ML/Augur Detections: not necessarily false positives


This is a response to posts earlier this year talking about ML/Augur giving a number of hard-to-explain detections. I've seen it too, and what I've discovered in the last few weeks is concerning. I'm trying to compile my findings in a structured way, but that has also proven to be difficult.

The details have been made a bit obscure as per the public nature of this forum, but I believe discussing the findings openly is a more productive strategy than the alternative. ESET staff can of course feel free to reach out for more specific information.

I caught something on a Windows 10 PC that just didn't feel right. CPU utilization led me to believe it was a simple key logger or something to that effect. The engines running on VirusTotal said there's nothing particularly wrong with the files in question, the typical false positive look. Credible developer, partnered with a massive manufacturer, all that stuff.

However, the unexpected encrypted network traffic and sudden dethroning on my own system, with no effective recourse as of yet... That says there's definitely something there.

By the sheer magnitude of my negligence, it managed to spread from a Windows 10 machine to another, subsequently spreading and forcing a rootkit onto an Ubuntu system, as well as a Kali Linux system and a 2020 MacBook Air running macOS Sonoma.

None of the machines has been possible to get to a clean state since. The system from where the threat first made itself known had a big ML/Augur freak-out a while back over suspicious behavior from "old" and "untouched" software, on several machines. It was written off as a false positive. (A pattern... emerges.)

The threat object seems to evade detection by splitting into tiny fragments, acting as something like a "finite state machine" inside the Windows registry with DLL files scattered throughout the rest of the system, redirecting and orchestrating something which has proven itself incredibly difficult to map out. In terms of removal, it has managed to persist past a CMOS reset, when booting up with only a DVD and no proper drives.

This... "thing" is clearly meant to remain hidden, and Augur caught it, which is pretty impressive. The effortless jump to different operating systems without missing a beat is pure nightmare fuel, but there always has to be a next big threat, right?

People's thoughts and/or questions are welcome, because I'm very confused as to what I've stumbled across here.

Yes, that's what made me very confused. By its behavior it was strange, to say the least, but it did not get detected; that's why I went with the disassembly and decompile strategy, where I neglected to actually step into a VM.

"Probably just some sub-par code", lesson learned. Anyhow, given a run on a Win10 system it flashed a terminal in my face for a split second and that was essentially game over.


There's a vulnerability in this software although it's rated low risk: https://www.cybersecurity-help.cz/vdb/SB2023091339

However, any vulnerability can be exploited. Might be an explanation for what happened here.

-EDIT- Vulnerability rated high risk here: https://nvd.nist.gov/vuln/detail/CVE-2023-3112

Edited by itman

36 minutes ago, itman said:

There's a vulnerability in this software although it's rated low risk: https://www.cybersecurity-help.cz/vdb/SB2023091339

However, any vulnerability can be exploited. Might be an explanation for what happened here.

-EDIT- Vulnerability rated high risk here: https://nvd.nist.gov/vuln/detail/CVE-2023-3112

Interesting, I was unaware of the high risk rating version. I've contacted Lenovo but have yet to hear back. I don't believe they've been hit with a supply chain attack or anything like that, at least I would hope not.

My manual autopsy (sadly I can't run Windows through a virus scanner in one piece) leads me to suspect something similar to a revamped version of WarzoneRAT sneaking fragmented payloads into the resources of "trusted" or "legacy" applications, with registry reference spaghetti on top.

If you've gotten elevation and manage to mess with the file descriptors, that would mean the certificates would still be "correct", I guess? The duplicates would definitely account for the observed "storage ballooning" as well. Throw in a derivative of Hacking Team's VectorEDK for persistence past full system wipes and it fits the bill.

And from all that, back to my initial thought: If Augur detects based on behaviors... could this have been the reason for the bump of false positives earlier this year?

Not sure if there was much of a bump in actuality, but yeah, you get what I'm trying to say.
