AnthonyQ 48 Posted February 24, 2023 Share Posted February 24, 2023 I feel that ESET LiveGuard appears to be unable to detect some Cobalt Strike malware samples, such as the one found at https://www.virustotal.com/gui/file/e62baa593248fdcb22dbeddc976d246aee11c9e747ef232e78f5f4dbf692698c, which has been marked as Clean by ESET LiveGuard. Given the popularity of Cobalt Strike trojan, I would like to request that the ESET LiveGuard team consider adding specialized detection rules for Cobalt Strike to the product. Thanks. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,071 Posted February 24, 2023 Administrators Share Posted February 24, 2023 The sample has nothing to do with Cobalt Strike. A detection has been added: Win64/TrojanDownloader.Agent.ZF trojan. The sample was not evaluated by Augur as highly suspicious nor didn't do anything suspicious that would make it detected by LiveGuard. Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 24, 2023 Share Posted February 24, 2023 The malware sample contained a Cobalt Strike beacon: Ref.: https://www.virustotal.com/gui/file/e62baa593248fdcb22dbeddc976d246aee11c9e747ef232e78f5f4dbf692698c/behavior The beacon in turned allowed for download of Cobalt Strike shell code. Interesting was Microsoft Defender was able to detect it as Cobalt Strike. Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 24, 2023 Share Posted February 24, 2023 Also this sample employs detection evasion tactics which most likely is was the reason for LiveGuard non-detection: Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 24, 2023 Share Posted February 24, 2023 Aside from evasion tactics bypassing of LiveGuard, its detection capability has improved. I found a ManusCrypt RAT variant sample a few days back that Eset wasn't detecting at VT: https://www.virustotal.com/gui/file/4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822/detection . Upon extraction from zip file, it was sent to LiveGuard and detected there: Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here 2/22/2023 3:51:28 PM;ESET LiveGuard;file;C:\Users\xxxxx\Downloads\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe;ESET LiveGuard trojan;deleted;;;D13C52CD6709F416AEFE338922C77BAE33A85F31;2/22/2023 3:48:59 PM Note that this wasn't a signature detection. Link to comment Share on other sites More sharing options...
AnthonyQ 48 Posted February 25, 2023 Author Share Posted February 25, 2023 12 hours ago, Marcos said: The sample has nothing to do with Cobalt Strike. A detection has been added: Win64/TrojanDownloader.Agent.ZF trojan. The sample was not evaluated by Augur as highly suspicious nor didn't do anything suspicious that would make it detected by LiveGuard. How about this sample (https://www.virustotal.com/gui/file/1c32e181b13679976b001bc2e5f80dfc135f190b7d536edc25b08f37c65d6ae4), which is now detected as Win64/CobaltStrike.Beacon.G by ESET? This sample was marked as Clean by ESET LiveGuard before. Link to comment Share on other sites More sharing options...
AnthonyQ 48 Posted February 25, 2023 Author Share Posted February 25, 2023 11 hours ago, itman said: The malware sample contained a Cobalt Strike beacon: Ref.: https://www.virustotal.com/gui/file/e62baa593248fdcb22dbeddc976d246aee11c9e747ef232e78f5f4dbf692698c/behavior The beacon in turned allowed for download of Cobalt Strike shell code. Interesting was Microsoft Defender was able to detect it as Cobalt Strike. Yeah. MD was the first vendor to detect this sample and its detection name is VirTool:Win64/CobaltStrike.A. Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 25, 2023 Share Posted February 25, 2023 (edited) 15 hours ago, AnthonyQ said: How about this sample (https://www.virustotal.com/gui/file/1c32e181b13679976b001bc2e5f80dfc135f190b7d536edc25b08f37c65d6ae4), which is now detected as Win64/CobaltStrike.Beacon.G by ESET? This sample was marked as Clean by ESET LiveGuard before. Looks like this one used PowerShell to download the Cobalt Strike payload: Quote One of the most used features in cobalt strikes is an attack using PowerShell. PowerShell is a scripting language and a command-line shell. PowerShell is a legitimate one, but it can run a script directly in memory. Utilizing this feature, an attacker can perform remote code execution. Cobalt strike has a scripted web delivery feature that allows it to download and run the payload through PowerShell. Once the attacker gets the session, an attacker can interact with the victim’s system, extract the information, and do post-exploitation activities. https://blogs.quickheal.com/cobalt-strike-2021-analysis-of-malicious-powershell-attack-framework/ Again, I assume the sample deployed evasion tactics prevented initial LiveGuard detection. Edited February 25, 2023 by itman Link to comment Share on other sites More sharing options...
