Jump to content
An upgrade will take place on June 18, 2024 during the midday hours (UTC). The Forum will not be accessible for a short period of time. ×

Improve ESET LiveGuard's detection ability against Cobalt Strike Trojan


AnthonyQ

Recommended Posts

I feel that ESET LiveGuard appears to be unable to detect some Cobalt Strike malware samples, such as the one found at https://www.virustotal.com/gui/file/e62baa593248fdcb22dbeddc976d246aee11c9e747ef232e78f5f4dbf692698c, which has been marked as Clean by ESET LiveGuard.

Given the popularity of Cobalt Strike trojan, I would like to request that the ESET LiveGuard team consider adding specialized detection rules for Cobalt Strike to the product.

Thanks.

Link to comment
Share on other sites

  • Administrators

The sample has nothing to do with Cobalt Strike. A detection has been added: Win64/TrojanDownloader.Agent.ZF trojan.

The sample was not evaluated by Augur as highly suspicious nor didn't do anything suspicious that would make it detected by LiveGuard.

Link to comment
Share on other sites

The malware sample contained a Cobalt Strike beacon:

Eset_Cobalt.thumb.png.5cefee7167fba704d2c807befcbb1b2f.png

Ref.: https://www.virustotal.com/gui/file/e62baa593248fdcb22dbeddc976d246aee11c9e747ef232e78f5f4dbf692698c/behavior

The beacon in turned allowed for download of Cobalt Strike shell code.

Interesting was Microsoft Defender was able to detect it as Cobalt Strike.

Link to comment
Share on other sites

Aside from evasion tactics bypassing of LiveGuard, its detection capability has improved.

I found a ManusCrypt RAT variant sample a few days back that Eset wasn't detecting at VT: https://www.virustotal.com/gui/file/4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822/detection .

Upon extraction from zip file, it was sent to LiveGuard and detected there:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2/22/2023 3:51:28 PM;ESET LiveGuard;file;C:\Users\xxxxx\Downloads\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe;ESET LiveGuard trojan;deleted;;;D13C52CD6709F416AEFE338922C77BAE33A85F31;2/22/2023 3:48:59 PM

Note that this wasn't a signature detection.

Link to comment
Share on other sites

12 hours ago, Marcos said:

The sample has nothing to do with Cobalt Strike. A detection has been added: Win64/TrojanDownloader.Agent.ZF trojan.

The sample was not evaluated by Augur as highly suspicious nor didn't do anything suspicious that would make it detected by LiveGuard.

How about this sample (https://www.virustotal.com/gui/file/1c32e181b13679976b001bc2e5f80dfc135f190b7d536edc25b08f37c65d6ae4), which is now detected as Win64/CobaltStrike.Beacon.G by ESET? This sample was marked as Clean by ESET LiveGuard before.

Link to comment
Share on other sites

11 hours ago, itman said:

The malware sample contained a Cobalt Strike beacon:

Eset_Cobalt.thumb.png.5cefee7167fba704d2c807befcbb1b2f.png

Ref.: https://www.virustotal.com/gui/file/e62baa593248fdcb22dbeddc976d246aee11c9e747ef232e78f5f4dbf692698c/behavior

The beacon in turned allowed for download of Cobalt Strike shell code.

Interesting was Microsoft Defender was able to detect it as Cobalt Strike.

Yeah. MD was the first vendor to detect this sample and its detection name is VirTool:Win64/CobaltStrike.A. 

Link to comment
Share on other sites

15 hours ago, AnthonyQ said:

How about this sample (https://www.virustotal.com/gui/file/1c32e181b13679976b001bc2e5f80dfc135f190b7d536edc25b08f37c65d6ae4), which is now detected as Win64/CobaltStrike.Beacon.G by ESET? This sample was marked as Clean by ESET LiveGuard before.

