Stealers not detected


19 hours ago, SeriousHoax said:

I sent BD one encrypted js file inside the ASAR file only, not the full sample. They added detection and later when tested, their real-time protection could even detect the js file, inside the ASAR file after running the sample. I was really surprised by this.

Just how were they able to decrypt the JavaScript w/o the applicable key to do so? They can't do so.

Appears all BD did was create a hash detection for the encrypted script. This can be simply defeated by modifying the script.

Edited by itman

4 minutes ago, itman said:

Just how were they able to decrypt the JavaScript w/o the applicable key to do so? They can't do so.

Appears all BD did was create a hash detection for the encrypted script.

Watch the G-Data analyst video again where he showed an example.

Besides, BD can detect it by their behavior blocker, so it doesn't matter anyway. Everyone makes hash detection for samples now and then. It's necessary sometimes. ESET also did for a few of the samples mentioned in this thread.

Anyway, it's not important what other products are doing. The issue is that ESET is not detecting the samples by real-time protection which should be addressed by them.


As far as ASAR files go, here's an interesting read;

Quote

QuASAR: An ASAR Manipulation Tool

Now this research focused on Teams, but as I discovered, all Electron apps utilize this ASAR format. To make demonstrating the risk a bit easier, I wrote up a lil JS and called it QuASAR.

QuASAR is a simple utility that will analyze an ASAR file, discover injectable files, and allow you to inject whatever code execution you like via child_process. This is NOT intended to be a red team tool that you use on engagements. I ain't out here making weapons. Instead, this is designed to demonstrate the risk and help Defenders examine this behavior to better detect and prevent it.

https://taggart-tech.com/quasar-electron/

Edited by itman

As far as the ASAR mitigations given in this article go: https://taggart-tech.com/quasar-electron/ ;

Quote

Mitigation/Detection

A long-standing issue on the Electron project indicates that one mitigation, cryptographic signing of the ASAR files, is not being considered.

Similarly, there seems to be little interest in the types of integrity checking that Chromium-based browsers implement to protect extensions.

For detections, I would consider adding detections for cmd.exe and powershell.exe of common Electron extensions in your environment. Similarly, you may wish to identify what updaters (like Squirrel.exe for Teams) actually should be making changes to your respective app.asars, and alert on anything else doing so. These detections are, in my experience, quite high fidelity given the insular nature of Electron app code.

The problem with Electron is it has the capability to associate any file extension to it: https://blog.theodo.com/2015/12/link-files-to-application-in-windows/

Also, refer back to the RabbitCheecks.exe analysis at VT: https://www.virustotal.com/gui/file/d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb/behavior and you will not find any reference to a .asar being created on the disk. What you will observe is a number of modified .7z files.

-EDIT- I rechecked the Hybrid-Analysis report of RabbitCheecks.exe and it does show a .asar file being created;

Quote

"%APPDATA%\RabbitCheecks" --app-path="%TEMP%\2ScfuUKBSEHFy1aW3tel0VmAnMV\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=1302339472 --mojo-platform-channel-handle=2140 --field-trial-handle=1648,i,9977055099471176374,13861279839485068765,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

Again, a hacked version of the 7-zip plug-in was deployed in these installers and the only AV solution to ID it as such was CrowdStrike.

Edited by itman
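The two detections the quoted Mitigation/Detection section recommends (an Electron app spawning cmd.exe or powershell.exe, and app.asar being written by anything other than its known updater), as an added example that is not from the QuASAR article or anyone in this thread. It runs over constructed, simplified process-creation and file-write events; the app list, the updater name and all paths are assumptions for illustration.

```python
# Added example: the detection logic suggested in the quoted article, applied to
# constructed (not real) endpoint events. App names, updater and paths are assumed.
from typing import Iterable, List, Tuple

ELECTRON_APPS = {"teams.exe", "slack.exe", "code.exe", "discord.exe"}  # assumed inventory
EXPECTED_ASAR_WRITERS = {"squirrel.exe"}  # the article names Squirrel.exe as the Teams updater
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            # Rule 1: an Electron app should not normally launch a shell
            if parent in ELECTRON_APPS and child in SHELLS:
                hits.append(("electron_spawns_shell", ev))
        elif ev["type"] == "file_write":
            # Rule 2: only the known updater should modify app.asar
            if basename(ev["target"]) == "app.asar" and basename(ev["image"]) not in EXPECTED_ASAR_WRITERS:
                hits.append(("unexpected_asar_write", ev))
    return hits


# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Users\u\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo injected"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "file_write", "image": r"C:\Users\u\AppData\Local\Microsoft\Teams\Squirrel.exe",
     "target": r"C:\Users\u\AppData\Local\Microsoft\Teams\current\resources\app.asar"},
    {"type": "file_write", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\u\AppData\Local\Microsoft\Teams\current\resources\app.asar"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("cmdline") or ev.get("target"))
```

In a real deployment the same logic maps onto Sysmon event IDs 1 (process create) and 11 (file create) or the equivalent EDR telemetry, with the app and updater sets taken from your own software inventory.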

It's not only game installer downloads to be leery of these days, but any download from other than direct URL access to the author's web site;

Quote

Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojans tools like Remcos RAT.

"Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis.

https://thehackernews.com/2023/07/fruity-trojan-uses-deceptive-software.html

This puppy is using Python and deploying process doppelgänging, https://attack.mitre.org/techniques/T1055/013/ , to avoid AV detection.

Edited by itman

  • 2 weeks later...
On 7/31/2023 at 11:40 PM, itman said:

This is what I posted about recently. It's a nice read, by the way, thank you.

https://news.drweb.com/show/?i=14728&lng=en

I found the Dr.Web article about it.

Edited by Nightowl

6 hours ago, Nightowl said:

Let's analyze.

First, the malware is embedded in a;

Quote

When a visitor tries to download an app from a fake site, they are redirected to the MEGA file hosting service webpage, which offers them a zip file, containing a trojan installer package, for download.

Next is what the malware does;

[Image: Eset_Python.png]

The malware is Python based. You can't run python.exe without first installing Python so it is assumed the malicious installer does that.

Since again Eset HIPS doesn't support global wildcard capability, I have previously created registry debugger entries to stop execution of python.exe and python3.exe.


15 hours ago, itman said:

Let's analyze.

First, the malware is embedded in a;

Next is what the malware does;

[Image: Eset_Python.png]

The malware is Python based. You can't run python.exe without first installing Python so it is assumed the malicious installer does that.

Since again Eset HIPS doesn't support global wildcard capability, I have previously created registry debugger entries to stop execution of python.exe and python3.exe.

This is what happened with me. The infected PC I worked on belonged to a person who doesn't know programming and doesn't even know the English language, so naming the files "fruit" and "idea" and the like made it a bit suspicious, and there was not even Python installed; the RAT supplied its own Python.


8 hours ago, Nightowl said:

there was not even Python installed; the RAT supplied its own Python.

According to the Dr. Web detailed analysis, the version of python.exe used is the original Python language interpreter. That can't run locally w/o being installed, as I posted previously. Well, it appears Python can be run remotely. I just found this "tidbit":

Quote

The easiest option is to run Python on Google's Colab servers. This doesn't require any programs to be installed on your local machine.

https://blog.finxter.com/how-to-run-python-without-installation/

Ref.: https://research.google.com/colaboratory/local-runtimes.html

Edited by itman

16 hours ago, itman said:

According to the Dr. Web detailed analysis, the version of python.exe used is the original Python language interpreter. That can't run locally w/o being installed, as I posted previously. Well, it appears Python can be run remotely. I just found this "tidbit":

I am sure that the PC I worked with didn't have Python, and the person who works on it doesn't have any programming skills or anything. I even searched for Python traces on the PC; there are none.


  • 4 weeks later...

To show how hopeless it is to detect 0-day infostealers, here's the "latest and greatest": https://www.cyfirma.com/outofband/new-maas-prysmax-launches-fully-undetectable-infostealer/

It has been posted to VT since 8/13 and currently 4 or fewer vendors detect the IOCs listed at the bottom of the article. Eset is not one of those vendors.

-EDIT- Well, that was quick. Eset now detects at VT. BTW for Kaspersky fans, it does not detect this infostealer.

Edited by itman