itman 1,746 Posted July 28, 2023 Share Posted July 28, 2023 (edited) 19 hours ago, SeriousHoax said: I sent BD one encrypted js file inside the ASAR file only, not the full sample. They added detection and later when tested, their real-time protection could even detect the js file, inside the ASAR file after running the sample. I was really surprised by this. Just how were they able to decrypt the JavaScript w/o the applicable key to do so? They can't do so. Appears all BD did was create a hash detection for the encrypted script. This can be simply defeated by modifying the script. Edited July 28, 2023 by itman Link to comment Share on other sites More sharing options...
SeriousHoax 87 Posted July 28, 2023 Author Share Posted July 28, 2023 4 minutes ago, itman said: Just how were they able to decrypt the JavaScript w/o the applicable key to do so? They can't do so. Appears all BD did was create a hash detection for the encrypted script. Watch the G-Data analyst video again where he showed an example. Besides, BD can detect it by their behavior blocker, so it doesn't matter anyway. Everyone makes hash detection for samples now and then. It's necessary sometimes. ESET also did for a few of the samples mentioned in this thread. Anyway, it's not important what other products are doing. The issue is that ESET is not detecting the samples by real-time protection which should be addressed by them. Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 29, 2023 Share Posted July 29, 2023 (edited) As far as ASAR files go, here's an interesting read; Quote QuASAR: An ASAR Manipulation Tool Now this research focused on Teams, but as I discovered that all Electron apps utilize this ASAR format. To make demonstrating the risk a bit easier, I wrote up a lil JS and called it QuASAR. QuASAR is a simple utility that will analyze a ASAR file, discover injectable files, and allow you to inject whatever code execution you like via child_process. This is NOT intended to be a red team tool that you use on engagements. I ain't out here making weapons. Instead, this is designed to demonstrate the risk and help Defenders examine this behavior to better detect and prevent it. https://taggart-tech.com/quasar-electron/ Edited July 29, 2023 by itman Link to comment Share on other sites More sharing options...
SeriousHoax 87 Posted July 30, 2023 Author Share Posted July 30, 2023 13 hours ago, itman said: As far as ASAR files go, here's an interesting read; https://taggart-tech.com/quasar-electron/ This is a very good find 👍 Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 30, 2023 Share Posted July 30, 2023 (edited) As far as the ASAR mitigations given in this article: https://taggart-tech.com/quasar-electron/ ; Quote Mitigation/Detection A long-standing-issue on the Electron project indicates that one mitigation—cryptopgraphic signing of the ASAR files—is not being considered. Similarly, there seems to be little interest in the types of integrity checking that Chromium-based browsers implement to protect extensions. For detections, I would consider adding detections for cmd.exe and powershell.exe of common Electron extensions in your environment. Similarly, you may wish to identify what updaters (like Squirrel.exe for Teams) actually should be making changes to your respective app.asars, and alert on anything else doing so. These detections are, in my experience, quite high fidelity given the insular nature of Electron app code. The problem with Electron is it has the capability to associate any file extension to it: https://blog.theodo.com/2015/12/link-files-to-application-in-windows/ . Also, refer back to RabbitCheecks.exe analysis at VT: https://www.virustotal.com/gui/file/d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb/behavior and you will not find any reference to a .asar being created on the disk. What you will observe is a number of modified .7z filles. -EDIT- I rechecked the Hybrid-Analysis report of RabbitCheecks.exe and it does show a .asar file being created; Quote "%APPDATA%\RabbitCheecks" --app-path="%TEMP%\2ScfuUKBSEHFy1aW3tel0VmAnMV\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=1302339472 --mojo-platform-channel-handle=2140 --field-trial-handle=1648,i,9977055099471176374,13861279839485068765,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 Again, a hacked version of the 7-zip plug-in was deployed in these installers and the only AV solution to id it as such was CloudStrike. Edited July 31, 2023 by itman Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 31, 2023 Share Posted July 31, 2023 (edited) It's not only game installer downloads to be leery of these days, but any download from other than direct URL access to the author's web site; Quote Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojans tools like Remcos RAT. "Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis. https://thehackernews.com/2023/07/fruity-trojan-uses-deceptive-software.html This puppy is using Python and deploying process doppelgänging, https://attack.mitre.org/techniques/T1055/013/ , to avoid AV detection. Edited July 31, 2023 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted August 13, 2023 Most Valued Members Share Posted August 13, 2023 (edited) On 7/31/2023 at 11:40 PM, itman said: https://thehackernews.com/2023/07/fruity-trojan-uses-deceptive-software.html This is what I posted about recently , it's nice read by the way , thank you https://news.drweb.com/show/?i=14728&lng=en I found the Dr.Web article about it. Edited August 13, 2023 by Nightowl Link to comment Share on other sites More sharing options...