Looks like this one used PowerShell to download the Cobalt Strike payload:

Quote

One of the most used features in cobalt strikes is an attack using PowerShell. PowerShell is a scripting language and a command-line shell. PowerShell is a legitimate one, but it can run a script directly in memory. Utilizing this feature, an attacker can perform remote code execution. Cobalt strike has a scripted web delivery feature that allows it to download and run the payload through PowerShell. Once the attacker gets the session, an attacker can interact with the victim’s system, extract the information, and do post-exploitation activities.

https://blogs.quickheal.com/cobalt-strike-2021-analysis-of-malicious-powershell-attack-framework/

Again, I assume the sample deployed evasion tactics prevented initial LiveGuard detection.

Edited by itman
Link to comment
Share on other sites

6 hours ago, itman said:

Looks like this one used PowerShell to download the Cobalt Strike payload:

https://blogs.quickheal.com/cobalt-strike-2021-analysis-of-malicious-powershell-attack-framework/

Again, I assume the sample deployed evasion tactics prevented initial LiveGuard detection.

That's possible. If that's the case, it's not OK for LiveGuard to declare a sample deployed evasion tactics "Safe to use".

Edited by AnthonyQ
Link to comment
Share on other sites

On 2/24/2023 at 8:08 AM, Marcos said:

The sample has nothing to do with Cobalt Strike

 

On 2/24/2023 at 9:18 AM, itman said:

The malware sample contained a Cobalt Strike beacon:

So, which is which?

Link to comment
Share on other sites

14 hours ago, AnthonyQ said:

That's possible. If that's the case, it's not OK for LiveGuard to declare a sample deployed evasion tactics "Safe to use".

Another possibility for the sample using PowerShell is it deployed a Win AMSI bypass preventing Eset from scanning the script:

Cobalt Strike BOF - Inject AMSI Bypass

Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.

Quote

Method = AMSI.AmsiOpenSession

Proof of Concept Demo Screenshots

Before - Powershell.exe AMSI.AmsiOpenSession

Before-Amsi-OpenSession.png

After - Powershell.exe AMSI.AmsiOpenSession

After-AmsiOpenSession.png

 

https://github.com/boku7/injectAmsiBypass

Edited by itman
Link to comment
Share on other sites

As a FYI, a Chinese forum member over at malwaretips.com performed a test against a whole bunch of security solutions using 10 custom coded Cobalt Strike payloads: https://malwaretips.com/threads/45avs-vs-cobaltstrike.121263/#post-1026903 .

Eset detected all payloads. Microsoft Defender did not.

Link to comment
Share on other sites

On 3/2/2023 at 8:25 AM, itman said:

As a FYI, a Chinese forum member over at malwaretips.com performed a test against a whole bunch of security solutions using 10 custom coded Cobalt Strike payloads: https://malwaretips.com/threads/45avs-vs-cobaltstrike.121263/#post-1026903 .

Eset detected all payloads. Microsoft Defender did not.

I read his test results on the Chinese forum he mentioned a few weeks ago. Thanks to ESET's great signature, all samples were blocked. 

But in the case of the sample mentioned in this post, the ESET LiveGuard cloud sandbox failed to detect it.

So I'm posting to ask ESET LiveGuard team to improve its detection capability.

Link to comment
Share on other sites

  • Administrators
4 minutes ago, AnthonyQ said:

So I'm posting to ask ESET LiveGuard team to improve its detection capability.

The sample didn't do anything highly suspicious, such as accessing a blocked url so the evaluation was mainly dependent on Augur classification which didn't evaluate the sample with high enough score in order to be detected.

Link to comment
Share on other sites

2 hours ago, Marcos said:

The sample didn't do anything highly suspicious, such as accessing a blocked url so the evaluation was mainly dependent on Augur classification which didn't evaluate the sample with high enough score in order to be detected.

Eset needs to improve its detection of Cobalt Strike components. Having a backdoor residing on your device is totally unacceptable:

Eset_CS.thumb.png.7087603f1dad44afc5001dc3c3615ba0.png

Link to comment
Share on other sites

As far as why LiveGuard couldn't detect the previous referenced Cobalt Strike sample:

Quote

The researchers attest that Cobalt Strike can be detected in the memory. Palo Alto designed a hypervisor-based sandbox for analyzing artifacts in memory and Unit 42 analyzed samples of three Cobalt Strike loaders detected by the sandbox.

