LiveGuard Not Blocking Script Downloads

7 minutes ago, AnthonyQ said:

LiveGuard just removed this IcedID sample with a very low VT detection rate. Considering it took more than 5 mins to display a result, I believed this sample has been examined by the behavior analyzer.

ESSP LiveGuard is performing Eset cloud analysis.

However, it is not performing LiveGuard Advanced analysis: https://support.eset.com/en/kb6682-sandboxing-technology-in-eset-liveguard-advanced . Namely, execution sandbox analysis performed on MS Azure servers.

ESSP LiveGuard is performing LiveGrid cloud analysis only. Refer to this article: https://support.eset.com/en/kb6681-comparison-of-eset-liveguard-advanced-eset-threat-intelligence-and-eset-livegrid . Note the 'Technology used for analysis' section; namely what LiveGrid uses.

Posted (edited)

I guess it is time to discuss what Eset needs to do to allow ESSP LiveGuard to effectively scan scripts.

The obvious solution is to enable full LiveGuard Advanced capability for ESSP. That is not going to happen folks. If for no reason other than no one thereafter will purchase Eset Protect or Endpoint and the annual subscription to use LiveGuard Advanced.

That leaves Eset needing to provide a locally based isolated sandbox to monitor script execution. Logging capability would be built into the sandbox to capture system modification activities.

The first thing ESSP would do is monitor script execution in the local sandbox using existing Eset local detection methods. If suspicious activities were detected, this would trigger an upload to the LiveGrid cloud of the script execution instance log after script execution completed. The LiveGrid cloud would then apply YARA behavior rule analysis against the log to determine if actual malicious or highly suspicious activities have manifested.

Hint - think along the lines of Farbar Recovery Scan Tool (FRST) in sandbox cloud analysis: https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ . The log from it has already flagged suspicious/malicious system modifications.

Edited by itman

6 hours ago, AnthonyQ said:

LiveGuard just removed this IcedID sample with a very low VT detection rate. Considering it took more than 5 mins to display a result, I believed this sample has been examined by the behavior analyzer.

Maybe LiveGuard needs to improve its detection of script malware.

It really needs to improve a lot.

Posted (edited)

I found a real "hum dinger" of a .doc 0-day malware sample yesterday morning. Upon extraction from the .zip download, no submission to LiveGuard: https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection/f-4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784-1653823257 . Note that I have Eset configured to submit document files.

More detail in this Twitter posting: https://twitter.com/nao_sec/status/1530196847679401984 . It turns out this malware is exploiting a known and previously reported MS Word vulnerability that Microsoft stated wasn't a security issue. This bugger is also "blowing through" most EDR software. You can read about all the ugly details of this one here: https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

I just checked VT today and Eset plus a lot of other AVs are now detecting this particular malware instance.

Edited by itman

  • Administrators

This is ok since only documents with active content are submitted to LiveGuard. The mentioned document doesn't contain any macro, there's only a malicious link in word/_rels/document.xml.rels. The website was blocked earlier today and is down already (doesn't resolve at all).

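Added example (not part of any post in this thread, and not ESET code): a defender-side check for the case described above, where a macro-free document carries only an external link in `word/_rels/document.xml.rels`. It lists every relationship marked `TargetMode="External"` in an OOXML package and flags the non-hyperlink ones for review. The function names, the sample URLs and the rule that only `hyperlink` relationships are benign are assumptions made for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumption: clickable hyperlinks are normal; any other external target deserves review.
BENIGN_EXTERNAL = {"hyperlink"}


def external_relationships(docx_bytes):
    """Return (part, rel_type, target, suspicious) for each external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal parts (styles, fonts, ...) are not of interest
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((name, rel_type, rel.get("Target", ""),
                                 rel_type not in BENIGN_EXTERNAL))
    return findings


def build_sample():
    """Constructed test package: one ordinary hyperlink, one external OLE object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
        'Target="https://remote.example.invalid/page.html" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document xmlns:w='urn:x'/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target, suspicious in external_relationships(build_sample()):
        print("REVIEW" if suspicious else "ok    ", part, rel_type, target)
```
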

Posted (edited)
4 hours ago, Marcos said:

The website was blocked earlier today and is down already (doesn't resolve at all).

Assuming the below excerpt from the Proofpoint article is correct:

Quote

Detection is probably not going to be great, as Word loads the malicious code from a remote template (webserver), so nothing in the Word document is actually malicious.

Eset recommended anti-ransomware HIPS rules applying to MS Office executables should block this by detecting any child process activity from winword.exe except if a .rtf file based exploit was dropped.

-EDIT-

However, if the document was delivered in RTF format, just accessing it could get you infected:

Quote

In a separate analysis today, researchers at cybersecurity services company Huntress analyzed the exploit and provide more technical details on how it works.

They found that the HTML document setting things in motion came from “xmlformats[.]com,” a domain that is no longer loading.

Huntress confirmed Beaumont’s finding that an RTF document would deliver the payload without any interaction from the user (apart from selecting it), for what is commonly known as “zero-click exploitation.”

Follina payload executed just by selecting the malicious RTF document, source: Huntress

https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/

Edited by itman

After more testing, I find that many JS script samples were unable to be automatically blocked and analyzed by LiveGuard. For example, this one (https://www.virustotal.com/gui/file/a608783f22317e2964b8adb03345a9ac995979f73c9dfc0d0d5d6a090af9da03), now detected as JS/TrojanDropper.Agent.OOM.

---------------------

Another three typical malicious samples bypassed LiveGuard:

1. https://www.virustotal.com/gui/file/29170db2866b123a1dd16867b991bd098acdebe9a452d33c70825133b6b7f035 - backdoor, LiveGuard said it's safe, submitted via email and no detection is added for now.

2. https://www.virustotal.com/gui/file/7027e7c8ac1db327ff484f153b56767121d306264332418047b1c3bcb78613d3 - backdoor, LiveGuard said it's safe, now detected as Win32/Farfli.BPZ.

3. https://www.virustotal.com/gui/file/fd045d6533863dd5063b1d9fdead33834cd0af646f13845db2c3f4d9e50962ee - coinminer, LiveGuard said it's safe, now detected as MSIL/CoinMiner.BSO

Posted (edited)

A few more comments about this Word 0-day exploit.

OSArmor blocks it under its basic protection mitigations: https://malwaretips.com/threads/new-ms-office-zero-day-evades-defender.114090/#post-990757 . The important point to note is what is the parent process of msdt.exe; a legit Win binary. That parent process is sihost.exe; i.e. Shell Infrastructure Host, which hasn't been publicly disclosed.

Also someone at malwaretips.com confirmed that PowerShell Constrained Language mode would have blocked the PowerShell code from running.

Edited by itman

Posted (edited)

Looks like things are improving on script detection, but a bit too early to state LiveGuard is finally properly scanning scripts.

Found a .hta malware sample. VT showed Eset not detecting it by sig: https://www.virustotal.com/gui/file/8c328025a7ad98e842dca1207bbccd31ae65cf3c5728d56d2c8685c5a97919bc/detection/f-8c328025a7ad98e842dca1207bbccd31ae65cf3c5728d56d2c8685c5a97919bc-1654007533 .

Upon extraction from .zip file, LiveGuard detected and submitted it:

Time;Hash;File;Size;Category;Reason;Sent to;User
5/31/2022 10:58:57 AM;9F127CFEF0C5D79974ADD716AC2493C3DB123D95;C:\Users\xxxxx\Downloads\8c328025a7ad98e842dca1207bbccd31ae65cf3c5728d56d2c8685c5a97919bc.hta;103862;Script;Automatic;ESET LiveGuard;xxxxxxxx

Within 5 - 10 seconds, LiveGuard returned a malicious verdict; a first for me:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/31/2022 10:59:03 AM;ESET LiveGuard;file;C:\Users\xxxxx\Downloads\8c328025a7ad98e842dca1207bbccd31ae65cf3c5728d56d2c8685c5a97919bc.hta;ESET LiveGuard;deleted;;;9F127CFEF0C5D79974ADD716AC2493C3DB123D95;5/31/2022 10:58:47 AM

Now a couple of inconsistencies here. Notice that the detection log entry creation time is 10 secs. less than the submission creation time log entry. Appears to me that this was an Eset local blacklist detection and LiveGuard/LiveGrid cloud blacklist scan confirmation of it. However, LiveGrid cloud blacklist detection returns a "Suspicious" detection reason which is not present in the Detection log entry?

Edited by itman

Looks like the above .hta file detection by LiveGuard was an "anomaly."

Here's a .vbs script LiveGuard returned a safe verdict for: https://www.virustotal.com/gui/file/9e08313c58463a1fdce8ebd5adc5be6e95b826a6a85e867a635c1bd33eeee689?nocache=1 .

As such, nothing has changed as far as LiveGuard being able to detect common script malware.

This topic is now closed to further replies.