itman 1,746 Posted August 13, 2023 Share Posted August 13, 2023 6 hours ago, Nightowl said: https://news.drweb.com/show/?i=14728&lng=en Let's analyze. First, the malware is embedded in a; Quote When a visitor tries to download an app from a fake site, they are redirected to the MEGA file hosting service webpage, which offers them a zip file, containing a trojan installer package, for download. Next is what the malware does; The malware is Python based. You can't run python.exe without first installing Python so it is assumed the malicious installer does that. Since again Eset HIPS doesn't support global wildcard capability, I have previously created registry debugger entries to stop execution of python.exe and python3.exe. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted August 14, 2023 Most Valued Members Share Posted August 14, 2023 15 hours ago, itman said: Let's analyze. First, the malware is embedded in a; Next is what the malware does; The malware is Python based. You can't run python.exe without first installing Python so it is assumed the malicious installer does that. Since again Eset HIPS doesn't support global wildcard capability, I have previously created registry debugger entries to stop execution of python.exe and python3.exe. This is what happened with me , the infected PC I worked on had a person who doesn't know programming and doesn't know even English language , so naming the files fruit and idea and stuff like this made it a bit suspicious , and there is no even Python installed , the RAT supplied its own Python. Link to comment Share on other sites More sharing options...
itman 1,746 Posted August 14, 2023 Share Posted August 14, 2023 (edited) 8 hours ago, Nightowl said: there is no even Python installed , the RAT supplied its own Python. According to the Dr. Web detail analysis, the version of python.exe used is the original Python language interpreter. That can't run locally w/o being installed as I posted previously. Well, it appears Python can be run remotely. I just found this "tidbit;" Quote The easiest option is to run Python on Google's Colab servers. This doesn't require any programs to be installed on your local machine. https://blog.finxter.com/how-to-run-python-without-installation/ Ref,: https://research.google.com/colaboratory/local-runtimes.html Edited August 14, 2023 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted August 15, 2023 Most Valued Members Share Posted August 15, 2023 16 hours ago, itman said: According to the Dr. Web detail analysis, the version of python.exe used is the original Python language interpreter. That can't run locally w/o being installed as I posted previously. Well, it appears Python can be run remotely. I just found this "tidbit;" I am sure that the PC I worked with didn't have Python and the person who works on it doesn't have any programming skills or anything , I even searched for Python traces on PC , there is not. Link to comment Share on other sites More sharing options...
itman 1,746 Posted August 15, 2023 Share Posted August 15, 2023 BTW - hackers also get infected with infostealers; Over 120,000 Computers Compromised by Info Stealers Linked to Users of Cybercrime Forums https://thehackernews.com/2023/08/over-12000-computers-compromised-by.html Link to comment Share on other sites More sharing options...
itman 1,746 Posted September 11, 2023 Share Posted September 11, 2023 (edited) To show how hopeless it is to detect 0-day infostealers, here's the "latest and greatest":https://www.cyfirma.com/outofband/new-maas-prysmax-launches-fully-undetectable-infostealer/ . It has been posted to VT since 8/13 and currently 4 or less vendors detect the IOC's listed at the bottom of the article. Eset is not one of those vendors. -EDIT- Well, that was quick. Eset now detects at VT. BTW for Kaspersky fans, it does not detect this infostealer. Edited September 12, 2023 by itman Link to comment Share on other sites More sharing options...
Recommended Posts