One of the loaders – dubbed KoboldLoader – uses various techniques to evade detection. KoboldLoader runs the payload using mapping injection and launches a decrypted Cobalt Strike SMB beacon that can be detected in memory, despite some in-memory evasion features.

It would have been impossible to detect the SMB beacon without being able to look inside memory while the malicious code was being executed, according to the researchers.

MagnetLoader is a DLL that imitates a legitimate Windows library and decrypts the Cobalt Strike beacon into a memory buffer, using a Windows API function to run the beacon loader rather than calling it directly.

LithiumLoader is a DLL that uses a side-loading attack technique that hijacks legitimate software to run another malicious DLL. The sample was part of a Fortinet installation package created by the attackers and submitted to VirusTotal. One of the loader's functions indirectly runs the Cobalt Strike stager shelled code through the EnumSystemGeoID function rather than directly. The stager shellcode is a reverse HTTP shell payload.

"These samples do not execute in normal sandbox environments," the researchers write. "But … there is a wealth of information that we can use for detection if we look inside memory during execution, like function pointers, decoded stages of the loader, and other artifacts."

 

https://www.theregister.com/2022/12/06/cobalt_strike_memory_unit_42/

As long as Eset can detect Cobalt Strike loaders in memory at execution time, the attack would not succeed.

Edited by itman
Link to comment
Share on other sites

21 hours ago, Marcos said:

The sample didn't do anything highly suspicious, such as accessing a blocked url so the evaluation was mainly dependent on Augur classification which didn't evaluate the sample with high enough score in order to be detected.

Today I found a malicious script sample on Anyrun (https://app.any.run/tasks/2455fd40-7058-46f1-8b8c-3d47245e9f38/; VT: https://www.virustotal.com/gui/file/8fb827650ba056d6917d5371db00dedc173cd68647cc9f703f63224ec9d54189) and I sent it to ESET LiveGuard, but ESET LiveGuard told me it's safe.

Although this sample does not seem to be ITW, but it does perform malicious actions, such as trying to run on system startup, stopping a service using the taskkill command, and editing registry to disable system function.

Edited by AnthonyQ
Link to comment
Share on other sites

  • Administrators
29 minutes ago, AnthonyQ said:

Although this sample does not seem to be ITW, but it does perform malicious actions, such as trying to run on system startup, stopping a service using the taskkill command, and editing registry to disable system function.

It doesn't do anything unusual. It restarts explorer.exe but does not kill any other process.

Function RestartExplorer()
WshShell.Run "Taskkill /f /im explorer.exe",0
WScript.Sleep 400
WshShell.Run "cmd /c explorer.exe",0
End Function

Basically the only bad thing it does that besides relatively normal actions it displays a message to scary the user:
message="Since I have invaded your computer, I know a lot about you! Here is what I know!" & vbCrLf & "IP Address: " & IPAddress & vbCrLf & "Username: " & WshNetwork.UserName & vbCrLf & "Computer Name: " & WshNetwork.ComputerName & vbCrLf & "Domain: " & WshNetwork.UserDomain

Link to comment
Share on other sites

6 hours ago, Marcos said:

Basically the only bad thing it does that besides relatively normal actions it displays a message to scary the user:
message="Since I have invaded your computer, I know a lot about you! Here is what I know!" & vbCrLf & "IP Address: " & IPAddress & vbCrLf & "Username: " & WshNetwork.UserName & vbCrLf & "Computer Name: " & WshNetwork.ComputerName & vbCrLf & "Domain: " & WshNetwork.UserDomain

The problem with hoax malware like this is it will often employ a screen locker at system startup time to display the hoax malware/tech support message. The result is a totally inaccessible system. This appears to be the case with this sample.

Whereas the Ctrl-+Alt-+Del, ALT+F4, etc. keyboard combo works with most of these to bypass the lock screen and allow access to the desktop, only security aware individuals are aware of this trick.

Finally, the average user will most likely respond to the telephone number posted in the hoax message to get access to his system. Once done, he can be duped into paying money to fix the issue. Or worse, actually downloading malware or remote control software allowing full access to his system.

Eset needs to detect hoax malware.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...