itman, posted May 17, 2023:
Skip the encryption activities and just steal data instead: https://www.bleepingcomputer.com/news/security/fbi-confirms-bianlian-ransomware-switch-to-extortion-only-attacks/
itman, posted June 10, 2023:
Latest case in point: https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-without-using-a-compromised-endpoint/
cutting_edgetech (ESET Insiders), posted June 12, 2023:
Users that don't use PowerShell or Remote Desktop should block them using policy restriction or whitelisting technologies. They can probably block over 90% of attacks by blocking the most commonly exploited executables like powershell.exe, powershell_ise.exe, rdp.exe, wscript.exe, cscript.exe, vbs.exe, cmd.exe (monitor this one using whitelisting), etc. This won't be an option for most users though, because it takes self-initiative to learn more about security, the Windows OS, and configuring security software. I believe most users don't care about security until they are a victim.
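As an added example (not code from the thread, from ESET, or from any product named in it), the following PowerShell script implements the blocking approach described in the post above with AppLocker path rules: it writes a policy that denies the script hosts for Everyone, dry-runs it with Test-AppLockerPolicy, and only then merges it into the local policy. Assumptions: it runs elevated on a Windows edition where AppLocker enforcement is supported (Enterprise/Education is assumed here), the file names used are the real Windows binaries (mstsc.exe is the Remote Desktop client, and .vbs scripts are covered by denying wscript.exe and cscript.exe), and cmd.exe is left to monitoring rather than denied, as the post suggests. The allow-all rule is deliberate: once enforcement is switched on for the Exe collection, anything not explicitly allowed is blocked, and AppLocker evaluates deny rules ahead of allow rules, so the deny entries are the only effective change.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: deny commonly abused script hosts for Everyone via AppLocker.
# Assumed: Windows Enterprise/Education (AppLocker enforcement), elevated session, and no existing
# local AppLocker policy that this merge would conflict with.

# Relative paths under the Windows directory. System32 and SysWOW64 copies are both listed so the
# 32-bit binaries are covered. cmd.exe is intentionally absent (monitor it instead of denying it).
$relative = @(
    'System32\WindowsPowerShell\v1.0\powershell.exe',
    'System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    'System32\wscript.exe',
    'System32\cscript.exe',
    'System32\mstsc.exe'
)
$denyPaths = foreach ($r in $relative) {
    "%WINDIR%\$r"
    "%WINDIR%\$($r -replace '^System32\\', 'SysWOW64\')"
}

function New-DenyPolicyXml {
    # Build an AppLocker policy: one allow-all rule plus one deny rule per path.
    param([Parameter(Mandatory)][string[]]$Paths)
    $rules = foreach ($p in $Paths) {
        $name = [System.Security.SecurityElement]::Escape("Deny $p")
        $path = [System.Security.SecurityElement]::Escape($p)
        '    <FilePathRule Id="{0}" Name="{1}" Description="Added deny rule" UserOrGroupSid="S-1-1-0" Action="Deny">' -f ([guid]::NewGuid()), $name
        '      <Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $path
        '    </FilePathRule>'
    }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all other executables" Description="Keeps the system runnable once enforcement is on" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyFile = Join-Path $env:TEMP 'deny-script-hosts.xml'
[System.IO.File]::WriteAllText($policyFile, (New-DenyPolicyXml -Paths $denyPaths))

# Dry run against the XML before touching the live policy:
# wscript.exe should come back Denied, notepad.exe Allowed.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path @(
    "$env:windir\System32\wscript.exe",
    "$env:windir\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge (not replace) into the local policy, then make sure the Application Identity service runs,
# because AppLocker enforces nothing without it. sc.exe is used for the start type since Set-Service
# is refused for this protected service on recent Windows 10/11 builds.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Two limits are worth knowing before relying on this. A path rule matches a location, not a file: a copy of wscript.exe dropped into a user-writable folder would still run under the allow-all rule, which is the difference between this deny list and the whitelisting the post mentions. And denying powershell.exe does not stop a program that hosts the PowerShell engine (System.Management.Automation.dll) inside its own process, since powershell.exe is never launched in that case.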
itman, posted June 12, 2023:
cutting_edgetech said: "They can probably block over 90% of attacks by blocking the most commonly exploited executables like powershell.exe, powershell_ise.exe, rdp.exe, wscript.exe, cscript.exe, vbs.exe, cmd.exe (monitor this one using whitelisting), etc..."
In this regard, let's talk about FUD malware:
"A fully undetectable (FUD) malware obfuscation engine named BatCloak is being used to deploy various malware strains since September 2022, while persistently evading antivirus detection. The samples grant 'threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files,' Trend Micro researchers said. About 79.6% of the total 784 artifacts unearthed have no detection across all security solutions, the cybersecurity firm added, highlighting BatCloak's ability to circumvent traditional detection mechanisms. The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass Antimalware Scan Interface (AMSI) as well as compress and encrypt the primary payload to achieve heightened security evasion."
Source: https://thehackernews.com/2023/06/cybercriminals-using-powerful-batcloak.html
Full Trend Micro analysis here: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak/tb-the-dark-evolution-advanced-malicious-actors-unveil-malware-modification-progression.pdf
peteyt (Most Valued Members), posted June 13, 2023:
cutting_edgetech said: "I believe most users don't care about security until they are a victim."
Even then they still often don't care. The general public tend to want protection that runs in the background, but cyber criminals can use that to their advantage.
cutting_edgetech (ESET Insiders), posted June 13, 2023:
itman said: "In this regard, let's talk about FUD malware: https://thehackernews.com/2023/06/cybercriminals-using-powerful-batcloak.html Full Trend Micro analysis here: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak/tb-the-dark-evolution-advanced-malicious-actors-unveil-malware-modification-progression.pdf"
If the user monitors cmd.exe, they will be able to block the execution of the batch file. If the user blocks powershell.exe and powershell_ise.exe, then the malware will not be able to execute at the later stage in the event the batch file is allowed to execute. These attacks might make it past a traditional antivirus, but they can be easily blocked in a home environment using ERP or AppGuard. It's more difficult in a corporate environment, where vulnerable executables are actually used often, so they can't be blocked as easily without creating problems. Things like PowerShell, Remote Desktop, and batch files are used often in a corporate environment. It's a hell of a lot easier to secure a home network than a corporate network.
itman, posted June 14, 2023:
cutting_edgetech said: "If the user blocks powershell.exe and powershell_ise.exe, then the malware will not be able to execute at the later stage in the event the batch file is allowed to execute."
You forgot that PowerShell can be run directly via the Win API interface. Case in point. A while back I came across a write-up on malware using PowerShell this way to modify environment data stored in the registry, so I created a HIPS rule to monitor for this. Note: I have always had a HIPS rule to monitor for anything starting PowerShell. A few days ago, I updated my NVIDIA graphics driver. Right at the end of the installer execution, I got a HIPS alert about it modifying a registry environment variable, but no prior alert on PowerShell starting execution:
Time;Application;Operation;Target;Action;Rule;Additional information
6/11/2023 3:06:54 PM;C:\NVIDIA\DisplayDriver\535.98\Win11_Win10-DCH_64\International\setup.exe;Modify registry;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\PATH;Allowed;Block PowerShell policy mode changes;
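The gap the post above describes, a registry Environment change with no preceding PowerShell start alert, is exactly what you get when a program hosts the PowerShell engine (System.Management.Automation.dll) inside its own process: powershell.exe is never launched, so a process-start rule for it never fires. As an added example (not itman's HIPS rule and not ESET tooling), the PowerShell script below reads a HIPS log export in the semicolon-separated format shown in the post and, for each Environment registry write, looks back a configurable window for a logged PowerShell process start. Assumptions: the export uses the header from the post, the operation names "Start new application" and "Modify registry", and the M/d/yyyy h:mm:ss tt time format; the three-line sample log is constructed, with only the setup.exe line being the real entry from the post.

```powershell
# Added example, not from the thread or from ESET: correlate an exported HIPS log so every registry
# Environment change is paired with the most recent PowerShell process start logged before it.
# Assumed: semicolon-delimited export with the header shown in the post, the operation names
# "Start new application" and "Modify registry", and the M/d/yyyy h:mm:ss tt time format.

# Constructed sample log. Only the last line is the real entry quoted in the post.
$hipsLog = @'
Time;Application;Operation;Target;Action;Rule;Additional information
6/11/2023 3:05:10 PM;C:\Users\me\Downloads\installer.exe;Start new application;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Allowed;Monitor PowerShell start;
6/11/2023 3:05:11 PM;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Modify registry;HKEY_CURRENT_USER\Environment\PATH;Allowed;Block PowerShell policy mode changes;
6/11/2023 3:06:54 PM;C:\NVIDIA\DisplayDriver\535.98\Win11_Win10-DCH_64\International\setup.exe;Modify registry;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\PATH;Allowed;Block PowerShell policy mode changes;
'@

function ConvertFrom-HipsLog {
    # Parse the export and add a real [datetime] so events can be ordered and compared.
    param([Parameter(Mandatory)][string]$Text)
    $Text -split "`r?`n" |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Delimiter ';' |
        Select-Object *, @{ Name = 'When'; Expression = {
            [datetime]::ParseExact($_.Time, 'M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture) } }
}

function Find-EnvironmentChanges {
    # For each Environment registry write, look back WindowSeconds for a logged PowerShell start.
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowSeconds = 60)
    $psExe = '\\powershell(_ise)?\.exe$'
    $psStarts = @($Events | Where-Object { $_.Operation -eq 'Start new application' -and $_.Target -match $psExe })
    $envWrites = $Events | Where-Object { $_.Operation -eq 'Modify registry' -and $_.Target -match '\\Environment\\' }
    foreach ($ev in $envWrites) {
        $priorStart = $psStarts |
            Where-Object { $_.When -le $ev.When -and ($ev.When - $_.When).TotalSeconds -le $WindowSeconds } |
            Select-Object -Last 1
        if ($ev.Application -match $psExe) {
            $verdict = 'written by powershell.exe itself'
        } elseif ($priorStart) {
            $verdict = "follows a PowerShell start by $($priorStart.Application)"
        } else {
            $verdict = 'no PowerShell start logged: engine hosted in-process, or no PowerShell involved'
        }
        [pscustomobject]@{
            When        = $ev.When
            Application = $ev.Application
            Target      = $ev.Target
            Verdict     = $verdict
        }
    }
}

$events = ConvertFrom-HipsLog -Text $hipsLog
Find-EnvironmentChanges -Events $events -WindowSeconds 60 | Format-Table -AutoSize
```

With the sample log, the HKCU write is attributed to powershell.exe itself, while the setup.exe write lands 104 seconds after the only logged PowerShell start, outside the 60-second window, and is reported with no preceding start. That second case is the one to look at by hand: it is either a program that hosts the engine in-process, which a powershell.exe start rule cannot see, or an ordinary installer editing PATH, and the log alone cannot tell the two apart. Against a real export, point ConvertFrom-HipsLog at Get-Content -Raw of the file instead of the constructed string.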