The Latest Trend In Ransomware


itman


Users that don't use PowerShell or Remote Desktop should block it using Policy Restriction or Whitelisting technologies. They can probably block over 90% of attacks by blocking the most commonly exploited executables like powershell.exe, powershell_ise.exe, rdp.exe, wscript.exe, cscript.exe, vbs.exe, cmd.exe (monitor this one using whitelisting), etc. This won't be an option for most users though because it takes self-initiative to learn more about security, the Windows OS, and configuring security software. I believe most users don't care about security until they are a victim.

Edited by cutting_edgetech

1 hour ago, cutting_edgetech said:

They can probably block over 90% of attacks by blocking the most commonly exploited executables like powershell.exe, powershell_ise.exe, rdp.exe, wscript.exe, cscript.exe, vbs.exe, cmd.exe (monitor this one using whitelisting), etc...

On this regard, let's talk about FUD malware;

Quote

A fully undetectable (FUD) malware obfuscation engine named BatCloak is being used to deploy various malware strains since September 2022, while persistently evading antivirus detection.

The samples grant "threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," Trend Micro researchers said.

About 79.6% of the total 784 artifacts unearthed have no-detection across all security solutions, the cybersecurity firm added, highlighting BatCloak's ability to circumvent traditional detection mechanisms.

The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass Antimalware Scan Interface (AMSI) as well as compress and encrypt the primary payload to achieve heightened security evasion.

https://thehackernews.com/2023/06/cybercriminals-using-powerful-batcloak.html

Full Trend Micro analysis here: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak/tb-the-dark-evolution-advanced-malicious-actors-unveil-malware-modification-progression.pdf

Edited by itman
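The BatCloak discussion above turns on "highly obfuscated batch files" slipping past signature-based scanning. As an added example (not code from the thread, from Trend Micro, or from The Hacker News), here is a small Python heuristic that scores a batch file on the structural tricks obfuscators rely on rather than on its content: %VAR:~n,1% substring expansions that rebuild strings one character at a time, caret escapes splitting words, a high density of set statements, odd characters, and very long lines. The two sample scripts, the feature weights and the threshold are constructed assumptions for illustration; the obfuscated sample only builds the word "echo".

```python
import re

# Constructed samples (not real malware): a plain script, and one that rebuilds the
# command "echo" from substring expansions and splits a word with caret escapes.
PLAIN_BAT = r"""@echo off
echo Backing up logs
xcopy C:\logs D:\backup\logs /E /Y
exit /b 0
"""

OBFUSCATED_BAT = r"""@echo off
set "z=ohceplyLJ"
set "cmd=%z:~3,1%%z:~2,1%%z:~1,1%%z:~0,1%"
%cmd% h^e^l^l^o
"""

# %VAR:~start,len% substring expansion: the usual way obfuscators assemble strings
SUBSTRING_RE = re.compile(r"%[A-Za-z0-9_]+:~-?\d+(?:,-?\d+)?%")
# caret escapes inserted inside words (h^e^l^l^o) to defeat plain string matching
CARET_RE = re.compile(r"\^[A-Za-z0-9]")
SET_RE = re.compile(r"^\s*set\s", re.IGNORECASE | re.MULTILINE)


def batch_features(text: str) -> dict:
    """Extract the handful of signals the score is built from."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    n_lines = max(len(lines), 1)
    # characters outside printable ASCII (other than ordinary whitespace) are rare
    # in hand-written batch files
    odd_chars = sum(1 for ch in text if ord(ch) > 126 or (ord(ch) < 32 and ch not in "\r\n\t"))
    return {
        "substring_expansions": len(SUBSTRING_RE.findall(text)),
        "caret_escapes": len(CARET_RE.findall(text)),
        "set_per_line": len(SET_RE.findall(text)) / n_lines,
        "odd_char_ratio": odd_chars / max(len(text), 1),
        "max_line_len": max((len(ln) for ln in lines), default=0),
    }


def obfuscation_score(text: str) -> int:
    """Additive score; the weights and thresholds are assumptions for illustration."""
    f = batch_features(text)
    score = 0
    if f["substring_expansions"] >= 3:
        score += 3
    elif f["substring_expansions"] >= 1:
        score += 1
    if f["caret_escapes"] >= 3:
        score += 2
    if f["set_per_line"] > 0.4:
        score += 1
    if f["odd_char_ratio"] > 0.05:
        score += 2
    if f["max_line_len"] > 400:
        score += 1
    return score


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """True when the script looks machine-obfuscated and deserves a closer look."""
    return obfuscation_score(text) >= threshold


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_BAT), ("obfuscated", OBFUSCATED_BAT)):
        print(name, obfuscation_score(sample), is_suspicious(sample))
```

The point of scoring structure instead of content is that the engine can rewrite the payload freely but still has to use the same small set of cmd.exe tricks to reassemble it at run time; a whitelisting or HIPS rule that gates cmd.exe, as the thread suggests, is what turns such a score into an actual block.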

8 hours ago, cutting_edgetech said:

I believe most users don't care about security until they are victim.

Even then they still often don't care. The general public tend to want protection that runs in the background, but cyber criminals can use that to their advantage.


23 hours ago, itman said:

If the user monitors cmd.exe they will be able to block the execution of the batch file. If the user blocks powershell.exe and powershell_ise.exe then the malware will not be able to execute at the later stage in the event the batch file is allowed to execute.

These attacks might make it past a traditional antivirus, but they can be easily blocked in a home environment using ERP or AppGuard. It's more difficult in a corporate environment where vulnerable executables are actually used often, so they can't be blocked as easily without creating problems. Things like PowerShell, Remote Desktop, and batch files are used often in a corporate environment. It's a hell of a lot easier to secure a home network than a corporate network.

Edited by cutting_edgetech

22 hours ago, cutting_edgetech said:

If the user blocks powershell.exe and powershell_ise.exe then the malware will not be able to execute at the later stage in the event the batch file is allowed to execute.

You forgot that PowerShell can be run directly via Win API interface. Case in point.

A while back I came across a write up on a malware using PowerShell this way to modify environment data stored in the registry. So I created a HIPS rule to monitor for this. Note: I always had a HIPS rule to monitor for anything starting PowerShell.

A few days ago, I updated my nVidia graphics driver. Right at the end of the installer execution, I got a HIPS alert about it modifying a registry environment variable but no prior alert on PowerShell starting execution:

Time;Application;Operation;Target;Action;Rule;Additional information
6/11/2023 3:06:54 PM;C:\NVIDIA\DisplayDriver\535.98\Win11_Win10-DCH_64\International\setup.exe;Modify registry;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\PATH;Allowed;Block PowerShell policy mode changes;

Edited by itman
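The HIPS log above shows the gap the post is describing: a registry environment-variable write with no matching "PowerShell started" alert, which is what you would see if the PowerShell engine were hosted inside another process rather than launched as powershell.exe. As an added example (not code from the thread or from ESET), here is a Python script that parses log lines in that semicolon-separated layout and, for every write under an Environment key, reports whether the writer was a PowerShell host, whether it had visibly spawned PowerShell shortly before, or whether no PowerShell start was logged at all. The header and first row are the two lines quoted in the post; the remaining rows, the "Start new application" operation name and the "Monitor PowerShell start" rule name are constructed assumptions about the log format.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Header and first row: the two log lines quoted in the post above.
# Remaining rows: constructed for this example, including the operation name
# "Start new application" and the rule "Monitor PowerShell start".
SAMPLE_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
6/11/2023 3:06:54 PM;C:\NVIDIA\DisplayDriver\535.98\Win11_Win10-DCH_64\International\setup.exe;Modify registry;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\PATH;Allowed;Block PowerShell policy mode changes;
6/11/2023 3:10:02 PM;C:\Windows\System32\cmd.exe;Start new application;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Allowed;Monitor PowerShell start;
6/11/2023 3:10:03 PM;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Modify registry;HKEY_CURRENT_USER\Environment\TEMP;Allowed;Block PowerShell policy mode changes;
6/11/2023 3:12:40 PM;C:\Program Files\Example\updater.exe;Modify registry;HKEY_LOCAL_MACHINE\SOFTWARE\Example\Version;Allowed;Some other rule;
"""

POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Matches both HKLM\...\Session Manager\Environment\ and HKCU\Environment\
ENV_MARKER = "\\environment\\"


def parse_log(text: str) -> list:
    """Parse the semicolon-separated export into a list of event dicts."""
    rows = csv.DictReader(StringIO(text), delimiter=";")
    return [
        {
            "time": datetime.strptime(r["Time"], "%m/%d/%Y %I:%M:%S %p"),
            "app": r["Application"],
            "op": r["Operation"],
            "target": r["Target"],
            "rule": r["Rule"],
        }
        for r in rows
    ]


def is_powershell(path: str) -> bool:
    """True when the image name is one of the known PowerShell host executables."""
    return path.lower().rsplit("\\", 1)[-1] in POWERSHELL_HOSTS


def classify_env_changes(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (application, target, verdict) for each environment-variable write."""
    findings = []
    for i, ev in enumerate(events):
        if ev["op"] != "Modify registry" or ENV_MARKER not in ev["target"].lower():
            continue
        if is_powershell(ev["app"]):
            verdict = "powershell_process"
        elif any(
            prev["op"] == "Start new application"
            and is_powershell(prev["target"])
            and prev["app"].lower() == ev["app"].lower()
            and ev["time"] - prev["time"] <= window
            for prev in events[:i]
        ):
            verdict = "spawned_powershell_earlier"
        else:
            # The writer is not powershell.exe and never spawned it: either an
            # ordinary installer, or the PowerShell engine hosted in-process, which
            # a rule that watches for powershell.exe starting can never see.
            verdict = "no_powershell_start_seen"
        findings.append((ev["app"], ev["target"], verdict))
    return findings


def analyze(text: str = SAMPLE_LOG) -> list:
    return classify_env_changes(parse_log(text))


if __name__ == "__main__":
    for app, target, verdict in analyze():
        print(f"{verdict:26} {app}  ->  {target}")
```

The "no_powershell_start_seen" verdict is the one worth reviewing: it is exactly the NVIDIA installer case from the post, and it is why a rule on the effect (the registry write) catches what a rule on the launcher (powershell.exe) misses.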