AnthonyQ 48 Posted February 26, 2023 Author Share Posted February 26, 2023 (edited) 6 hours ago, itman said: Looks like this one used PowerShell to download the Cobalt Strike payload: https://blogs.quickheal.com/cobalt-strike-2021-analysis-of-malicious-powershell-attack-framework/ Again, I assume the sample deployed evasion tactics prevented initial LiveGuard detection. That's possible. If that's the case, it's not OK for LiveGuard to declare a sample deployed evasion tactics "Safe to use". Edited February 26, 2023 by AnthonyQ Link to comment Share on other sites More sharing options...
rotaru 10 Posted February 26, 2023 Share Posted February 26, 2023 On 2/24/2023 at 8:08 AM, Marcos said: The sample has nothing to do with Cobalt Strike On 2/24/2023 at 9:18 AM, itman said: The malware sample contained a Cobalt Strike beacon: So, which is which? Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 26, 2023 Share Posted February 26, 2023 (edited) 14 hours ago, AnthonyQ said: That's possible. If that's the case, it's not OK for LiveGuard to declare a sample deployed evasion tactics "Safe to use". Another possibility for the sample using PowerShell is it deployed a Win AMSI bypass preventing Eset from scanning the script: Cobalt Strike BOF - Inject AMSI Bypass Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. Quote Method = AMSI.AmsiOpenSession Uses the AMSI bypass technique taught in Offensive Security's PEN-300/OSEP (Evasion Techniques and Breaching Defenses) course. https://www.offensive-security.com/pen300-osep/ Proof of Concept Demo Screenshots Before - Powershell.exe AMSI.AmsiOpenSession After - Powershell.exe AMSI.AmsiOpenSession https://github.com/boku7/injectAmsiBypass Edited February 26, 2023 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted March 2, 2023 Share Posted March 2, 2023 As a FYI, a Chinese forum member over at malwaretips.com performed a test against a whole bunch of security solutions using 10 custom coded Cobalt Strike payloads: https://malwaretips.com/threads/45avs-vs-cobaltstrike.121263/#post-1026903 . Eset detected all payloads. Microsoft Defender did not. Link to comment Share on other sites More sharing options...
sesk 23 Posted March 2, 2023 Share Posted March 2, 2023 10 hours ago, itman said: Eset detected all payloads. Microsoft Defender did not. 💪 Link to comment Share on other sites More sharing options...
AnthonyQ 48 Posted March 3, 2023 Author Share Posted March 3, 2023 On 3/2/2023 at 8:25 AM, itman said: As a FYI, a Chinese forum member over at malwaretips.com performed a test against a whole bunch of security solutions using 10 custom coded Cobalt Strike payloads: https://malwaretips.com/threads/45avs-vs-cobaltstrike.121263/#post-1026903 . Eset detected all payloads. Microsoft Defender did not. I read his test results on the Chinese forum he mentioned a few weeks ago. Thanks to ESET's great signature, all samples were blocked. But in the case of the sample mentioned in this post, the ESET LiveGuard cloud sandbox failed to detect it. So I'm posting to ask ESET LiveGuard team to improve its detection capability. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,071 Posted March 3, 2023 Administrators Share Posted March 3, 2023 4 minutes ago, AnthonyQ said: So I'm posting to ask ESET LiveGuard team to improve its detection capability. The sample didn't do anything highly suspicious, such as accessing a blocked url so the evaluation was mainly dependent on Augur classification which didn't evaluate the sample with high enough score in order to be detected. Link to comment Share on other sites More sharing options...
itman 1,659 Posted March 3, 2023 Share Posted March 3, 2023 2 hours ago, Marcos said: The sample didn't do anything highly suspicious, such as accessing a blocked url so the evaluation was mainly dependent on Augur classification which didn't evaluate the sample with high enough score in order to be detected. Eset needs to improve its detection of Cobalt Strike components. Having a backdoor residing on your device is totally unacceptable: peteyt 1 Link to comment Share on other sites More sharing options...
