A message from malware writers to ESET found in Emotet

On 11/21/2019 at 10:18 AM, Marcos said:

 

This is interesting to be honest; I am wondering what the message behind this is.

Is it stupid because they can bypass easily?

Or is it stupid because they can't bypass easily?

Or are they simply sending challenge messages to malware analysts?


They wouldn't bother sending messages to lame analysts who would not be able to find the message at all :) Obviously it's because our detection and protection is hard or impossible to bypass.

9 minutes ago, Marcos said:

They wouldn't bother sending messages to lame analysts who would not be able to find the message at all :) Obviously it's because our detection and protection is hard or impossible to bypass.

This is great, but at the same time it will add more of a challenge to ESET, because they might try their best to break the defense/protection.

Edited by Rami


The malware code comment can be interpreted two ways.

The first is as commented upon in this thread. That is the malware author has issues with bypassing Eset's protections. The second interpretation is the opposite. The malware author has no issues bypassing Eset.

Without clarification from the malware author, it is impossible to determine what he meant by the code comment.

1 hour ago, BALTAGY said:

Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100

Interesting that Eset doesn't detect it.

Edited by itman

13 minutes ago, itman said:

Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100

Interesting that Eset doesn't detect it.

Ya, sadly I can't download it to see if it will run while ESET is installed.

2 minutes ago, BALTAGY said:

Ya, sadly I can't download it to see if it will run while ESET is installed.

It's definitely ransomware.


Note that to drop an .exe to C:\ in Win 10, you need full admin privileges.

So either a UAC bypass was deployed or user is tricked into manually elevating.

13 hours ago, itman said:

Note that to drop an .exe to C:\ in Win 10, you need full admin privileges.

So either a UAC bypass was deployed or user is tricked into manually elevating.

What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scenes? Could that be used for the ransomware?

4 hours ago, Rami said:

What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scenes? Could that be used for the ransomware?

Actually these use a Windows "living off the land" trusted executable to perform hidden privilege escalation.

This ransomware variant to date has been delivered via e-mail archived attachment. So macro use is a definite possibility. As far as I am concerned, anyone that has not by now permanently disabled Office macros deserves to get nailed by malware.
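The macro advice in the post above, turned into something checkable: the PowerShell below is an added example, not code from the thread or from ESET. It reads the Office Trust Center policy value VBAWarnings for Word, Excel and PowerPoint (the Policies hive overrides what a user can change in the Trust Center UI) and, with -Enforce, sets macros to "disabled without notification" plus the block on macros in files marked as downloaded from the Internet. It assumes Office 2016/2019/Microsoft 365, whose registry version key is 16.0; other Office versions use a different key.

```powershell
# Added example: audit (and optionally enforce) the Office macro policy for the current user.
# Assumption: Office 2016/2019/M365 uses the "16.0" key; Office 2013 uses "15.0".
param(
    [switch]$Enforce
)

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

foreach ($app in $Apps) {
    # Values under HKCU\Software\Policies take precedence over the user's Trust Center choice.
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $current = Get-ItemProperty -Path $policyPath -Name 'VBAWarnings' -ErrorAction SilentlyContinue

    $state = if ($null -eq $current) {
        'not set by policy (user-controlled)'
    } else {
        switch ($current.VBAWarnings) {
            1 { 'ENABLE ALL macros (dangerous)' }
            2 { 'disabled with notification (user can still click Enable Content)' }
            3 { 'disabled except digitally signed macros' }
            4 { 'disabled without notification' }
            default { "unknown value $($current.VBAWarnings)" }
        }
    }
    Write-Output ("{0,-11} VBAWarnings: {1}" -f $app, $state)

    if ($Enforce) {
        if (-not (Test-Path $policyPath)) {
            New-Item -Path $policyPath -Force | Out-Null
        }
        # 4 = disable all macros without notification
        Set-ItemProperty -Path $policyPath -Name 'VBAWarnings' -Value 4 -Type DWord
        # 1 = block macros in files that carry the Mark-of-the-Web (downloaded / e-mail attachment)
        Set-ItemProperty -Path $policyPath -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        Write-Output ("{0,-11} policy enforced" -f $app)
    }
}
```

Run it without switches to see the current state; run with -Enforce to apply the hardened policy for the logged-in user. In a domain, the same values are normally pushed through Group Policy rather than set per machine, and the audit half of the script is then a quick way to confirm the GPO actually landed.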


I gave up running MSOffice, primarily because of 'clicktorun'. It just rubbed me up the wrong way, but I have never enabled macros.

The small things... Outlook no longer marks emails as read if they are selected after a time. That option has been removed.

I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc and not also .odf.

Edited by Hpoonis

23 hours ago, Hpoonis said:

I gave up running MSOffice, primarily because of 'clicktorun'. It just rubbed me up the wrong way, but I have never enabled macros.

The small things... Outlook no longer marks emails as read if they are selected after a time. That option has been removed.

I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc and not also .odf.

I also stick with LibreOffice, but the trouble is when you have someone who only wants Microsoft Office. I have also disabled macros in Office, so it is a little bit safer.
