Malware undetected for 5 years



Hi,

I found this malware about 5 years ago when I downloaded VBox, and for some reason the version downloaded came with an invalid signature.

I uploaded the file to VT and nothing came up.

I re-uploaded the sample now, after 5 years, and it is still undetected by all, by some kind of evasion technique.

Because of the large size I'm going to link the VT page:

https://www.virustotal.com/gui/file/a172b1c18045400e459a2353de8f250c9ab36c72b30057feb9c2db894f39e568

a172b1c18045400e459a2353de8f250c9ab36c72b30057feb9c2db894f39e568

I think this is part of a targeted attack; further analysis and feedback is welcomed.

Thanks in advance.

Edited by king99
some typing error corrected

Marcos (Administrator), marked as the solution:

To me the only difference between the original VirtualBox installer and this one with a broken signature is missing data between offset 0x4fadd1a and 0x4fbc47c. Removing some data from a file won't make it malicious.

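Marcos's comparison above (the two installers are byte-identical except for one missing range) can be reproduced with a longest-common-prefix/suffix check, which is sufficient whenever exactly one contiguous run was dropped or altered. The Python below is an added example, not code from the thread or from any of the posters; ORIGINAL and TRUNCATED are constructed stand-in byte strings, and their offsets are illustrative rather than the 0x4fadd1a/0x4fbc47c values Marcos reports.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class DiffReport:
    """Where two byte strings diverge, expressed as half-open offset ranges."""
    identical: bool
    orig_start: int      # first differing offset in the original
    orig_end: int        # one past the last differing offset in the original
    mod_start: int       # same, in the modified copy
    mod_end: int

    @property
    def bytes_removed(self) -> int:
        return self.orig_end - self.orig_start

    @property
    def bytes_substituted(self) -> int:
        return self.mod_end - self.mod_start

    @property
    def pure_deletion(self) -> bool:
        # True when the modified copy is the original with one contiguous run cut out
        return not self.identical and self.bytes_substituted == 0


def locate_divergence(original: bytes, modified: bytes) -> DiffReport:
    """Compare two files by longest common prefix and suffix.

    Whatever lies between them is the single region that differs. For a file
    that merely had a run of bytes dropped (the case in this thread), the
    modified-side range is empty and the original-side range is the dropped run.
    """
    if original == modified:
        return DiffReport(True, 0, 0, 0, 0)
    limit = min(len(original), len(modified))
    prefix = 0
    while prefix < limit and original[prefix] == modified[prefix]:
        prefix += 1
    suffix = 0
    # the suffix must not overlap the prefix on either side
    while suffix < limit - prefix and original[-1 - suffix] == modified[-1 - suffix]:
        suffix += 1
    return DiffReport(
        False,
        prefix, len(original) - suffix,
        prefix, len(modified) - suffix,
    )


def sha256_hex(data: bytes) -> str:
    """The hash VirusTotal uses as the file's identity on its report page."""
    return hashlib.sha256(data).hexdigest()


def describe(report: DiffReport) -> str:
    """Human-readable summary of a DiffReport."""
    if report.identical:
        return "files are identical"
    if report.pure_deletion:
        return (f"{report.bytes_removed} bytes missing from the original between "
                f"offset {report.orig_start:#x} and {report.orig_end:#x}")
    return (f"original bytes {report.orig_start:#x}-{report.orig_end:#x} replaced by "
            f"{report.bytes_substituted} bytes at {report.mod_start:#x}-{report.mod_end:#x}")


# Constructed stand-ins: a 1 KiB pseudo "installer" and a copy with 200 bytes cut out.
# The offsets are illustrative; they are not the values from Marcos's post.
ORIGINAL = bytes(range(256)) * 4
TRUNCATED = ORIGINAL[:300] + ORIGINAL[500:]

if __name__ == "__main__":
    rep = locate_divergence(ORIGINAL, TRUNCATED)
    print(describe(rep))
    print("sha256 original :", sha256_hex(ORIGINAL))
    print("sha256 truncated:", sha256_hex(TRUNCATED))
```

A pure deletion leaves the modified-side range empty; a non-empty range means bytes were replaced rather than dropped, which is the case that warrants a closer look at what was put there. Run it against the real files by reading both installers into the two byte strings. Because VirusTotal keys a report on the SHA-256, a truncated download always shows up as a separate, previously unseen sample even though its content is a subset of a well-known file.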

1 hour ago, king99 said:

I uploaded the file to the Intezer platform and it says it's 100 percent malicious. Could it be a false positive because of just a broken download?

Looks like the detection was an Avast behavior-based one. One possibility is this download was tampered with, as indicated by the invalid signature. Also, this "Dirty Moe" malware does install a signed kernel-mode mini-port driver.


A few other comments about "Dirty Moe" malware.

It is deployed via exploiting:

Quote:

The DirtyMoe malware uses a simple idea of how to be modularized, undetectable, and untrackable at the same time. The aim of this malware is focused on Cryptojacking and DDoS attacks. DirtyMoe is run as a Windows service under system-level privileges via EternalBlue and at least three other exploits.

https://decoded.avast.io/martinchlumecky/dirtymoe-1/

The VirtualBox sample referenced at VT dates to 2018. There was a vulnerability in VB at that time that was being ignored by Oracle. A researcher was so frustrated with Oracle for ignoring the vulnerability that he created his own POC exploit code and released it publicly: https://www.bleepingcomputer.com/news/security/virtualbox-zero-day-vulnerability-details-and-exploit-are-publicly-available/ .

Putting it all together, it appears this VB sample was altered to include either the exploit code and, possibly, the Dirty Moe malware code, or dropper code to download it from the attack C&C server.

-EDIT- Forgot this "tidbit", which is why Dirty Moe is referenced as undetectable:

Quote:

All the while, attackers used VMProtect and the malware's own encryption algorithm to hide what they were doing. They also employed rootkit techniques for concealing the botnet and a multi-level network communication architecture to hide their servers.

https://securityintelligence.com/news/dirtymoe-botnet-returns-undetectable-threat-profile/

Edited by itman

Thanks for the help itman, I really appreciate it.

I clearly remember downloading VBox back in 2018 from the original website.

Does that mean that the VBox site was compromised at that time? Or was it a MITM attack?

To make the situation more bizarre, I just found in the download folder of Patchmypc an Oracle cert, which is extremely odd. I reported it to Patchmypc, no response yet.

https://www.virustotal.com/gui/file/75e96bab78e894c582d115f74392d87213222e3356f858161d33f0f9719a05e9/detection

Could it be that the malware evolved from 2018 to hide itself with compromised digital signatures?

Please bear with me a little, I'm a noob in the malware world.


7 hours ago, king99 said:

I clearly remember downloading VBox back in 2018 from the original website.

Does that mean that the VBox site was compromised at that time? Or was it a MITM attack?

My best guess is that the VirtualBox 2018 download will not install currently on Win 10/11. Assumed is the cert. for the download is SHA-1 signed. Microsoft disallowed SHA-1 certs. in 2019: https://support.microsoft.com/en-us/topic/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus-64d1c82d-31ee-c273-3930-69a4cde8e64f .

I just downloaded VB ver. 7.0.8 from here: https://www.virtualbox.org/wiki/Downloads. The download is validly signed with a SHA-2 cert. Of note, the old SHA-1 cert. dating to 2014 is still shown. It is also shown as invalid due to not being validly countersigned.

My best guess at this point is your VirtualBox 2018 download is showing as invalidly signed for the above reasons. At this point, it is impossible to determine how you downloaded a malicious version of VB.

7 hours ago, king99 said:

To make the situation more bizarre, I just found in the download folder of Patchmypc an Oracle cert.

I suspect that Oracle cert. is for manually signing VB Win kernel modules to remove conflict w/Win 10/11 Secure Boot processing, as noted here: https://gist.github.com/reillysiemens/ac6bea1e6c7684d62f544bd79b2182a4
