Jump to content

Script, Undetected by ESET loading from startup folder [culprit found]

Tzatz

By Tzatz
in Malware Finding and Cleaning

 Share

Recommended Posts

Tzatz

Tzatz 0

Posted
Posted (edited)

Eset never detected this virus embedded in Minitool... a malicious script is dropped by a compromised Minitool Partition Wizard. Files attached.

I created a custom hips to detect files dropped into the \roamiming\ws folder, hoping one day I would find the culprit, it payed off:

1054338832_MiniToolPartitionWizardResponsible.png.e87b1bed96bf8341ccb58435d862faff.png

Continued:  from:

MiniTool Partition Wizard 12.zip

Edited by Tzatz
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Yes, a bit of disappointment since there was a lengthily posting back in July in the forum on this Win "living off the land" binary abuse. 

Since you didn't post all Hybrid-Analysis details on this specific attack, here they are:

Eset_Virus.thumb.png.685b7b541d3454f0d51fb8f6e44ebc0a.png

https://www.hybrid-analysis.com/sample/e0f8a75737f932454aa9a325d35a7abc837fd05c23b5a5d1360d6ba1a6fb6479/60fbc6767746783ee4496bf6

BTW - OSArmor will protect against this specific Win LOL binary abuse since it specifically monitors for CertUtil execution with a command string attached. Ditto for all other known Win LOL binary abuse attack methods.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Another clever element of this attack is the malware is bundled the Minitool Partition Wizard .exe installer. It is not unusual for installers to create files in the %Temp% and/or %AppData% directories and execute them. As such if one was monitoring these directories for process startup activities via Eset HIPS rules, it could be assumed any such created processes would be allowed to run.

Also, Eset HIPS recommended anti-ransomware rules would have not prevented the renamed wscript.exe; i.e. ws.exe, from running from the %Temp% directory. This again highlights that the Eset HIPS should be monitoring .exe PE header name and provide global wildcard capability; e.g. *\wscript.exe, to block startup from any directory location.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

A few more comments.

I went to the MiniTool Partition Wizard vendor's web site and downloaded the free version. The download was named pw1205-demo.exe. Next, the download was signed with a Sertigo code signed certificate.

However, the file listed on VirusTotal is named, PartitionWizard.exe, and it is unsigned.

Obviously, the malicious version of this software is not a legit version of MiniTool Partition Wizard.

Edited by itman
Link to comment
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 202

Posted
  • Most Valued Members
Posted
On 11/10/2021 at 6:23 PM, itman said:

BTW - OSArmor will protect against this specific Win LOL binary abuse since it specifically monitors for CertUtil execution with a command string attached. Ditto for all other known Win LOL binary abuse attack methods.

Does that work like AppArmor in Linux?

And have you tested it with ESET?

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
2 hours ago, Nightowl said:

Does that work like AppArmor in Linux?

And have you tested it with ESET?

Refer to this for what the software does: https://www.osarmor.com/ .

Also, there are threads for software use and support on both wilderssecurity.com and malwaretips.com where it is quite popular.

And yes, I run OSArmor concurrently with EIS with no conflicts. I do exclude Eset files and processes from OSArmor. But no exclusions for it in Eset.

Link to comment
Share on other sites
  • ESET Insiders
NewbyUser

NewbyUser 72

Posted
  • ESET Insiders
Posted
On 11/10/2021 at 10:23 AM, itman said:

Yes, a bit of disappointment since there was a lengthily posting back in July in the forum on this Win "living off the land" binary abuse. 

Since you didn't post all Hybrid-Analysis details on this specific attack, here they are:

Eset_Virus.thumb.png.685b7b541d3454f0d51fb8f6e44ebc0a.png

https://www.hybrid-analysis.com/sample/e0f8a75737f932454aa9a325d35a7abc837fd05c23b5a5d1360d6ba1a6fb6479/60fbc6767746783ee4496bf6

BTW - OSArmor will protect against this specific Win LOL binary abuse since it specifically monitors for CertUtil execution with a command string attached. Ditto for all other known Win LOL binary abuse attack methods.

Interesting article on the issue of LOLs.

https://www.darkreading.com/threat-intelligence/open-source-project-aims-to-detect-living-off-the-land-attacks

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)
11 hours ago, NewbyUser said:

Interesting article on the issue of LOLs.

https://www.darkreading.com/threat-intelligence/open-source-project-aims-to-detect-living-off-the-land-attacks

Appears this tool is designed to be used in final verdict rendering by a human after a suspicious detection has been received from the AV solution:

Quote

Adobe's tool is best-suited for working with security log data, but it can work on any source of flat log data that follow the same patterns, such as authentication logs, Web server logs, and access logs, Adobe stated.

https://www.darkreading.com/threat-intelligence/adobe-open-sources-tool-for-anomaly-research

This is applicable to EDTD where suspicious verdicts are returned to the originating source. Such is not the case for LiveGuard.

BTW - Microsoft is also starting to use like ML analysis: https://www.darkreading.com/analytics/microsoft-uses-machine-learning-to-predict-attackers-next-steps/d/d-id/1340642 . Again, this appears to be to inform an installation that they are being attacked so they can implement defensive measures against it.

Edited by itman
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...