/detection

Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100

Interesting that Eset doesn't detect it.

Edited by itman
Link to post
Share on other sites
  • ESET Insiders
BALTAGY

BALTAGY 29

Posted
  • ESET Insiders
Posted
13 minutes ago, itman said:

Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100

Interesting that Eset doesn't detect it.

Ya, sadly i can't download it to see if it will run while ESET installed

Link to post
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 104

Posted
  • Most Valued Members
Posted
13 hours ago, itman said:

Note that to drop an .exe to C:\ in Win 10, you need full admin privileges.

So either a UAC bypass was deployed or user is tricked into manually elevating.

What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scene? , could that be used for the ransomware?

Link to post
Share on other sites
itman

itman 961

Posted
Posted
4 hours ago, Rami said:

What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scene? , could that be used for the ransomware?

Actually these use a Windows "living of the land" trusted executable to perform hidden privilege escalation.

This ransomware variant to date has been delivered via e-mail archived attachment. So macro use is a definite possibility. As far as I am concerned, anyone that has not by now permanently disabled Office macros deserves to get nailed by malware.

Link to post
Share on other sites
Hpoonis

Hpoonis 7

Posted
Posted (edited)

I gave up running MSOffice, primarily because of 'clicktorun'. It just rubbed me up the wrong way but have never enabled macros.

The small things...Outlook no longer marks emails as read if they are selected after a time.  That option has been removed.

I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc and not also .odf.

Edited by Hpoonis
Link to post
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 104

Posted
  • Most Valued Members
Posted
23 hours ago, Hpoonis said:

I gave up running MSOffice, primarily because of 'clicktorun'. It just rubbed me up the wrong way but have never enabled macros.

The small things...Outlook no longer marks emails as read if they are selected after a time.  That option has been removed.

I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc and not also .odf.

I stick also with LibreOffice but the trouble is that when you have someone that only wants Microsoft Office , I have also disabled Macros in Office , so it would be a little bit more safer.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Followers 1
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...