
Why doesn't ESET have this System Watcher module?



  • Administrators
14 minutes ago, itman said:

So are you saying that all the VirusTotal detections of this supposed "corrupted" file are bogus?

I was referring just to the specific file with SHA1 EB2C417A29D2F08E37D63F3B75CDC61B42855E91, not to other files.


Here's a description of RagnarLocker ransomware: https://www.acronis.com/en-us/blog/posts/ragnar-locker/

Of note:

Quote

Uses a specially-crafted virtual machine image for its payload execution in order to evade anti-malware detection.

Further described as:

Quote

The attacker sometimes deploys a VirtualBox virtual machine (VM) with a Windows XP image to evade detection: an early use of a virtual machine image in this manner to run the ransomware encryption attack. The technique has been adopted since by the Maze family of ransomware operators.

The specially-crafted VM image is loaded to the VirtualBox VM, mapping all local drives as read/writable into the virtual machine. This allows the ransomware process running inside the VM to encrypt all files. To the host files, the encryption appears to be a trusted VirtualBox process and thus will be ignored by many security products.

Also, the ransomware is not new, dating to April 2020.

As far as this specific RagnarLocker sample, I suspect this might have been deployed:

Quote

In the past, the Java programming language was seldomly used to create malware because the Java Runtime Environment (JRE) is needed to run the code. Similarly, Java Image (JIMAGE) files have rarely been used in malware attacks. Even developers avoid working with these largely undocumented files, opting to use the popular Java Archive (JAR) files instead.

Because of this past, some cybercriminals decided to use Java to create a new strain of ransomware and compile it into a JIMAGE file. “Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats,” explained the BlackBerry and KPMG researchers who discovered the new ransomware strain. “We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we’ve encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build.”

https://chipscs.com/3-significant-developments-in-ransomware-campaigns-2/

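The quoted Acronis description above says the VM is configured so that every local drive is shared into the guest as writable, which is what lets an encryptor inside the VM reach host files. The script below is an added example (not from this thread, and not ESET's, Acronis's or any vendor's code) of how a responder could check a VirtualBox machine definition for that configuration. It assumes the `.vbox` file is XML carrying `SharedFolder` elements with `name`, `hostPath` and `writable` attributes, which matches VirtualBox's machine format as far as I know; the sample definition is constructed for the example, including its UUID and machine name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .vbox file (not a real Ragnar Locker artifact): two drive
# roots shared into the guest with write access, plus one benign read-only share.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-windows">
  <Machine uuid="{1b2c3d4e-0000-4000-8000-000000000001}" name="micro" OSType="WindowsXP">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="C_DRIVE" hostPath="C:\\" writable="true" autoMount="true"/>
        <SharedFolder name="D_DRIVE" hostPath="D:\\" writable="true" autoMount="true"/>
        <SharedFolder name="docs" hostPath="C:\\Users\\lab\\vmshare" writable="false" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# A host path that is a bare drive letter ("C:" or "C:\") exposes the whole volume.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def shared_folders(vbox_xml: str) -> list[dict]:
    """Return every SharedFolder entry in a .vbox document, ignoring XML namespaces."""
    root = ET.fromstring(vbox_xml)
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "SharedFolder":
            continue
        found.append({
            "name": el.get("name", ""),
            "hostPath": el.get("hostPath", ""),
            "writable": el.get("writable", "false").strip().lower() == "true",
        })
    return found


def suspicious_shares(vbox_xml: str) -> list[dict]:
    """Shares that give the guest write access to an entire host drive."""
    return [
        sf for sf in shared_folders(vbox_xml)
        if sf["writable"] and DRIVE_ROOT.match(sf["hostPath"])
    ]


if __name__ == "__main__":
    for sf in suspicious_shares(SAMPLE_VBOX):
        print(f"writable drive-root share: {sf['name']} -> {sf['hostPath']}")
```

A VM legitimately sharing a single project folder will not trigger this; a definition that maps `C:\`, `D:\` and so on writable into a guest is worth a close look, and the same check can be pointed at any `.vbox` file found next to a dropped VirtualBox installation.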

3 hours ago, itman said:

A quick Joe's Cloud Sandbox analysis review of this ransomware shows what's going on:

[attached screenshot: Eset_Miss.png]

This sample is indeed corrupt (https://app.any.run/tasks/91032682-65d8-4ba5-9e93-8899b2d592d8/).

Joe sandbox's results indicate this sample crashed during analysis. Other vendors may detect corrupt samples because they contain malicious code, which I don't think is a false positive. 


  • Administrators
6 hours ago, itman said:

Here's a description of RagnarLocker ransomware: https://www.acronis.com/en-us/blog/posts/ragnar-locker/

RagnarLocker is about 2 years old and virtually every vendor detects it:

https://www.virustotal.com/gui/file/7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929


12 hours ago, AnthonyQ said:

Joe sandbox's results indicate this sample crashed during analysis.

Review it again. Closely observe behavior of WerFault.exe.


11 minutes ago, itman said:

Review it again. Closely observe behavior of WerFault.exe.

You can run this sample on your VM to see if it's corrupt. 


1 minute ago, AnthonyQ said:

You can run this sample on your VM to see if it's corrupt. 

Don't have a VM installed. What this sample does is run Java at next system startup to run the payload previously created by WerFault.exe.

Here's a better example showing payload being created from WerFault.exe:

[attached screenshot: Eset_Ragar.png]

https://www.joesandbox.com/analysis/323226/0/html

Finally, you would not have all those detections at VT if this was actually a corrupted file.


  • Administrators

Also the .unpack extension suggests that it's a dumped file, ie. it won't run when executed.


19 minutes ago, itman said:

Don't have a VM installed. What this sample does is run Java at next system startup to run the payload previously created by WerFault.exe.

Here's a better example showing payload being created from WerFault.exe:

[attached screenshot: Eset_Ragar.png]

https://www.joesandbox.com/analysis/323226/0/html

Finally, you would not have all those detections at VT if this was actually a corrupted file.

This Joe sandbox report refers to another ransomware sample which is not corrupt and already detected by ESET as Win32/Filecoder.RagnarLocker.A.


Here's VT's SysInternals analysis of this RagnarLocker sample that "supposedly doesn't run": https://www.virustotal.com/gui/file/f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d/behavior/Microsoft Sysinternals Hum ..... I see a lot of remote communication going on. I am done with wasting my time on this.


  • Administrators
19 minutes ago, itman said:

I see a lot of remote communication going on.

MS IP addresses. Contacted likely when the system was searching for a possible solution of the crash and to upload the crash report.


Getting back on topic, it should be noted that Kaspersky at VT also did not detect this RagnarLocker ransomware sample discussed.

At this point, I will give Kaspersky a pass on this barring proof otherwise. This sample only "sets the stage" for the ransomware to run at next system restart time. At that time, System Watcher anti-ransomware behavior methods would have detected the files being encrypted.

