
Kudos to ESET. A/V able to ID Meduza where others fail


gary_seven


https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work

From the article:

"What's more concerning is that a large portion of antivirus software has proven ineffective against the Meduza stealer binary, either failing to detect it statically or dynamically. (Fig. 2, Fig. 3)."

 

[Fig. 2 – Static AV scan report]

[Fig. 3 – Dynamic AV scan report]


Just now, SeriousHoax said:

One more example of ESET's DNA detection in action, I suppose.

So, you "suppose" or you know for a fact that this is a DNA detection?


There might be some malware "tweaking" going on here. Or, he lucked out and caught his sample while it was still in the "wild."

Based on the IOCs listed in this article: https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/ , very high detection rate at VT: https://www.virustotal.com/gui/file/702abb15d988bba6155dd440f615bbfab9f3c0ed662fc3e64ab1289a1098af98 .

In any case, it's good to see Eset detected it.

-EDIT- Also his scan shows only 26 vendors which means he did not scan at VT. The above linked VT sample was posted on 5/29. His scan was done on 6/27. Something not right here.

Edited by itman

10 minutes ago, SeriousHoax said:

One more example of ESET's DNA detection in action, I suppose. 

Unless ESET had already got their hands on the sample that was analyzed there, it should be a DNA detection. 

Quote

We perform deep analysis of the code and extract “genes” that are responsible for its behavior and construct ESET DNA Detections, which are used to assess potentially suspect code, whether found on the disk or in the running process memory.

DNA Detections can identify specific known malware samples, new variants of a known malware family or even previously unseen or unknown malware that contains genes that indicate malicious behavior.

 

Edited by SeriousHoax

14 hours ago, itman said:

-EDIT- Also his scan shows only 26 vendors which means he did not scan at VT. The above linked VT sample was posted on 5/29. His scan was done on 6/27. Something not right here.

Because they are not the same samples. Your VT link is an older sample. The two sample IOCs provided in the research blog the OP posted are not present in VirusTotal. Also, they performed dynamic analysis as well, so it's clear that out of those 26 vendors, only ESET detected it at that time. Out of reputable vendors, I only see that Norton wasn't tested.

Edited by SeriousHoax

5 hours ago, SeriousHoax said:

The two samples IOC provided in the research blog OP posted are not present in Virustotal

Maybe not.

If you refer to the URL section of the Uptycs article, shown is a VT graph.

Note that what is shown on the VT graph are hashes of other, similar Meduza samples Uptycs found that are publicly accessible. Again, Uptycs states this is the same malware. I checked the hashes shown in the VT graph and they all have a high vendor detection rate at VT. Furthermore, these samples were posted to VT at or around 6/15/2023; two weeks prior to Uptycs' supposed comparative vendor scan of their malware samples.

I stand by my contention that something is not right with the samples that Uptycs highlighted in their article. Add to this the fact that Uptycs never posted their samples to VT for a vendor comparative scan. I state that the Uptycs article is a scam.

To add to the confusion here, Uptycs named their detection Meduza versus prior like malware being named Medusa. Then you have outfits like RussianPanda.com referring to the older variants as Meduza versus Medusa.

Edited by itman
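The check itman describes in this post and his earlier one (look up the write-up's IOC hashes on VirusTotal, compare the first-submission date with the write-up's scan date, and compare the vendor and detection counts) can be scripted. The block below is an added example for this thread; it is not code from the Uptycs article, from ESET, or from any poster. It assumes the VirusTotal API v3 file endpoint (`/api/v3/files/{hash}`, header `x-apikey`) and its documented report fields `first_submission_date`, `last_analysis_stats` and `last_analysis_results`; the sample report and the 6/27 scan date at the bottom are constructed for illustration and are not a real VT record.

```python
"""Cross-check a write-up's IOC hashes against VirusTotal file reports.

Added example for this thread; not code from Uptycs, ESET or any poster.
Assumes VirusTotal API v3 and its documented report fields. The sample
report at the bottom is constructed, not a real VT record.
"""
import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import List, Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests are accepted by the endpoint.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def fetch_report(file_hash: str, api_key: str) -> Optional[dict]:
    """Fetch the v3 file report (network call). Returns None when VT has
    never seen the file, which the API signals with HTTP 404."""
    if not HASH_RE.match(file_hash):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {file_hash}")
    req = urllib.request.Request(VT_FILES_URL + file_hash, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(report: Optional[dict], scan_date: datetime) -> dict:
    """Reduce a report to what matters when judging a comparative scan: was the
    sample public on VT before the scan, for how long, and how many engines
    flagged it out of how many were run."""
    if report is None:
        return {"on_vt": False}
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    stats = attrs.get("last_analysis_stats", {})
    first_seen = datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc)
    detecting = sorted(name for name, r in results.items() if r.get("category") == "malicious")
    # Prefer the per-engine list; fall back to the aggregate counters.
    engines_run = len(results) or sum(
        stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless")
    )
    return {
        "on_vt": True,
        "sha256": attrs.get("sha256"),
        "first_seen": first_seen,
        "days_public_before_scan": (scan_date - first_seen).days,
        "public_before_scan": first_seen <= scan_date,
        "engines_run": engines_run,
        "malicious": len(detecting),
        "detecting": detecting,
    }


def assess_claim(summary: dict, claimed_engines: int, claimed_detections: int) -> List[str]:
    """Compare what a write-up claims (N engines run, M detections) with VT's record."""
    notes = []
    if not summary["on_vt"]:
        notes.append("sample not on VT: the write-up's scan cannot be reproduced from VT")
        return notes
    if summary["public_before_scan"]:
        notes.append(f"sample was public on VT {summary['days_public_before_scan']} days before the scan date")
    if claimed_engines < summary["engines_run"]:
        notes.append(f"write-up ran {claimed_engines} engines, VT ran {summary['engines_run']}: scan was not done on VT")
    if claimed_detections < summary["malicious"]:
        notes.append(f"write-up reports {claimed_detections} detection(s), VT reports {summary['malicious']}")
    return notes


# Constructed VT-style report (not a real record): first submitted 2023-06-15 UTC,
# three of four engines flag it. Engine names and verdict strings are placeholders.
SAMPLE_REPORT = {
    "data": {"attributes": {
        "sha256": "00" * 32,
        "first_submission_date": 1686787200,
        "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 1, "harmless": 0},
        "last_analysis_results": {
            "ESET-NOD32": {"category": "malicious", "result": "constructed"},
            "Microsoft": {"category": "malicious", "result": "constructed"},
            "TrendMicro": {"category": "malicious", "result": "constructed"},
            "Kaspersky": {"category": "undetected", "result": None},
        },
    }}
}
SCAN_DATE = datetime(2023, 6, 27, tzinfo=timezone.utc)  # the write-up's claimed scan date

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT, SCAN_DATE)
    for note in assess_claim(s, claimed_engines=26, claimed_detections=1):
        print(note)
```

For real hashes, replace `SAMPLE_REPORT` with `fetch_report(h, api_key)`; a `None` result is the "not on VT" case the posters argue about, and the script reports it rather than treating it as zero detections. The two dates are compared in UTC because VT stores `first_submission_date` as a Unix timestamp.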

3 hours ago, itman said:

Maybe not.

If you refer to the URL section of the Uptycs article, shown is a VT graph.

Note that what is shown on the VT graph are hashes of other, similar Meduza samples Uptycs found that are publicly accessible. Again, Uptycs states this is the same malware. I checked the hashes shown in the VT graph and they all have a high vendor detection rate at VT. Furthermore, these samples were posted to VT at or around 6/15/2023; two weeks prior to Uptycs' supposed comparative vendor scan of their malware samples.

Yeah, I checked those too last night and they are indeed present in VT. Maybe one wasn't? I forgot. But the two MD5 they shared on their site are not present in VT.

3 hours ago, itman said:

I stand by my contention that something is not right with the samples that Uptycs highlighted in their article. Add to this the fact that Uptycs never posted their samples to VT for a vendor comparative scan. I state that the Uptycs article is a scam.

Wow, that's a big claim. I don't know about it being a scam. But why would they show ESET's detection? A sample not being in VT is not uncommon, especially if the vendor also sells a threat intelligence service. For example, ESET have not always shared their researched samples on VT, but it's understandable. ESET is also a well-known and respected company, while I don't know much about Uptycs.

But releasing scam research where everyone but one vendor didn't detect the sample wouldn't go unnoticed in other vendors' eyes. So, I can't comment on that.


45 minutes ago, SeriousHoax said:

But why would they show ESET's detection?

It's not uncommon for malware testers to "tweak" malware. The AV lab MRG Effitas is best known for this via its simulated malware testing. For example, they used a "tweaked" Chaos 3 ransomware sample in a number of tests which Eset had a hard time detecting. The difference between an AV lab doing this type of testing and others doing so is that the AV lab fully discloses the synthetic malware testing.

The "giveaway" for me in the Uptycs testing is that at least they had one well-known AV detect their sample. Assumed is that they left a code snippet or the like in the malware samples they knew Eset would detect, or the code was left in place by accident. This lends legitimacy to the claim that the malware was discovered in the "wild."

Finally, Uptycs did not disclose where/how they did their comparative vendor product testing. This puts them in the category of all the ad hoc testers on the web.

There is also an established practice in the security community to disclose 0-day malware upon detection to prevent the spread of the malware. One way of doing so is by uploading the malware to VT.

Edited by itman

There is another possibility in regards to these Uptycs malware samples.

They stated in their article that they monitor the Dark Web and like nasty places. They could have been able to "pilfer" a beta version of this latest Medusa malware variant prior to it being released in the wild. This would explain the non-public disclosure of their malware samples lest their surveillance activities be exposed.

However, there is no way of knowing if the final production version of this latest Medusa variant contained code that could be identified by other security solutions when it was released to the wild. Based on this: https://www.virustotal.com/gui/file/2ad84bfff7d5257fdeb81b4b52b8e0115f26e8e0cdaa014f9e3084f518aa6149 , TrendMicro is detecting it as SmokeLoader, plus most of the behavior-based security solutions are also detecting it. This leads me to believe additional detectable code was inserted into the production version. What is interesting is Kaspersky doesn't detect it.

 

Edited by itman

On 7/4/2023 at 10:50 PM, itman said:

There is another possibility in regards to these Uptycs malware samples.

They stated in their article that they monitor the Dark Web and like nasty places. They could have been able to "pilfer" a beta version of this latest Medusa malware variant prior to it being released in the wild. This would explain the non-public disclosure of their malware samples lest their surveillance activities be exposed.

However, there is no way of knowing if the final production version of this latest Medusa variant contained code that could be identified by other security solutions when it was released to the wild. Based on this: https://www.virustotal.com/gui/file/2ad84bfff7d5257fdeb81b4b52b8e0115f26e8e0cdaa014f9e3084f518aa6149 , TrendMicro is detecting it as SmokeLoader, plus most of the behavior-based security solutions are also detecting it. This leads me to believe additional detectable code was inserted into the production version. What is interesting is Kaspersky doesn't detect it.

 

Kaspersky detection now has UDS in the name

Malware Hashes (UDS) – a set of file hashes detected by Kaspersky Lab cloud technologies (UDS stands for Urgent Detection System) based on a file's metadata and statistics (without having the object itself).

It's weird, and I've posted this because of your question.

Edited by Nightowl

This topic is now closed to further replies.