mayowa, Posted March 5, 2020

Dear All,

A customer file server was infiltrated: files on local drive E were hidden and folders were replicated into different directories. When we used ESET to perform an on-demand scan we were unable to stop the folder replication, but the client said that other AVs like Malwarebytes and Windows Defender were able to detect the AutoIt malware before we quarantined it with ESET. We need a root cause analysis, as demanded by the customer, plus guidance on how to stop the recurring infiltration and a guide for future reference.

Please see the retrieved log (ASANKO_GOLD_LOG 28.02.2020) in the ESET FTP support folder.

Anticipating your kind response.

Regards
peteyt (Most Valued Member), Posted March 5, 2020

3 hours ago, mayowa said:
"Dear All, A customer file server was infiltrated: files on local drive E were hidden and folders were replicated into different directories. When we used ESET to perform an on-demand scan we were unable to stop the folder replication, but the client said that other AVs like Malwarebytes and Windows Defender were able to detect the AutoIt malware before we quarantined it with ESET. We need a root cause analysis, as demanded by the customer, plus guidance on how to stop the recurring infiltration and a guide for future reference. Please see the retrieved log (ASANKO_GOLD_LOG 28.02.2020) in the ESET FTP support folder. Anticipating your kind response. Regards"

While possibly unrelated, someone else was posting about auto.it the other day, although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled?
mayowa (Author), Posted March 5, 2020

26 minutes ago, peteyt said:
"While possibly unrelated, someone else was posting about auto.it the other day, although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled?"

Hello Peteyt,

PUA detection was enabled on the File Security product and the ESET maximum security policy is fully applied to the endpoints, but we are still faced with the issues listed above.
itman, Posted March 5, 2020 (edited)

I believe Eset's PUA detection of AutoIt only applies to attempted installations of it.

AutoIt is an interpreted language similar to Python. Unlike Python, the AutoIt interpreter is quite compact and is usually bundled in an .exe along with the malicious AutoIt script:

Quote:
"What is a 'Compiled' AutoIT Executable? A compiled AutoIT executable basically consists of two parts: a standalone AutoIT interpreter and the compiled script bytecode present as a resource in the PE file. The creators of AutoIT have taken some measures against easy decompilation and applied a form of compression and encryption on the bytecode. The decompression of the bytecode is performed by the compiled AutoIT binary before it is interpreted and executed."
https://unit42.paloaltonetworks.com/autoit-compiled-malware/

My guess is Eset's detection of a malicious AutoIt .exe would be the same as that for any other .exe; primarily by signature. I suspect Windows Defender was able to detect this using its block-at-first-sight processing, which submits any unknown process to its Azure cloud scanners, which perform sandbox analysis of the process.

Additional AutoIt malware references:
https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-used-to-spread-malware-and-toolsets/
https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/

Edited March 5, 2020 by itman
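The structure itman's quote describes (a stock AutoIt interpreter PE with the compiled script stored as a resource) is something an incident responder can check for directly while triaging a file server, without waiting on an AV verdict. The script below is an added example, not code from ESET, itman, or the quoted Unit 42 article. It looks for the byte marker that compiled AutoIt v3 binaries place in front of the embedded script blob (the 16-byte signature followed by "AU3!" and a version token such as "EA06"); those values are taken from public AutoIt decompiler and YARA material and are treated here as an assumption to confirm against a known-good compiled sample. A hit means "this is a compiled AutoIt executable", which is a triage indicator and not a malware verdict: as Marcos notes further down the thread, legitimate AutoIt tooling has exactly the same layout, which is also why generic AutoIt detections are prone to false positives. The sample buffers at the bottom are constructed for the demonstration and are not real malware.

```python
"""
Triage scanner for compiled AutoIt v3 executables.
Added example (not ESET's, itman's or Unit 42's code). Flags PE files that
carry the compiled-script marker; a hit is an indicator to review, not a
malware verdict, because legitimate AutoIt builds look identical.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

# Assumption: 16-byte signature that precedes the embedded script blob in
# compiled AutoIt v3 binaries, followed by the "AU3!" tag and a version token
# ("EA06" for AutoIt 3.2.6+, "EA05" for older builds). Taken from public
# decompiler/YARA material; verify against a known-good sample before use.
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_TAG = b"AU3!"
AU3_VERSIONS = (b"EA06", b"EA05")


@dataclass
class TriageResult:
    path: str
    sha256: str                        # hash to submit to the vendor / sandbox
    is_pe: bool                        # starts with the MZ header
    autoit_marker_offset: Optional[int]
    autoit_version: Optional[str]

    @property
    def is_compiled_autoit(self) -> bool:
        # Only a PE carrying the marker counts; a .au3 text file that happens
        # to contain the bytes is not a compiled binary.
        return self.is_pe and self.autoit_marker_offset is not None


def analyse_bytes(path: str, data: bytes) -> TriageResult:
    """Inspect one file's contents. Pure function so it can be unit tested."""
    sha = hashlib.sha256(data).hexdigest()
    is_pe = data[:2] == b"MZ"
    offset = data.find(AU3_MAGIC)
    version = None
    if offset != -1:
        tag_pos = offset + len(AU3_MAGIC)
        if data[tag_pos:tag_pos + len(AU3_TAG)] == AU3_TAG:
            ver = data[tag_pos + len(AU3_TAG):tag_pos + len(AU3_TAG) + 4]
            version = ver.decode("ascii") if ver in AU3_VERSIONS else "unknown"
    return TriageResult(path, sha, is_pe,
                        offset if offset != -1 else None, version)


def scan_tree(root: str) -> List[TriageResult]:
    """Walk a directory (e.g. the infected E: share) and return hits only."""
    hits: List[TriageResult] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file; move on
            result = analyse_bytes(full, data)
            if result.is_compiled_autoit:
                hits.append(result)
    return hits


# Constructed samples, not real files: a minimal PE-like buffer with the
# marker embedded, a PE without it, and a plain-text AutoIt script.
SAMPLE_COMPILED = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
                   + AU3_MAGIC + AU3_TAG + b"EA06" + b"\x00" * 32)
SAMPLE_PLAIN_PE = b"MZ" + b"\x00" * 300
SAMPLE_SCRIPT_TEXT = b"MsgBox(0, 'hi', 'source, not compiled')\r\n"

if __name__ == "__main__":
    samples = [("worm.exe", SAMPLE_COMPILED),
               ("tool.exe", SAMPLE_PLAIN_PE),
               ("test.au3", SAMPLE_SCRIPT_TEXT)]
    for name, blob in samples:
        r = analyse_bytes(name, blob)
        print(f"{r.path}: compiled_autoit={r.is_compiled_autoit} "
              f"version={r.autoit_version} sha256={r.sha256[:16]}...")
```

Run `scan_tree(r"E:\")` on the affected server to list every compiled AutoIt binary with its SHA-256; the hashes are what to hand to the vendor for analysis, and any hit that is not a known administrative tool is a candidate for the "folder replication" dropper described in the original post.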
Marcos (Administrator), Posted March 5, 2020

The executable is a legitimate AutoIt, i.e. not subject to detection. I replied to your email a couple of hours ago.
itman, Posted March 5, 2020

54 minutes ago, Marcos said:
"The executable is a legitimate AutoIt, i.e. not subject to detection."

Forgot to mention that both WD and MBAM are prone to false positives.
TheDeeGee, Posted March 26, 2020

On 3/5/2020 at 12:26 PM, peteyt said:
"While possibly unrelated, someone else was posting about auto.it the other day, although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled?"

I only ended up excluding the files, not the entire PUA. So any future threats from AutoIt are still being detected.