itman 1,659 Posted March 3, 2023 Share Posted March 3, 2023 (edited) As far as why LiveGuard couldn't detect the previous referenced Cobalt Strike sample: Quote The researchers attest that Cobalt Strike can be detected in the memory. Palo Alto designed a hypervisor-based sandbox for analyzing artifacts in memory and Unit 42 analyzed samples of three Cobalt Strike loaders detected by the sandbox. One of the loaders – dubbed KoboldLoader – uses various techniques to evade detection. KoboldLoader runs the payload using mapping injection and launches a decrypted Cobalt Strike SMB beacon that can be detected in memory, despite some in-memory evasion features. It would have been impossible to detect the SMB beacon without being able to look inside memory while the malicious code was being executed, according to the researchers. MagnetLoader is a DLL that imitates a legitimate Windows library and decrypts the Cobalt Strike beacon into a memory buffer, using a Windows API function to run the beacon loader rather than calling it directly. LithiumLoader is a DLL that uses a side-loading attack technique that hijacks legitimate software to run another malicious DLL. The sample was part of a Fortinet installation package created by the attackers and submitted to VirusTotal. One of the loader's functions indirectly runs the Cobalt Strike stager shelled code through the EnumSystemGeoID function rather than directly. The stager shellcode is a reverse HTTP shell payload. "These samples do not execute in normal sandbox environments," the researchers write. "But … there is a wealth of information that we can use for detection if we look inside memory during execution, like function pointers, decoded stages of the loader, and other artifacts." https://www.theregister.com/2022/12/06/cobalt_strike_memory_unit_42/ As long as Eset can detect Cobalt Strike loaders in memory at execution time, the attack would not succeed. Edited March 3, 2023 by itman Link to comment Share on other sites More sharing options...
AnthonyQ 48 Posted March 4, 2023 Author Share Posted March 4, 2023 (edited) 21 hours ago, Marcos said: The sample didn't do anything highly suspicious, such as accessing a blocked url so the evaluation was mainly dependent on Augur classification which didn't evaluate the sample with high enough score in order to be detected. Today I found a malicious script sample on Anyrun (https://app.any.run/tasks/2455fd40-7058-46f1-8b8c-3d47245e9f38/; VT: https://www.virustotal.com/gui/file/8fb827650ba056d6917d5371db00dedc173cd68647cc9f703f63224ec9d54189) and I sent it to ESET LiveGuard, but ESET LiveGuard told me it's safe. Although this sample does not seem to be ITW, but it does perform malicious actions, such as trying to run on system startup, stopping a service using the taskkill command, and editing registry to disable system function. Edited March 4, 2023 by AnthonyQ Link to comment Share on other sites More sharing options...
Administrators Marcos 5,071 Posted March 4, 2023 Administrators Share Posted March 4, 2023 29 minutes ago, AnthonyQ said: Although this sample does not seem to be ITW, but it does perform malicious actions, such as trying to run on system startup, stopping a service using the taskkill command, and editing registry to disable system function. It doesn't do anything unusual. It restarts explorer.exe but does not kill any other process. Function RestartExplorer() WshShell.Run "Taskkill /f /im explorer.exe",0 WScript.Sleep 400 WshShell.Run "cmd /c explorer.exe",0 End Function Basically the only bad thing it does that besides relatively normal actions it displays a message to scary the user: message="Since I have invaded your computer, I know a lot about you! Here is what I know!" & vbCrLf & "IP Address: " & IPAddress & vbCrLf & "Username: " & WshNetwork.UserName & vbCrLf & "Computer Name: " & WshNetwork.ComputerName & vbCrLf & "Domain: " & WshNetwork.UserDomain Link to comment Share on other sites More sharing options...
itman 1,659 Posted March 4, 2023 Share Posted March 4, 2023 (edited) 6 hours ago, Marcos said: Basically the only bad thing it does that besides relatively normal actions it displays a message to scary the user: message="Since I have invaded your computer, I know a lot about you! Here is what I know!" & vbCrLf & "IP Address: " & IPAddress & vbCrLf & "Username: " & WshNetwork.UserName & vbCrLf & "Computer Name: " & WshNetwork.ComputerName & vbCrLf & "Domain: " & WshNetwork.UserDomain The problem with hoax malware like this is it will often employ a screen locker at system startup time to display the hoax malware/tech support message. The result is a totally inaccessible system. This appears to be the case with this sample. Whereas the Ctrl-+Alt-+Del, ALT+F4, etc. keyboard combo works with most of these to bypass the lock screen and allow access to the desktop, only security aware individuals are aware of this trick. Finally, the average user will most likely respond to the telephone number posted in the hoax message to get access to his system. Once done, he can be duped into paying money to fix the issue. Or worse, actually downloading malware or remote control software allowing full access to his system. Eset needs to detect hoax malware. Edited March 4, 2023 by itman peteyt 1 Link to comment Share on other sites More sharing options...
Recommended Posts